From 5eb25b8357da83fd5fd7f8ddb55fe8d11b4f28c5 Mon Sep 17 00:00:00 2001
From: TheSpad <git@spad.co.uk>
Date: Sun, 28 Aug 2022 20:30:30 +0100
Subject: [PATCH] Fix tamper check for custom files

---
 root/docker-mods                              | 32 +++++++++++++++++--
 .../s6-overlay/s6-rc.d/init-custom-files/run  | 25 ---------------
 2 files changed, 30 insertions(+), 27 deletions(-)

diff --git a/root/docker-mods b/root/docker-mods
index 17aa908..1ce68d2 100755
--- a/root/docker-mods
+++ b/root/docker-mods
@@ -9,10 +9,38 @@ set_legacy_executable_bits() {
         /etc/services.d/*/* 2>/dev/null || true
 }
 
-# Tamper check custom service locations
 tamper_check() {
+    SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
+    SCRIPTS_DIR="/custom-cont-init.d"
     SERVICES_DIR_OLD="/config/custom-services.d"
-    SERVICES_DIR="/custom-services.d"  
+    SERVICES_DIR="/custom-services.d"
+
+    # Tamper check custom script locations
+    if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then
+        echo "**** Potential tampering with custom scripts detected ****"
+        randstr=$(
+            tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
+            echo
+        )
+        mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}"
+        echo "**** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
+        echo "**** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
+        mkdir -p ${SCRIPTS_DIR_OLD}
+        chown 0:0 ${SCRIPTS_DIR_OLD}
+    elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w)" ]]; then
+        echo "**** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
+        echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+    fi
+
+    if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then
+        echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
+        echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+    elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then
+        echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
+        echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+    fi
+
+    # Tamper check custom service locations
     if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then
         echo "**** Potential tampering with custom scripts detected ****"
         randstr=$(
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
index 54ceb9a..a202b5b 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
@@ -7,31 +7,6 @@ SCRIPTS_DIR="/custom-cont-init.d"
 
 SERVICES_DIR_OLD="/config/custom-services.d"
 
-# Tamper check custom script locations
-if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then
-    echo "**** Potential tampering with custom scripts detected ****"
-    randstr=$(
-        tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
-        echo
-    )
-    mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}"
-    echo "**** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
-    echo "**** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
-    mkdir -p ${SCRIPTS_DIR_OLD}
-    chown 0:0 ${SCRIPTS_DIR_OLD}
-elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w)" ]]; then
-    echo "**** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
-    echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
-fi
-
-if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then
-    echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
-    echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
-elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then
-    echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
-    echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
-fi
-
 # chown legacy folders if they exist
 if [[ -e "${SCRIPTS_DIR_OLD}" ]]; then
     chown -R 0:0 "${SCRIPTS_DIR_OLD}"