diff --git a/Dockerfile b/Dockerfile index 93c33b629781..24337e8b7f00 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,6 @@ LABEL maintainer="Rapid7" ARG BUNDLER_ARGS="--jobs=8 --without development test coverage" ENV APP_HOME /usr/src/metasploit-framework/ -ENV MSF_USER msf ENV NMAP_PRIVILEGED="" ENV BUNDLE_IGNORE_MESSAGES="true" WORKDIR $APP_HOME @@ -15,6 +14,7 @@ COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb RUN apk update && \ apk add \ + bash \ sqlite-libs \ nmap \ nmap-scripts \ @@ -24,6 +24,7 @@ RUN apk update && \ python3 \ ncurses \ libcap \ + su-exec \ && apk add --virtual .ruby-builddeps \ autoconf \ bison \ @@ -47,13 +48,16 @@ RUN apk update && \ && apk del .ruby-builddeps \ && rm -rf /var/cache/apk/* -RUN adduser -g msfconsole -D $MSF_USER -u 1000 - RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby) RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap) -USER $MSF_USER - ADD ./ $APP_HOME +# we need this entrypoint to dynamically create a user +# matching the hosts UID and GID so we can mount something +# from the users home directory. If the IDs don't match +# it results in access denied errors. Once docker has +# a solution for this we can revert it back to normal +ENTRYPOINT ["docker/entrypoint.sh"] + CMD ["./msfconsole", "-r", "docker/msfconsole.rc"] diff --git a/docker/README.md b/docker/README.md index cec9d0207034..f84b6820ce10 100644 --- a/docker/README.md +++ b/docker/README.md 
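Review bot: The only consumer of the newly added `bash` package is the new `docker/entrypoint.sh`, and nothing in that script needs bash — it uses `[ ]`, `${VAR:=default}` and plain assignments, all POSIX sh that busybox ash already provides. Dropping `bash \` from the `apk add` list and giving the script a `#!/bin/sh` shebang keeps the runtime image one package smaller. If bash is wanted for interactive use inside the container that is a fine reason, but then a comment on the line saying so would stop the next reader from removing it.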
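Review bot: With `USER $MSF_USER` removed, the image now starts as root and depends entirely on `docker/entrypoint.sh` to drop privileges, so anything that bypasses it — `docker run --entrypoint`, `docker exec`, or a compose override — runs msfconsole as root with the `cap_net_raw`-capable ruby and nmap binaries; the comment above `ENTRYPOINT` should say this explicitly rather than only explaining the UID-matching motivation. The exec-form `ENTRYPOINT ["docker/entrypoint.sh"]` is a relative path resolved against the working directory at run time, so `docker run -w /tmp …` fails with "no such file"; use the absolute path, `ENTRYPOINT ["/usr/src/metasploit-framework/docker/entrypoint.sh"]`, matching the `ENV APP_HOME` above (exec form does not expand `$APP_HOME`). `ADD ./ $APP_HOME` still copies the tree root-owned, which works because the runtime user only needs read access, but `COPY` is the conventional instruction for a local directory.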
@@ -3,22 +3,25 @@ To run `msfconsole` ```bash -docker-compose build -docker-compose run --rm --service-ports ms +./docker/bin/msfconsole ``` + or + ```bash -./docker/bin/msfconsole +docker-compose build +docker-compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ``` - To run `msfvenom` ```bash -docker-compose build -docker-compose run --rm --no-deps ms ./msfvenom +./docker/bin/msfvenom ``` + or + ```bash -./docker/bin/msfvenom +docker-compose build +docker-compose run --rm --no-deps -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfvenom ``` You can pass any command line arguments to the binstubs or the docker-compose command and they will be passed to `msfconsole` or `msfvenom`. If you need to rebuild an image (for example when the Gemfile changes) you need to build the docker image using `docker-compose build` or supply the `--rebuild` parameter to the binstubs. diff --git a/docker/bin/msfconsole b/docker/bin/msfconsole index 36fa9ee1a877..50f37a5d2234 100755 --- a/docker/bin/msfconsole +++ b/docker/bin/msfconsole @@ -27,10 +27,4 @@ if [[ $PARAMS == *"--rebuild"* ]]; then exit $? fi -# workaround if current user id is not the same as in the container. -# Otherwise the ~/.msf4 folder is not writeable -if [[ $EUID -ne 1000 ]]; then - docker-compose run --rm -u root --service-ports ms ./msfconsole -r docker/msfconsole.rc "$PARAMS" -else - docker-compose run --rm --service-ports ms ./msfconsole -r docker/msfconsole.rc "$PARAMS" -fi +docker-compose run --rm --service-ports -e MSF_UID=$(id -u) -e MSF_GID=$(id -g) ms ./msfconsole -r docker/msfconsole.rc "$PARAMS" diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh new file mode 100755 index 000000000000..2acd432c2c4b --- /dev/null +++ b/docker/entrypoint.sh 
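Review bot: The rewritten `docker-compose run … ms ./msfconsole -r docker/msfconsole.rc "$PARAMS"` passes the user's arguments as a single word: `$PARAMS` is a scalar (the context line tests it with `[[ $PARAMS == *"--rebuild"* ]]`), so `./docker/bin/msfconsole -q -x "db_status"` reaches msfconsole as one argument `-q -x db_status`. Since this line is being replaced anyway, it is the moment to pass the arguments through intact — keep them in an array (`PARAMS=("$@")`) and expand with `"${PARAMS[@]}"`. `PARAMS` is assigned outside this hunk, so confirm how it is built before changing the expansion.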
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+MSF_USER=msf
+MSF_GROUP=msf
+TMP=${MSF_UID:=1000}
+TMP=${MSF_GID:=1000}
+
+# don't recreate system users like root
+if [ "$MSF_UID" -lt "1000" ]; then
+ MSF_UID=1000
+fi
+
+if [ "$MSF_GID" -lt "1000" ]; then
+ MSF_GID=1000
+fi
+
+addgroup -g $MSF_GID $MSF_GROUP
+adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
+
+su-exec $MSF_USER "$@"
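Review bot: The last line `su-exec $MSF_USER "$@"` runs su-exec as a child of bash, so bash stays PID 1 and msfconsole never receives the SIGTERM from `docker stop`; it should be `exec su-exec "$MSF_USER" "$@"`. `MSF_UID` and `MSF_GID` come straight from the caller's environment into `[ -lt ]`, `addgroup` and `adduser` with no `set -e` and no check that they are integers, so a malformed value yields a failed test, a failed adduser, and then su-exec being asked for a user that does not exist; `set -eu` plus a digits-only check fails early with a clear message instead. The trailing `$MSF_USER` on the adduser line duplicates the USER already given after `-D`, and busybox documents the form as `adduser [OPTIONS] USER [GROUP]`, so that second positional is probably read as a group name — verify against the busybox in the image and drop it if so. The clamp to 1000 also means a host user with a UID below 1000 still gets a mismatched owner on the bind-mounted `~/.msf4` this change exists to fix, which deserves a comment on the `-lt` check.

```shell
#!/bin/bash
set -eu

MSF_USER=msf
MSF_GROUP=msf
: "${MSF_UID:=1000}"
: "${MSF_GID:=1000}"

# MSF_UID/MSF_GID are caller-supplied: accept digits only before they reach adduser
case "$MSF_UID$MSF_GID" in
  *[!0-9]*) echo "MSF_UID and MSF_GID must be numeric" >&2; exit 1 ;;
esac

# … unchanged: clamp of ids below 1000 to 1000 …

addgroup -g "$MSF_GID" "$MSF_GROUP"
adduser -u "$MSF_UID" -D -g "$MSF_USER" -G "$MSF_GROUP" "$MSF_USER"

# exec so msfconsole becomes PID 1 and receives docker stop's SIGTERM
exec su-exec "$MSF_USER" "$@"
```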