From c6664a4990c5efee5b9bfb7d515cf48030ea4708 Mon Sep 17 00:00:00 2001 From: Nordine Bittich Date: Mon, 23 Jun 2025 15:01:36 +0200 Subject: [PATCH 1/4] privileged mode --- mu | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) diff --git a/mu b/mu index ed35ae7..77971f2 100755 --- a/mu +++ b/mu @@ -1,5 +1,5 @@ #!/usr/bin/env bash -MU_CLI_VERSION="1.0.3" +MU_CLI_VERSION="boom" #### ## Sending command info @@ -455,6 +455,18 @@ then fi echo -n "." + privileged_mode=`echo "$command_spec" | $interactive_cli jq -r '.environment.privileged // false'` + echo -n "." + privileged="" + if [[ true == "$privileged_mode" ]]; + then + read -p "The script you're about to run needs privileged mode. Are you sure? " -n 1 -r + if [[ $REPLY =~ ^[Yy]$ ]] + then + privileged=" --privileged " + fi + fi + echo -n "." network_options=$() join_networks=`echo "$command_spec" | $interactive_cli jq -r '.environment.join_networks // false'` echo -n "." @@ -470,7 +482,7 @@ then then volume_mounts+=(--volume $PWD:$app_mount_point) fi - docker run ${network_options[@]} ${volume_mounts[@]} $it -w $working_directory --rm --entrypoint ./$entry_point $image_name "${arguments[@]}" + docker run ${network_options[@]} ${volume_mounts[@]} $privileged $it -w $working_directory --rm --entrypoint ./$entry_point $image_name "${arguments[@]}" elif [[ -f "Dockerfile" ]] then # A script for developing a microservice 
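Review bot: In the `@@ -455,6 +455,18 @@` hunk, declining the privileged-mode prompt leaves `privileged` empty and execution falls through to the `docker run` in the next hunk, so a script declared as needing privileged mode is still started, just without `--privileged`, and will most likely fail in a less obvious way later. A declined confirmation should abort with a non-zero status, e.g. an `else` branch on the `REPLY` test with `echo; echo "Aborted." >&2; exit 1`. The same block is duplicated verbatim at `@@ -608,11 +620,23 @@` and would benefit from a shared function (say `confirm_privileged`) so both call sites stay in sync. `$privileged` is deliberately left unquoted so an empty value vanishes from the command line; a one-line comment saying so, `# intentionally unquoted: empty or " --privileged "`, would stop a later quoting cleanup from passing an empty argument to docker.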
@@ -608,11 +620,23 @@ then status_step # 21 + privileged_mode=`echo "$command_spec" | $interactive_cli jq -r '.environment.privileged // false'` + privileged="" + if [[ true == "$privileged_mode" ]]; + then + read -p "The script you're about to run needs privileged mode. Are you sure? " -n 1 -r + if [[ $REPLY =~ ^[Yy]$ ]] + then + privileged=" --privileged " + fi + fi + status_step # 22 + echo " DONE" echo "Executing script $command ${arguments[@]}" - docker run ${docker_volumes[@]} ${docker_environment_variables[@]} $it -w $working_directory --rm --entrypoint ./$entry_point $image_name "${arguments[@]}" + docker run ${docker_volumes[@]} ${docker_environment_variables[@]} $privileged $it -w $working_directory --rm --entrypoint ./$entry_point $image_name "${arguments[@]}" exit 0 else echo "Did not recognise location" From 495cbaf46738899a368ea1df73125d4bdc8f8565 Mon Sep 17 00:00:00 2001 From: Nordine Bittich Date: Tue, 24 Jun 2025 14:55:56 +0200 Subject: [PATCH 2/4] add readme --- README.md | 1 + mu | 11 +++++------ 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 64162b1..e5776c9 100644 --- a/README.md +++ b/README.md 
@@ -343,6 +343,7 @@ This section describes the config.json as currently specified. The section is a - **`scripts.environment`**: JSON object describing the general environment in which the script will run. - **`scripts.environment.image`**: Docker image of the container in which the script will run. This does not need to be the same as the image of the service. - **`scripts.environment.interactive`**: When set to true, your Docker container is ran in interactive mode and can thus receive input from the user. Non-interactive scripts are easier to call by external scripts. +- **`scripts.environment.privileged`**: If the script needs to run in privileged mode (sharing the docker sock) - **`scripts.environment.join_networks`**: For scripts which run in a project, this will make the script container join the default network. Set to `true` to activate this option. - **`scripts.environment.script`**: The script which will be ran. Make sure this script is executable (`chmod a+x your-script.sh`). If the script can be ran by your container as a script, it's fine. You could use a shebang like `#!/usr/bin/ruby` as the first line of your script to run a ruby script, or you could have a standard shell script which launches something totally different. - **`scripts.mounts.app`**: For scripts which run in a project, this is the place where the full project folder will be mounted. It allows you to do things like create new files for the project. diff --git a/mu b/mu index 77971f2..54c8ab2 100755 --- a/mu +++ b/mu @@ -359,12 +359,7 @@ then fi elif [[ "script" == $1 ]] then - # Check if we are in a project or in a service - if [[ -f ./docker-compose.yml && -f Dockerfile ]] - then - echo "mu script is not supported in folders which have a Dockerfile and a docker-compose.yml" - exit 1 - elif [[ -f ./docker-compose.yml ]] + if [[ -f ./docker-compose.yml ]] then service=$2 command=$3 
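Review bot: The precedence between `docker-compose.yml` and `Dockerfile` becomes implicit in the `@@ -359,12 +359,7 @@` hunk: a folder holding both files, which the removed check refused outright, now silently takes the compose branch, and the `elif [[ -f "Dockerfile" ]]` branch further down (outside this hunk) is only reached when no compose file exists. Neither the new code nor the commit message ("add readme") records this behaviour change, so a reader cannot tell whether the new precedence is intended or accidental. A comment on the new `if` would make it explicit: `# docker-compose.yml takes precedence: a folder with both files is treated as a project`. The enclosing `elif [[ "script" == $1 ]]` block continues outside the hunk.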
@@ -460,11 +455,13 @@ then privileged="" if [[ true == "$privileged_mode" ]]; then + echo read -p "The script you're about to run needs privileged mode. Are you sure? " -n 1 -r if [[ $REPLY =~ ^[Yy]$ ]] then privileged=" --privileged " fi + echo fi echo -n "." network_options=$() @@ -624,11 +621,13 @@ then privileged="" if [[ true == "$privileged_mode" ]]; then + echo read -p "The script you're about to run needs privileged mode. Are you sure? " -n 1 -r if [[ $REPLY =~ ^[Yy]$ ]] then privileged=" --privileged " fi + echo fi status_step # 22 From 282ebcb3bf1f776c5b3d48db4deba0d46031ce72 Mon Sep 17 00:00:00 2001 From: Nordine Bittich Date: Tue, 24 Jun 2025 14:58:35 +0200 Subject: [PATCH 3/4] bump mu cli --- mu | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mu b/mu index 54c8ab2..80dd0e5 100755 --- a/mu +++ b/mu @@ -1,5 +1,5 @@ #!/usr/bin/env bash -MU_CLI_VERSION="boom" +MU_CLI_VERSION="1.0.4" #### ## Sending command info From b796dfe9df0842f8e89edc16c49c2d21d70c64f4 Mon Sep 17 00:00:00 2001 From: Nordine Bittich Date: Wed, 13 Aug 2025 13:50:01 +0200 Subject: [PATCH 4/4] check entrypoint script based on a list of suspicious commands --- mu | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/mu b/mu index 80dd0e5..0766a12 100755 --- a/mu +++ b/mu @@ -1,5 +1,5 @@ #!/usr/bin/env bash -MU_CLI_VERSION="1.0.4" +MU_CLI_VERSION="1.0.3" #### ## Sending command info 
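Review bot: The `@@ -1,5 +1,5 @@` hunk of PATCH 4/4 changes `MU_CLI_VERSION` from `"1.0.4"` back to `"1.0.3"`, undoing the bump made in PATCH 3/4 of this same series; that reads like a rebase or merge artifact rather than an intended downgrade. Keep `MU_CLI_VERSION="1.0.4"` here (or bump it forward in its own commit) so the version string still identifies builds that contain the new entrypoint check.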
@@ -455,11 +455,34 @@ then privileged="" if [[ true == "$privileged_mode" ]]; then + entrypoint_script=/tmp/mu/cache/$container_id/scripts/$script_path echo - read -p "The script you're about to run needs privileged mode. Are you sure? " -n 1 -r + read -p "The script you're about to run needs privileged mode. Are you sure? (Y/N) " -n 1 -r if [[ $REPLY =~ ^[Yy]$ ]] then + suspicious_patterns=( + "wget" + ) + suspicious_found=false + suspicious_pat='' + for pat in "${suspicious_patterns[@]}"; do + if grep -qi "$pat" "$entrypoint_script"; then + suspicious_found=true + suspicious_pat=$pat + break + fi + done + + if $suspicious_found; then + echo + read -p "The script you're about to run has at least one suspicious pattern ('$suspicious_pat'), are you sure(Y/N)? " -n 1 -r + if [[ ! $REPLY =~ ^[Yy]$ ]]; then + exit 2 + fi + fi privileged=" --privileged " + else + exit 0 fi echo fi
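Review bot: The suspicious-pattern scan passes silently when `$entrypoint_script` does not exist or is not readable: `grep -qi` returns non-zero in that case exactly as it does for "no match", `suspicious_found` stays `false`, and `--privileged` is granted without any scan having happened. Guard the path before the loop, `[[ -r "$entrypoint_script" ]] || { echo "cannot read $entrypoint_script" >&2; exit 2; }`, and match the list as fixed strings with `grep -qiF -- "$pat"` so a future entry containing regex metacharacters or a leading dash is not misread. The new `else` branch exits with `0` when the user declines the privileged prompt while declining the second prompt exits with `2`; a declined confirmation should be non-zero in both places so a calling script can tell "aborted" from "ran". `$container_id` and `$script_path` are set outside this hunk, so whether the constructed `/tmp/mu/cache/...` path is the same file that later runs as `./$entry_point` cannot be verified here; a `# must be the same file docker executes as ./$entry_point` comment next to the assignment would record that invariant. Since the check is a keyword heuristic over the entrypoint file alone (a single entry, `wget`, in this commit), the prompt and README should describe it as a hint to the user rather than as a security control.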