
I am trying to disable the builtin kill in the bash running inside the container, and I would like to know if it is possible to run a command after the container starts running, or if it is possible to run /bin/bash with some specific parameter to disable a builtin function.

I have a Dockerfile with the following content:

    ...
    ENTRYPOINT [ "/entrypoint.sh" ]

    CMD [ "/bin/bash" ]

in the entrypoint.sh, I have the following:

    #!/bin/bash

    exec "$@"

What I know I can do to disable kill is run the command enable -n kill, and the builtin will be disabled. But this only works if I run the command inside the container (after exec, when I docker run).

Is there some way to disable the kill builtin in the entrypoint or in the Dockerfile?

2 Answers


  1. A simple way is to put the enable -n kill command in the .bashrc file of the user running the container.

    FROM debian
    RUN echo 'enable -n kill' >> /root/.bashrc
    CMD tail -f /dev/null
    

    If you then interactively exec into the container, kill doesn’t work.

  2. As I mentioned in the comments on your question, I think the only way to do this effectively (that is, in a way that isn’t easy for someone to re-enable the kill command) is to build a custom bash binary with the kill command disabled.

    Here’s one option for that; we replace the kill builtin with a modified command that reports The kill command is not available in this shell. when someone runs kill. This is a multi-stage Dockerfile — we perform the custom build in the first stage, and then copy just the bash binary into the final image.

    FROM docker.io/debian:bookworm AS builder
    
    RUN apt-get update
    RUN DEBIAN_FRONTEND=noninteractive apt-get -y install gcc make autoconf automake libtool git
    
    WORKDIR /src/bash
    RUN git clone https://git.savannah.gnu.org/git/bash.git .
    COPY <<'EOF' ./builtins/kill.def
    $PRODUCES kill.c
    
    $BUILTIN kill
    $FUNCTION kill_builtin
    $SHORT_DOC kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
    The kill command is not available in this shell.
    $END
    
    #include <config.h>
    #include <stdio.h>
    #include <signal.h>
    #include "../shell.h"
    
    int
    kill_builtin (list)
         WORD_LIST *list;
    {
      fprintf(stderr, "The kill command is not available in this shell.\n");
      return (EXECUTION_FAILURE);
    }
    EOF
    RUN ./configure --prefix=/usr
    RUN make
    RUN mkdir -p /tmp/bash && make install DESTDIR=/tmp/bash
    
    FROM docker.io/debian:bookworm
    
    COPY --from=builder /tmp/bash/usr/bin/bash /usr/bin/bash
    
    CMD ["/usr/bin/bash"]
    

    Using this looks like:

    $ podman run -it --rm bash-nokill
    bash-5.2# kill
    The kill command is not available in this shell.
    bash-5.2# help kill
    kill: kill (disabled)
        The kill command is not available in this shell.
    bash-5.2#
    
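Added example, not part of either answer: a small POSIX sh helper that reports how kill resolves inside a given bash binary (the stock one, or the rebuilt /usr/bin/bash from the second answer) after an optional setup snippet. It makes the caveat behind the first approach visible: enable -n kill only hides the builtin, so an external kill on PATH (on Debian, procps installs /bin/kill) is still found; the function names and the stub kill are constructed for this demo.

```shell
#!/bin/sh
# Hypothetical helper (not from the page): report how `kill` resolves inside
# a bash binary after running an optional setup snippet first.
#   kill_resolution BASH_BIN [SNIPPET]
# Prints one of: builtin | file | function | alias | none
kill_resolution() {
    "$1" -c "${2:-:}; t=\$(type -t kill 2>/dev/null); printf '%s\n' \"\${t:-none}\""
}

# Demonstrate the caveat: once the builtin is disabled with `enable -n kill`,
# bash falls through to a PATH lookup. A constructed stub script stands in for
# an external kill such as the one procps installs as /bin/kill on Debian.
demo_external_fallback() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho "stub external kill"\n' > "$dir/kill"
    chmod +x "$dir/kill"
    kill_resolution "$1" "PATH=$dir; enable -n kill"   # -> file
    rm -rf "$dir"
}

# Manual usage: sh check_kill.sh /usr/bin/bash
if [ $# -gt 0 ]; then
    echo "stock:             $(kill_resolution "$1")"
    echo "enable -n kill:    $(kill_resolution "$1" 'enable -n kill')"
    echo "with stub on PATH: $(demo_external_fallback "$1")"
fi
```

Run it against the image built from the second answer to confirm that its replacement kill still reports as a builtin, which is what makes that approach hard to undo from inside the shell.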