Split tamper check between files/services

TheSpad 2022-06-10 16:29:36 +01:00
parent 36c3f7ffb5
commit 1dabda8b62
No known key found for this signature in database
GPG key ID: 08F06191F4587860
2 changed files with 24 additions and 18 deletions


@ -136,10 +136,6 @@ set_legacy_executable_bits
SERVICES_DIR_OLD="/config/custom-services.d" SERVICES_DIR_OLD="/config/custom-services.d"
SERVICES_DIR="/custom-services.d" SERVICES_DIR="/custom-services.d"
if [ -e "${SERVICES_DIR_OLD}" ]; then
chown -R 0:0 "${SERVICES_DIR_OLD}"
fi
# Remove all existing custom services before continuing to ensure # Remove all existing custom services before continuing to ensure
# we aren't running anything the user may have removed # we aren't running anything the user may have removed
if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then
@ -147,6 +143,20 @@ if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then
rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
fi fi
# Tamper check services
if ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then
echo "**** Potential tampering with custom scripts detected ****"
randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;)
mv "/config/custom-services.d" "/config/custom-services.d.${randstr}"
echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****"
echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
mkdir -p /config/custom-services.d
chown 0:0 /config/custom-services.d
elif ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then
echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \ if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \
{ [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
echo "[custom-init] no custom files found, exiting..." echo "[custom-init] no custom files found, exiting..."
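Review bot: The result of `mv "/config/custom-services.d" "/config/custom-services.d.${randstr}"` in the new tamper-check block is never checked, so a failed move (read-only or full volume, name collision) leaves the directory that just failed the ownership test in place. `mkdir -p` then succeeds on the existing folder, `chown 0:0` makes only its top level root-owned, and execution continues to the `${SERVICES_DIR_OLD}` listing below, so the check fails open. Make the quarantine fail closed, for example `if ! mv "/config/custom-services.d" "/config/custom-services.d.${randstr}"; then echo "**** Unable to move /config/custom-services.d, not loading custom services ****"; exit 1; fi`. The `mv` in the custom-cont-init.d check in the second file has the same gap. The rest of this script is outside the hunk, so whether `set -e` is active or how the folder is consumed afterwards cannot be confirmed from here.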


@ -1,18 +1,14 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
if ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d ! -user root)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then if ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d ! -user root)" ]); then
echo "**** Potential tampering with custom scripts/services detected ****" echo "**** Potential tampering with custom scripts detected ****"
randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;) randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;)
for folder in "/config/custom-cont-init.d" "/config/custom-services.d"; do mv "/config/custom-cont-init.d" "/config/custom-cont-init.d.${randstr}"
if [ -d "${folder}" ]; then echo "**** Folder /config/custom-cont-init.d is moved to /config/custom-cont-init.d.${randstr} ****"
mv "${folder}" "${folder}.${randstr}" echo "**** The folder '/config/custom-cont-init.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
echo "**** Folder ${folder} is moved to ${folder}.${randstr} ****" mkdir -p /config/custom-cont-init.d
fi chown 0:0 /config/custom-cont-init.d
done elif ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d -perm -o+w)" ]); then
echo "**** The folders '/config/custom-cont-init.d' and '/config/custom-services.d'; and their contents need to all be owned by root to prevent root escalation inside the container!!! ****" echo "**** The folder '/config/custom-cont-init.d' or some of its contents have write permissions for others, which is a security risk. ****"
mkdir -p /config/custom-cont-init.d /config/custom-services.d echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
chown 0:0 /config/custom-cont-init.d /config/custom-services.d
elif ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d -perm -o+w)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then
echo "**** The folders '/config/custom-cont-init.d' or '/config/custom-services.d'; or some of their contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of these two folders and their contents to make sure they are owned by root, and can only be modified by root. ****"
fi fi
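Review bot: The `elif` branch that tests `-perm -o+w` only prints a warning and leaves `/config/custom-cont-init.d` where it is, so content that any in-container user can rewrite is still treated as trusted. The script that consumes this folder is not shown, but the first branch's message about root escalation implies its contents run as root, and a root-owned, world-writable script may already have been edited by a non-root process. Consider quarantining in that case too by widening the first test to `find /config/custom-cont-init.d \( ! -user root -o \( ! -type l -perm -o+w \) \)`. The `! -type l` is there because symbolic links always report mode 0777 on Linux and would otherwise trigger the permission test on every link. The services check added in the other file has the same warn-only branch.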