How to disable a bash builtin inside a docker container


I am trying to disable the builtin kill in the bash running inside the container, and I would like to know if it is possible to run a command after the container starts running, or if it is possible to run /bin/bash with some specific parameter to disable a builtin function.

I have a Dockerfile with the following content:

...
ENTRYPOINT [ "/entrypoint.sh" ]

CMD [ "/bin/bash" ]

in the entrypoint.sh, I have the following:

#!/bin/bash

exec "$@"

What I know I can do to disable kill is run the command enable -n kill, and the builtin will be disabled. But this only works if I run the command inside the container (after exec when I docker run).

Is there some way to disable the kill builtin in the entrypoint or in the Dockerfile?

2

There are 2 answers

0
larsks On

As I mentioned in the comments on your question, I think the only way to do this effectively (that is, in a way that isn't easy for someone to re-enable the kill command) is to build a custom bash binary with the kill command disabled.

Here's one option for that; we replace the kill builtin with a modified command that reports The kill command is not available in this shell. when someone runs kill. This is a multi-stage Dockerfile -- we perform the custom build in the first stage, and then copy just the bash binary into the final image.

FROM docker.io/debian:bookworm AS builder

RUN apt update
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install gcc make autoconf automake libtool git

WORKDIR /src/bash
RUN git clone https://git.savannah.gnu.org/git/bash.git .
COPY <<'EOF' ./builtins/kill.def
$PRODUCES kill.c

$BUILTIN kill
$FUNCTION kill_builtin
$SHORT_DOC kill (disabled)
The kill command is not available in this shell.
$END

#include <config.h>
#include <stdio.h>
#include <signal.h>
#include "../shell.h"

int
kill_builtin (list)
     WORD_LIST *list;
{
  /* Arguments are ignored: every invocation only reports that kill is unavailable. */
  fprintf(stderr, "The kill command is not available in this shell.\n");
  return (EXECUTION_FAILURE);
}
EOF
RUN ./configure --prefix=/usr
RUN make
RUN mkdir -p /tmp/bash && make install DESTDIR=/tmp/bash

FROM docker.io/debian:bookworm

COPY --from=builder /tmp/bash/usr/bin/bash /usr/bin/bash

CMD ["/usr/bin/bash"]

Using this looks like:

$ podman run -it --rm bash-nokill
bash-5.2# kill
The kill command is not available in this shell.
bash-5.2# help kill
kill: kill (disabled)
    The kill command is not available in this shell.
bash-5.2#
0
Diego Torres Milano On

You can run bash --restricted; after processing any startup file (where you can disable builtins), these restrictions are applied (among others):

  • Adding or deleting builtin commands with the -f and -d options to the enable builtin.
  • Using the enable builtin command to enable disabled shell builtins.

See the full list at https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html
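A runnable version of the second answer's approach, added here as an example and not taken from the question or either answer. It assumes a host bash built with restricted-shell support and sources the startup file through BASH_ENV (the non-interactive counterpart of --rcfile), and it also checks a gap neither answer mentions: disabling the builtin does not remove an external /bin/kill found through PATH, so the same startup file pins PATH before -r makes it read-only.

```shell
#!/bin/bash
# Added example (not code from the question or either answer): the second
# answer's approach, runnable on any host with bash. A startup file sourced via
# BASH_ENV runs `enable -n kill` before --restricted takes effect; -r then refuses
# `enable kill`. It also shows that an external /bin/kill stays reachable via PATH.

# Write a startup file (constructed here). With "pin-path", PATH is also set
# to a directory holding no commands; -r then makes PATH read-only.
make_startup_file() {
    local f
    f=$(mktemp)
    printf 'enable -n kill\n' > "$f"
    if [ "$1" = pin-path ]; then
        printf 'PATH=/nonexistent\n' >> "$f"
    fi
    printf '%s\n' "$f"
}

# Launch a restricted, non-interactive bash that sources FILE through BASH_ENV.
# stdin is /dev/null and SSH_CLIENT is cleared because a non-interactive bash
# that believes sshd started it reads ~/.bashrc instead of BASH_ENV.
restricted_bash() {
    local file=$1; shift
    env -u SSH_CLIENT -u SSH2_CLIENT BASH_ENV="$file" bash --restricted "$@" </dev/null
}

# Run CMD in that shell and print its exit status instead of failing, so the
# function is safe to call under set -e.
run_restricted() {
    local file=$1 cmd=$2 status=0
    restricted_bash "$file" -c "$cmd" >/dev/null 2>&1 || status=$?
    echo "$status"
}

# Print what `kill` resolves to in that shell: "builtin", "file", or "none"
# when neither the builtin nor an external command is reachable.
kill_resolves_to() {
    local file=$1 out
    out=$(restricted_bash "$file" -c 'type -t kill' 2>/dev/null) || true
    printf '%s\n' "${out:-none}"
}

loose=$(make_startup_file)
pinned=$(make_startup_file pin-path)
echo "builtin disabled only:       kill -> $(kill_resolves_to "$loose")"
echo "builtin disabled + PATH pin: kill -> $(kill_resolves_to "$pinned")"
echo "'kill -l' exit status:       $(run_restricted "$pinned" 'kill -l')"
echo "'enable kill' exit status:   $(run_restricted "$pinned" 'enable kill')"
rm -f "$loose" "$pinned"
```

With only the builtin disabled, the first line typically reports `file` (the external /bin/kill); with PATH pinned it reports `none`, `kill -l` exits 127, and `enable kill` is refused by restricted mode.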