
another approach

Christian Mehlmauer 1 year ago
parent
commit
70ad41903b
4 changed files with 40 additions and 19 deletions
  1. 9
    5
      Dockerfile
  2. 10
    7
      docker/README.md
  3. 1
    7
      docker/bin/msfconsole
  4. 20
    0
      docker/entrypoint.sh

+ 9
- 5
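--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,6 @@ LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
 ENV APP_HOME /usr/src/metasploit-framework/
-ENV MSF_USER msf
 ENV NMAP_PRIVILEGED=""
 ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME
@@ -15,6 +14,7 @@ COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
 
 RUN apk update && \
     apk add \
+      bash \
       sqlite-libs \
       nmap \
       nmap-scripts \
@@ -24,6 +24,7 @@ RUN apk update && \
       python3 \
       ncurses \
       libcap \
+      su-exec \
     && apk add --virtual .ruby-builddeps \
       autoconf \
       bison \
@@ -47,13 +48,16 @@ RUN apk update && \
     && apk del .ruby-builddeps \
     && rm -rf /var/cache/apk/*
 
-RUN adduser -g msfconsole -D $MSF_USER -u 1000
-
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
 
-USER $MSF_USER
-
 ADD ./ $APP_HOME
 
+# we need this entrypoint to dynamically create a user
+# matching the hosts UID and GID so we can mount something
+# from the users home directory. If the IDs don't match
+# it results in access denied errors. Once docker has
+# a solution for this we can revert it back to normal
+ENTRYPOINT ["docker/entrypoint.sh"]
+
 CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]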
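Review bot: Dropping `USER $MSF_USER` in the last hunk makes root the image's default identity, with the privilege drop now living only in docker/entrypoint.sh; any invocation that overrides the entrypoint, or a later CMD-only change, runs msfconsole as root without anything in the Dockerfile saying so. The comment above ENTRYPOINT should state this explicitly, e.g. `# NOTE: no USER directive on purpose; the container starts as root and entrypoint.sh drops to the msf user via su-exec`. The entrypoint arrives via `ADD ./ $APP_HOME` with whatever mode git stored, so if the script is not executable in the repository the container fails at start; `RUN chmod +x docker/entrypoint.sh` after the ADD guards against that. The relative `docker/entrypoint.sh` only resolves because WORKDIR $APP_HOME is set earlier; an absolute path in the exec-form ENTRYPOINT is less fragile.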

+ 10
- 7
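--- a/docker/README.md
+++ b/docker/README.md
@@ -3,22 +3,25 @@
 
 To run `msfconsole`
 ```bash
-docker-compose build
-docker-compose run --rm --service-ports ms
+./docker/bin/msfconsole
 ```
+
 or
+
 ```bash
-./docker/bin/msfconsole
+docker-compose build
+docker-compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms
 ```
-
 To run `msfvenom`
 ```bash
-docker-compose build
-docker-compose run --rm --no-deps ms ./msfvenom
+./docker/bin/msfvenom
 ```
+
 or
+
 ```bash
-./docker/bin/msfvenom
+docker-compose build
+docker-compose run --rm --no-deps -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfvenom
 ```
 
 You can pass any command line arguments to the binstubs or the docker-compose command and they will be passed to `msfconsole` or `msfvenom`. If you need to rebuild an image (for example when the Gemfile changes) you need to build the docker image using `docker-compose build` or supply the `--rebuild` parameter to the binstubs.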

+ 1
- 7
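--- a/docker/bin/msfconsole
+++ b/docker/bin/msfconsole
@@ -27,10 +27,4 @@ if [[ $PARAMS == *"--rebuild"* ]]; then
   exit $?
 fi
 
-# workaround if current user id is not the same as in the container.
-# Otherwise the ~/.msf4 folder is not writeable
-if [[ $EUID -ne 1000 ]]; then
-  docker-compose run --rm -u root --service-ports ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"
-else
-  docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"
-fi
+docker-compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"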
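Review bot: The sibling binstub docker/bin/msfvenom is not among this commit's four changed files, yet docker/README.md now documents passing `-e MSF_UID=$(id -u) -e MSF_GID=$(id -g)` for msfvenom as well; if that binstub still calls docker-compose without these flags, the entrypoint falls back to uid/gid 1000 and the host-mount permission problem this hunk fixes persists there. The entrypoint also floors ids below 1000, so invoking this binstub under sudo (`id -u` is 0) silently lands on uid 1000; a one-line comment here, e.g. `# host ids below 1000 are floored to 1000 by docker/entrypoint.sh`, saves the next reader a trip to the entrypoint. The script continues outside the hunk (the --rebuild branch above).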

+ 20
- 0
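--- /dev/null
+++ b/docker/entrypoint.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+MSF_USER=msf
+MSF_GROUP=msf
+TMP=${MSF_UID:=1000}
+TMP=${MSF_GID:=1000}
+
+# don't recreate system users like root
+if [ "$MSF_UID" -lt "1000" ]; then
+  MSF_UID=1000
+fi
+
+if [ "$MSF_GID" -lt "1000" ]; then
+  MSF_GID=1000
+fi
+
+addgroup -g $MSF_GID $MSF_GROUP
+adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
+
+su-exec $MSF_USER "$@"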
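Review bot: The script has no `set -e` and does not `exec` the final command, so a failed addgroup/adduser (for instance a GID that already exists in /etc/group) still falls through to the su-exec line with a confusing "unknown user" error, and because bash stays PID 1 the SIGTERM from `docker stop` never reaches msfconsole and the container is killed after the timeout. A non-numeric MSF_UID or MSF_GID makes the `[ ... -lt 1000 ]` test error out and skip the floor, so the raw value reaches adduser unchecked; the rewrite below validates both values first and reports the floor on stderr instead of applying it silently. `TMP=${MSF_UID:=1000}` is the `: "${MSF_UID:=1000}"` idiom in disguise and can be written as such. The adduser call appears to pass `$MSF_USER` both directly after `-D` (a flag that takes no argument) and as the last positional, which only works if the option parser permutes arguments; a single positional USER is sufficient.
```shell
#!/bin/bash
set -euo pipefail

MSF_USER=msf
MSF_GROUP=msf
: "${MSF_UID:=1000}"
: "${MSF_GID:=1000}"

# reject anything that is not a plain decimal id before it reaches addgroup/adduser
for v in MSF_UID MSF_GID; do
  [[ ${!v} =~ ^[0-9]+$ ]] || { printf '%s must be numeric, got %q\n' "$v" "${!v}" >&2; exit 1; }
done

# don't recreate system users like root
if (( MSF_UID < 1000 )); then
  printf 'MSF_UID %s is below 1000; using uid 1000 instead\n' "$MSF_UID" >&2
  MSF_UID=1000
fi
# … unchanged: same floor for MSF_GID …

addgroup -g "$MSF_GID" "$MSF_GROUP"
adduser -u "$MSF_UID" -D -g "$MSF_USER" -G "$MSF_GROUP" "$MSF_USER"

# exec so su-exec (and then the command) becomes PID 1 and receives docker's signals
exec su-exec "$MSF_USER" "$@"
```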
