From 68bbac5106b1fb57032d6b78d7eab7e58ae0f5b2 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Tue, 13 Sep 2022 11:01:41 +0100 Subject: [PATCH 1/4] Remove custom svc from user bundle --- root/docker-mods | 1 + 1 file changed, 1 insertion(+) diff --git a/root/docker-mods b/root/docker-mods index 5cb356a..1e4a329 100755 --- a/root/docker-mods +++ b/root/docker-mods @@ -110,6 +110,7 @@ process_custom_services_legacy() { if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then echo "[custom-init] removing existing custom services..." rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* + rm /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-* fi # Make sure custom service directory exists and has files in it From a7a7279625c775b4d89c7c7a6615384c77801277 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Tue, 13 Sep 2022 11:02:38 +0100 Subject: [PATCH 2/4] Don't write readme to services.d --- root/etc/s6-overlay/s6-rc.d/init-script-check/run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run index e20e12f..20c2c43 100755 --- a/root/etc/s6-overlay/s6-rc.d/init-script-check/run +++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run @@ -3,7 +3,7 @@ if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] || [[ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]]; then - cat << EOF | tee {/config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt} 2>/dev/null + cat << EOF | tee /config/custom-cont-init.d/README.txt 2>/dev/null ******************************************************** ******************************************************** * * From 8578bfaae91fbc4bf58cdfaeb817280c8bdc624d Mon Sep 17 00:00:00 2001 
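Review bot: The new `rm` on the user bundle runs without `-f`, unlike the `rm -rf` directly above it, so whenever `custom-svc-*` has no match under `user/contents.d/` (a service directory left behind without its bundle entry, for example) bash passes the literal pattern, `rm` prints an error and returns non-zero, and if the script runs under `set -e` (not visible from this hunk) processing would abort at this point. Suggest `rm -f -- /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-*` to match the line above. The identical line is added to process_custom_services() in PATCH 4/4 and needs the same change. Note also that the guard still keys only on the `s6-rc.d/custom-svc-*` directories, so a stale `contents.d` entry whose service directory is already gone is not cleaned up on this path; a comment such as `# also drop the user-bundle entries so s6-rc does not reference removed services` would make the intent of the pairing explicit. process_custom_services_legacy()'s body continues outside the hunk.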
From: TheSpad Date: Tue, 13 Sep 2022 11:13:24 +0100 Subject: [PATCH 3/4] Fix errors if custom dir is mounted but empty --- root/docker-mods | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/root/docker-mods b/root/docker-mods index 1e4a329..be850d2 100755 --- a/root/docker-mods +++ b/root/docker-mods 
@@ -17,18 +17,18 @@ set_legacy_executable_bits() { tamper_check() { #Tamper check custom service locations - if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* ! -user root)" ]]; then + if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* ! -user root 2>/dev/null)" ]]; then echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' are not owned by root, which is a security risk. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" - elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* -perm -o+w)" ]]; then + elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* -perm -o+w 2>/dev/null)" ]]; then echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' have write permissions for others, which is a security risk. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" fi #Tamper check custom script locations - if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* ! -user root)" ]]; then + if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* ! -user root 2>/dev/null)" ]]; then echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' are not owned by root, which is a security risk. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" - elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* -perm -o+w)" ]]; then + elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* -perm -o+w 2>/dev/null)" ]]; then echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' have write permissions for others, which is a security risk. 
****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" fi @@ -36,7 +36,7 @@ tamper_check() { tamper_check_legacy() { # Tamper check custom script locations - if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then + if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root 2>/dev/null)" ]]; then echo "[custom-init] **** Potential tampering with custom scripts detected ****" randstr=$( tr /dev/null)" ]]; then echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" fi # Tamper check custom service locations - if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then + if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root 2>/dev/null)" ]]; then echo "[custom-init] **** Potential tampering with custom scripts detected ****" randstr=$( tr /dev/null)" ]]; then echo "[custom-init] **** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" fi From a8d588a1ab6af25cbcbb04a1c9c5b5ed4ad118de Mon Sep 17 00:00:00 2001 From: TheSpad Date: Tue, 13 Sep 2022 11:19:49 +0100 Subject: [PATCH 4/4] Add user bundle removal to legacy block too --- root/docker-mods | 1 + 1 file changed, 1 insertion(+) diff --git a/root/docker-mods b/root/docker-mods index be850d2..d69b801 100755 --- a/root/docker-mods +++ b/root/docker-mods 
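Review bot: Adding `2>/dev/null` to every `find` in tamper_check() silences more than the empty-directory case it targets: the unquoted `${SERVICES_DIR}/*` glob is passed literally when nothing matches and that error is now hidden, but so is any other failure (an unreadable subtree, a directory name containing whitespace or glob characters), and an empty `$(...)` is then read as "nothing to report" so the tamper warning is skipped. Walking the directory itself avoids both the glob and the need to discard stderr, e.g. `if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find "${SERVICES_DIR}" -mindepth 1 ! -user root)" ]]; then` (GNU/busybox find), applied likewise to the `-perm -o+w` branch and the two `${SCRIPTS_DIR}` checks; as a side effect this also covers dot-prefixed entries, which `*` skips without `dotglob`. The second hunk (tamper_check_legacy()) already passes the directory rather than a glob, so with its `[[ -d ... ]]` guard the empty case does not error there and the added `2>/dev/null` can simply be dropped; that hunk's text is partly garbled in this view (`randstr=$( tr /dev/null)`) so I have not reviewed its remaining lines. tamper_check()'s closing brace lies outside the hunk.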
@@ -72,6 +72,7 @@ process_custom_services() { if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then echo "[custom-init] removing existing custom services..." rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* + rm /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-* fi # Make sure custom service directory exists and has files in it