From: Lennart Poettering Date: Fri, 14 Feb 2014 15:35:18 +0000 (+0100) Subject: nspawn: don't accept just any tree to execute X-Git-Tag: v209~136 X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=commitdiff_plain;h=6b9132a9c40355356b4d4f5b20b6338c0eb74dfa nspawn: don't accept just any tree to execute When invoked without -D in an arbitrary directory we should not try to execute anything, make some validity checks first.
---
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 3a6d428cd..2a0edf6ab 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1555,9 +1555,21 @@ int main(int argc, char *argv[]) {
 goto finish;
 }
- if (arg_boot && path_is_os_tree(arg_directory) <= 0) {
- log_error("Directory %s doesn't look like an OS root directory (/etc/os-release is missing). Refusing.", arg_directory);
- goto finish;
+ if (arg_boot) {
+ if (path_is_os_tree(arg_directory) <= 0) {
+ log_error("Directory %s doesn't look like an OS root directory (/etc/os-release is missing). Refusing.", arg_directory);
+ goto finish;
+ }
+ } else {
+ const char *p;
+
+ p = strappenda(arg_directory,
+ argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
+ if (access(p, F_OK) < 0) {
+ log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
+ goto finish;
+
+ }
 }
 log_close();
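Review bot: The new `access(p, F_OK)` check in the `else` branch runs against the host's view of the filesystem, so an absolute symlink anywhere along `p` (for example a tree whose `/usr/bin` or target binary is an absolute link) resolves against the host root rather than against `arg_directory`, and the test can pass or fail because of host files. It also proves only that the path exists at check time, not that it is executable or unchanged when the payload is later run (that code is outside this hunk), so it is a usability guard and not validation of an untrusted tree. I would say so next to the call, e.g. `/* Sanity check only: symlinks in p resolve against the host root, and F_OK does not imply the file is executable. */`. Separately, the stray blank `+` line before the closing brace of the `if (access(...))` block can be dropped. `main()` begins and ends outside this hunk.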