From 3582a1004c23b1fda67268855942081fa5919f6e Mon Sep 17 00:00:00 2001 From: Leon van Kammen Date: Fri, 7 Feb 2025 20:58:49 +0100 Subject: [PATCH] added bubblewrap docs + script --- README.md | 5 ++++- bin/README.md | 3 +++ bin/bubblewrap.sh | 19 +++++++++++++++++++ 3 files changed, 26 insertions(+), 1 deletion(-) create mode 100755 bin/bubblewrap.sh diff --git a/README.md b/README.md index 54f9521f..c24f1271 100644 --- a/README.md +++ b/README.md @@ -144,6 +144,9 @@ just run **[copyparty-sfx.py](https://github.com/9001/copyparty/releases/latest/ * or if you are on android, [install copyparty in termux](#install-on-android) * or maybe you have a [synology nas / dsm](./docs/synology-dsm.md) * or if your computer is messed up and nothing else works, [try the pyz](#zipapp) +* or if you don't trust copyparty yet and want to isolate it a little, then... + * ...maybe [prisonparty](./bin/prisonparty.sh) to create a tiny [chroot](https://wiki.archlinux.org/title/Chroot) (very portable), + * ...or [bubbleparty](./bin/bubbleparty.sh) to wrap it in [bubblewrap](https://github.com/containers/bubblewrap) (much better) * or if you prefer to [use docker](./scripts/docker/) 🐋 you can do that too * docker has all deps built-in, so skip this step: 
@@ -1186,7 +1189,7 @@ dependencies: `python3 -m pip install --user -U impacket==0.11.0` some **BIG WARNINGS** specific to SMB/CIFS, in decreasing importance: * not entirely confident that read-only is read-only -* the smb backend is not fully integrated with vfs, meaning there could be security issues (path traversal). Please use `--smb-port` (see below) and [prisonparty](./bin/prisonparty.sh) +* the smb backend is not fully integrated with vfs, meaning there could be security issues (path traversal). Please use `--smb-port` (see below) and [prisonparty](./bin/prisonparty.sh) or [bubbleparty](./bin/bubbleparty.sh) * account passwords work per-volume as expected, and so does account permissions (read/write/move/delete), but `--smbw` must be given to allow write-access from smb * [shadowing](#shadowing) probably works as expected but no guarantees diff --git a/bin/README.md b/bin/README.md index 495292a7..c8eca2a1 100644 --- a/bin/README.md +++ b/bin/README.md @@ -78,3 +78,6 @@ cd /mnt/nas/music/.hist # [`prisonparty.sh`](prisonparty.sh) * run copyparty in a chroot, preventing any accidental file access * creates bindmounts for /bin, /lib, and so on, see `sysdirs=` + +# [`bubblewrap.sh`](bubblewrap.sh) +* run copyparty in an isolated process, preventing any accidental file access and more diff --git a/bin/bubblewrap.sh b/bin/bubblewrap.sh new file mode 100755 index 00000000..57eea8c2 --- /dev/null +++ b/bin/bubblewrap.sh @@ -0,0 +1,19 @@ +#!/bin/sh +# usage: ./bubblewrap.sh ./copyparty-sfx.py .... +bwrap \ + --unshare-all \ + --ro-bind /usr /usr \ + --ro-bind /bin /bin \ + --ro-bind /lib /lib \ + --ro-bind /etc/resolv.conf /etc/resolv.conf \ + --dev-bind /dev /dev \ + --dir /tmp \ + --dir /var \ + --bind $(pwd) $(pwd) \ + --share-net \ + --die-with-parent \ + --file 11 /etc/passwd \ + --file 12 /etc/group \ + "$@" \ + 11< <(getent passwd $(id -u) 65534) \ + 12< <(getent group $(id -g) 65534)
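Review bot: the two new bullets in the first README.md hunk link to `./bin/bubbleparty.sh`, but the file this patch creates is `bin/bubblewrap.sh` (and the bin/README.md heading also says `bubblewrap.sh`), so both links will be dead. Either rename the script to `bubbleparty.sh` or point the links at `./bin/bubblewrap.sh`. The "(much better)" claim would also read better with a short reason, e.g. that bubblewrap uses user/pid/ipc namespaces rather than a plain chroot.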
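Review bot: the SMB warning hunk has the same broken link, `[bubbleparty](./bin/bubbleparty.sh)`, while the script added in this patch is `bin/bubblewrap.sh`; fix the path or the filename so the security advice in the BIG WARNINGS section actually resolves.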
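Review bot: in the bin/README.md hunk, "preventing any accidental file access and more" is too vague for a security-oriented entry; say what the script actually sets up, which the flags in bubblewrap.sh already spell out: read-only binds of /usr, /bin, /lib and /etc/resolv.conf, fresh empty /tmp and /var, a read-write bind of the current directory only, a minimal /etc/passwd and /etc/group, and separate pid/ipc/user namespaces via `--unshare-all` with only the network shared. It is also worth noting that it requires the `bwrap` binary to be installed, unlike prisonparty.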
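Review bot: the shebang in bin/bubblewrap.sh is `#!/bin/sh`, but the last two lines use process substitution (`11< <(getent passwd ...)`), which is a bash/zsh feature and not POSIX sh; on systems where /bin/sh is dash the script fails with a syntax error before bwrap ever starts. Change the first line to `#!/bin/bash` (or `#!/usr/bin/env bash`). Two smaller points in the same hunk: `--bind $(pwd) $(pwd)` should be `--bind "$(pwd)" "$(pwd)"` so a working directory containing spaces does not split into extra arguments, and `--dev-bind /dev /dev` exposes every host device node inside the sandbox, whereas `--dev /dev` would give the process a minimal /dev, which is all a file server normally needs.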