infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

change docker root exec

GSoC/Meterpreter_Web_Console
Christian Mehlmauer 2018-10-21 22:30:01 +02:00
parent 6660b1857b
commit e9da06a645
No known key found for this signature in database
GPG Key ID: DCF54A05D6E62591
6 changed files with 47 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.dockerignore
View File

@ -5,6 +5,8 @@ docker-compose*.yml
docker/ docker/
!docker/msfconsole.rc !docker/msfconsole.rc
!docker/entrypoint.sh !docker/entrypoint.sh
!docker/database.yml
Dockerfile
README.md README.md
.git/ .git/
.github/ .github/

21
Dockerfile
View File

@ -2,11 +2,11 @@ FROM ruby:2.5.1-alpine3.7 AS builder
LABEL maintainer="Rapid7" LABEL maintainer="Rapid7"
ARG BUNDLER_ARGS="--jobs=8 --without development test coverage" ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
ENV APP_HOME /usr/src/metasploit-framework/ ENV APP_HOME=/usr/src/metasploit-framework
ENV BUNDLE_IGNORE_MESSAGES="true" ENV BUNDLE_IGNORE_MESSAGES="true"
WORKDIR $APP_HOME WORKDIR $APP_HOME
COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
@ -40,23 +40,28 @@ RUN apk add --no-cache \
FROM ruby:2.5.1-alpine3.7 FROM ruby:2.5.1-alpine3.7
LABEL maintainer="Rapid7" LABEL maintainer="Rapid7"
ENV APP_HOME /usr/src/metasploit-framework/ ENV APP_HOME=/usr/src/metasploit-framework
ENV NMAP_PRIVILEGED="" ENV NMAP_PRIVILEGED=""
ENV METASPLOIT_GROUP=metasploit
COPY --from=builder /usr/local/bundle /usr/local/bundle # used for the copy command
COPY . $APP_HOME RUN addgroup -S $METASPLOIT_GROUP
RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby) RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap) RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
COPY --chown=root:metasploit . $APP_HOME/
RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
WORKDIR $APP_HOME WORKDIR $APP_HOME
# we need this entrypoint to dynamically create a user # we need this entrypoint to dynamically create a user
# matching the hosts UID and GID so we can mount something # matching the hosts UID and GID so we can mount something
# from the users home directory. If the IDs don't match # from the users home directory. If the IDs don't match
# it results in access denied errors. Once docker has # it results in access denied errors.
# a solution for this we can revert it back to normal
ENTRYPOINT ["docker/entrypoint.sh"] ENTRYPOINT ["docker/entrypoint.sh"]
CMD ["./msfconsole", "-r", "docker/msfconsole.rc"] CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]

2
docker-compose.override.yml
View File

@ -9,6 +9,6 @@ services:
BUNDLER_ARGS: --jobs=8 BUNDLER_ARGS: --jobs=8
image: metasploit:dev image: metasploit:dev
environment: environment:
DATABASE_URL: postgres://postgres@db:5432/msf_dev DATABASE_URL: postgres://postgres@db:5432/msf_dev?pool=200&timeout=5
volumes: volumes:
- .:/usr/src/metasploit-framework - .:/usr/src/metasploit-framework

3
docker-compose.yml
View File

@ -3,14 +3,13 @@ services:
ms: ms:
image: metasploitframework/metasploit-framework:latest image: metasploitframework/metasploit-framework:latest
environment: environment:
DATABASE_URL: postgres://postgres@db:5432/msf DATABASE_URL: postgres://postgres@db:5432/msf?pool=200&timeout=5
links: links:
- db - db
ports: ports:
- 4444:4444 - 4444:4444
volumes: volumes:
- $HOME/.msf4:/home/msf/.msf4 - $HOME/.msf4:/home/msf/.msf4
- /etc/localtime:/etc/localtime:ro
db: db:
image: postgres:10-alpine image: postgres:10-alpine

5
docker/database.yml Normal file
View File

@ -0,0 +1,5 @@
development: &pgsql
url: <%= ENV['DATABASE_URL'] %>
production: &production
<<: *pgsql

37
docker/entrypoint.sh
View File

@ -5,16 +5,29 @@ MSF_GROUP=msf
TMP=${MSF_UID:=1000} TMP=${MSF_UID:=1000}
TMP=${MSF_GID:=1000} TMP=${MSF_GID:=1000}
# don't recreate system users like root # if the user starts the container as root or another system user,
if [ "$MSF_UID" -lt "1000" ]; then # don't use a low privileged user as we mount the home directory
MSF_UID=1000 if [ "$MSF_UID" -eq "0" ]; then
"$@"
else
# if the users group already exists, create a random GID, otherwise
# reuse it
if ! grep ":$MSF_GID:" /etc/group > /dev/null; then
echo "asdf"
addgroup -g $MSF_GID $MSF_GROUP
else
addgroup $MSF_GROUP
fi
# check if user id already exists
if ! grep ":$MSF_UID:" /etc/passwd > /dev/null; then
echo "cvbb"
adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
# add user to metasploit group so it can read the source
addgroup $MSF_USER $METASPLOIT_GROUP
su-exec $MSF_USER "$@"
# fall back to root exec if the user id already exists
else
"$@"
fi
fi fi
if [ "$MSF_GID" -lt "1000" ]; then
MSF_GID=1000
fi
addgroup -g $MSF_GID $MSF_GROUP
adduser -u $MSF_UID -D $MSF_USER -g $MSF_USER -G $MSF_GROUP $MSF_USER
su-exec $MSF_USER "$@"