
change docker root exec

Christian Mehlmauer 11 months ago
parent
commit
e9da06a645
6 changed files with 46 additions and 22 deletions
  1. 2
    0
      .dockerignore
  2. 13
    8
      Dockerfile
  3. 1
    1
      docker-compose.override.yml
  4. 1
    2
      docker-compose.yml
  5. 5
    0
      docker/database.yml
  6. 24
    11
      docker/entrypoint.sh

+ 2
- 0
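--- a/.dockerignore
+++ b/.dockerignore
@@ -5,6 +5,8 @@ docker-compose*.yml
 docker/
 !docker/msfconsole.rc
 !docker/entrypoint.sh
+!docker/database.yml
+Dockerfile
 README.md
 .git/
 .github/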

+ 13
- 8
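--- a/Dockerfile
+++ b/Dockerfile
@@ -2,11 +2,11 @@ FROM ruby:2.5.1-alpine3.7 AS builder
 LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
-ENV APP_HOME /usr/src/metasploit-framework/
+ENV APP_HOME=/usr/src/metasploit-framework
 ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME
 
-COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME
+COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
 COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
 COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
 COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
@@ -40,23 +40,28 @@ RUN apk add --no-cache \
 FROM ruby:2.5.1-alpine3.7
 LABEL maintainer="Rapid7"
 
-ENV APP_HOME /usr/src/metasploit-framework/
+ENV APP_HOME=/usr/src/metasploit-framework
 ENV NMAP_PRIVILEGED=""
+ENV METASPLOIT_GROUP=metasploit
 
-COPY --from=builder /usr/local/bundle /usr/local/bundle
-COPY . $APP_HOME
+# used for the copy command
+RUN addgroup -S $METASPLOIT_GROUP
 
 RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
 
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
 
+COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
+COPY --chown=root:metasploit . $APP_HOME/
+RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
+
 WORKDIR $APP_HOME
+
 # we need this entrypoint to dynamically create a user
 # matching the hosts UID and GID so we can mount something
 # from the users home directory. If the IDs don't match
-# it results in access denied errors. Once docker has
-# a solution for this we can revert it back to normal
+# it results in access denied errors.
 ENTRYPOINT ["docker/entrypoint.sh"]
 
-CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]
+CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]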
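Review bot: The new CMD on the last line is in exec (JSON) form, which performs no variable expansion, so msfconsole receives the literal string `$APP_HOME/config/database.yml` rather than a path; the entrypoint invokes the command directly (`"$@"` / su-exec, no shell) and will not expand it either. Because WORKDIR is already $APP_HOME, `CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "config/database.yml"]` points at the file the preceding `RUN cp -f` created. The final stage still has no `USER` instruction, so whether msfconsole runs as root is decided entirely at runtime by docker/entrypoint.sh; a comment making that deliberate, e.g. `# no USER on purpose: entrypoint.sh picks the account from MSF_UID/MSF_GID`, would stop a reviewer from "fixing" it. Note also that `COPY --chown=root:metasploit` only sets ownership, so group readability of the copied tree still depends on the modes in the build context, which is worth verifying if the context may contain 0600 files.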

+ 1
- 1
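--- a/docker-compose.override.yml
+++ b/docker-compose.override.yml
@@ -9,6 +9,6 @@ services:
         BUNDLER_ARGS: --jobs=8
     image: metasploit:dev
     environment:
-      DATABASE_URL: postgres://postgres@db:5432/msf_dev
+      DATABASE_URL: postgres://postgres@db:5432/msf_dev?pool=200&timeout=5
     volumes:
       - .:/usr/src/metasploit-framework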

+ 1
- 2
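--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,14 +3,13 @@ services:
   ms:
     image: metasploitframework/metasploit-framework:latest
     environment:
-      DATABASE_URL: postgres://postgres@db:5432/msf
+      DATABASE_URL: postgres://postgres@db:5432/msf?pool=200&timeout=5
     links:
       - db
     ports:
       - 4444:4444
     volumes:
       - $HOME/.msf4:/home/msf/.msf4
-      - /etc/localtime:/etc/localtime:ro
 
   db:
     image: postgres:10-alpine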

+ 5
- 0
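--- /dev/null
+++ b/docker/database.yml
@@ -0,0 +1,5 @@
+development: &pgsql
+  url: <%= ENV['DATABASE_URL'] %>
+
+production: &production
+  <<: *pgsql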
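Review bot: The `url:` value on the second line is an ERB tag, so this file only works if every consumer evaluates ERB before parsing YAML; the Rails path for `config/database.yml` (where the Dockerfile copies it) does, but whether the loader behind msfconsole's `-y` option does should be confirmed, otherwise the literal string `<%= ENV['DATABASE_URL'] %>` becomes the connection URL. The `&production` anchor is declared but never referenced and can be dropped to `production:`. A one-line header would explain why this file exists next to the normal config, e.g. `# container-only DB config: the connection is taken from $DATABASE_URL (set in docker-compose*.yml)`.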

+ 24
- 11
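--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -5,16 +5,29 @@ MSF_GROUP=msf
 TMP=${MSF_UID:=1000}
 TMP=${MSF_GID:=1000}
 
-# don't recreate system users like root
-if [ "$MSF_UID" -lt "1000" ]; then
-  MSF_UID=1000
-fi
+# if the user starts the container as root or another system user,
+# don't use a low privileged user as we mount the home directory
+if [ "$MSF_UID" -eq "0" ]; then
+  "$@"
+else
+  # if the users group already exists, create a random GID, otherwise
+  # reuse it
+  if ! grep ":$MSF_GID:" /etc/group > /dev/null; then
+    echo "asdf"
+    addgroup -g $MSF_GID $MSF_GROUP
+  else
+    addgroup $MSF_GROUP
+  fi
 
-if [ "$MSF_GID" -lt "1000" ]; then
-  MSF_GID=1000
+  # check if user id already exists
+  if ! grep ":$MSF_UID:" /etc/passwd > /dev/null; then
+    echo "cvbb"
+    adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
+    # add user to metasploit group so it can read the source
+    addgroup $MSF_USER $METASPLOIT_GROUP
+    su-exec $MSF_USER "$@"
+  # fall back to root exec if the user id already exists
+  else
+    "$@"
+  fi
 fi
-
-addgroup -g $MSF_GID $MSF_GROUP
-adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
-
-su-exec $MSF_USER "$@"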
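Review bot: The inner `else` branch silently runs the command as root whenever an account with MSF_UID already exists, which defeats the privilege drop the rest of the branch is there for; it is safer to resolve the existing account name and su-exec to it than to fall back to root. The `grep ":$MSF_UID:" /etc/passwd` test also matches the GID column of any passwd entry, so a user whose primary group id equals MSF_UID triggers that root fallback; matching field 3 exactly avoids it. Both `"$@"` calls and the `su-exec` call should be prefixed with `exec` so msfconsole becomes PID 1 and receives SIGTERM from `docker stop`, and the `echo "asdf"` / `echo "cvbb"` lines look like leftover debug output. The comment above the group check says the inverse of what the code does (the branch that finds no existing GID is the one that reuses `-g $MSF_GID`), and the script's head (`set -e`, MSF_USER) is outside the hunk, so error handling of a failed `adduser` cannot be judged here.

```shell
# … unchanged: defaults, root short-circuit and group creation …
  # resolve the account that owns MSF_UID (field 3 only); create it if absent
  existing=$(awk -F: -v uid="$MSF_UID" '$3 == uid { print $1; exit }' /etc/passwd)
  if [ -z "$existing" ]; then
    adduser -u "$MSF_UID" -D "$MSF_USER" -g "$MSF_USER" -G "$MSF_GROUP" "$MSF_USER"
  else
    MSF_USER=$existing
  fi
  # add user to metasploit group so it can read the source
  addgroup "$MSF_USER" "$METASPLOIT_GROUP"
  exec su-exec "$MSF_USER" "$@"
fi
```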
