Fix tamper check for custom files

2022-08-28 20:30:30 +01:00 · 2022-08-28 20:30:30 +01:00 · 5eb25b8357
parent 7f8d142552
commit 5eb25b8357
2 changed files with 30 additions and 27 deletions
--- a/root/docker-mods
+++ b/root/docker-mods
@ -9,10 +9,38 @@ set_legacy_executable_bits() {
        /etc/services.d/*/* 2>/dev/null || true
 }

-# Tamper check custom service locations
 tamper_check() {
+    SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
+    SCRIPTS_DIR="/custom-cont-init.d"
    SERVICES_DIR_OLD="/config/custom-services.d"
-    SERVICES_DIR="/custom-services.d"  
+    SERVICES_DIR="/custom-services.d"
+
+    # Tamper check custom script locations
+    if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then
+        echo "**** Potential tampering with custom scripts detected ****"
+        randstr=$(
+            tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
+            echo
+        )
+        mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}"
+        echo "**** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
+        echo "**** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
+        mkdir -p ${SCRIPTS_DIR_OLD}
+        chown 0:0 ${SCRIPTS_DIR_OLD}
+    elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w)" ]]; then
+        echo "**** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
+        echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+    fi
+
+    if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then
+        echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
+        echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+    elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then
+        echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
+        echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+    fi
+
+    # Tamper check custom service locations
    if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then
        echo "**** Potential tampering with custom scripts detected ****"
        randstr=$(
--- a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
@ -7,31 +7,6 @@ SCRIPTS_DIR="/custom-cont-init.d"

 SERVICES_DIR_OLD="/config/custom-services.d"

-# Tamper check custom script locations
-if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then
-    echo "**** Potential tampering with custom scripts detected ****"
-    randstr=$(
-        tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
-        echo
-    )
-    mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}"
-    echo "**** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
-    echo "**** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
-    mkdir -p ${SCRIPTS_DIR_OLD}
-    chown 0:0 ${SCRIPTS_DIR_OLD}
-elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w)" ]]; then
-    echo "**** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
-    echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
-fi
-
-if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then
-    echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
-    echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
-elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then
-    echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
-    echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
-fi
-
 # chown legacy folders if they exist
 if [[ -e "${SCRIPTS_DIR_OLD}" ]]; then
    chown -R 0:0 "${SCRIPTS_DIR_OLD}"