[OPENJDK-312] Don't chmod /etc/passwd

CRI-O on OCP >= 4.2 generates a passwd line at runtime for the
running user's random UID, which removes the requirement for us
to do the same.

Fixes CVE-2021-20264.

Use nss_wrapper to provide passwd metadata for the running UID,
based on the template passwd line for the jboss user. Necessary
for OCP 3.11.

Signed-off-by: Jonathan Dowland <[email protected]>

Author: jmtd

modules/run/bash/artifacts/opt/jboss/container/java/run/run-java.sh

@@ -217,11 +217,10 @@ get_exec_args() {
   fi
 }
 
+# Ensure that the running UID has the "jboss" passwd metadata
 # XXX: Maybe we should make this an entrypoint for the image?
 function configure_passwd() {
-  sed "/^jboss/s/[^:]*/$(id -u)/3" /etc/passwd > /tmp/passwd
-  cat /tmp/passwd > /etc/passwd
-  rm /tmp/passwd
+  sed "/^jboss/s/[^:]*/$(id -u)/3" /etc/passwd > "$HOME/passwd"
 }
 
 # Start JVM

modules/run/bash/module.yaml

@@ -48,12 +48,24 @@ envs:
 - name: JAVA_ARGS
   description: Arguments passed to the `java` application.
 
+- name: LD_PRELOAD
+  value: libnss_wrapper.so
+- name: NSS_WRAPPER_PASSWD
+  value: /home/jboss/passwd
+- name: NSS_WRAPPER_GROUP
+  value: /etc/group
+
 execute:
 - script: configure.sh
 - script: backward_compatibility.sh
 
 modules:
   install:
+  - name: jboss.container.user
   - name: jboss.container.java.jvm.bash
   - name: jboss.container.util.logging.bash
   - name: jboss.container.openjdk.jdk
+
+packages:
+  install:
+  - nss_wrapper

modules/user/configure.sh

@@ -6,5 +6,5 @@ set -e
 # This ID is registered static ID for the JBoss EAP product
 # on RHEL which makes it safe to use.
 groupadd -r jboss -g 185 && useradd -u 185 -r -g root -G jboss -m -d /home/jboss -s /sbin/nologin -c "JBoss user" jboss
-chmod ug+rwX /home/jboss
-chmod 664 /etc/passwd
+cp /etc/passwd /home/jboss/passwd
+chmod ug+rwX /home/jboss /home/jboss/passwd