Rework legacy custom file handling
This commit is contained in:
TheSpad
parent
61b7bb68e5
commit
82d4508817
111
root/docker-mods
111
root/docker-mods
|
|
@ -10,11 +10,25 @@ set_legacy_executable_bits() {
|
|||
}
|
||||
|
||||
tamper_check() {
|
||||
SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
|
||||
SCRIPTS_DIR="/custom-cont-init.d"
|
||||
SERVICES_DIR_OLD="/config/custom-services.d"
|
||||
SERVICES_DIR="/custom-services.d"
|
||||
#Tamper check custom service locations
|
||||
if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* ! -user root)" ]]; then
|
||||
echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' are not owned by root, which is a security risk. ****"
|
||||
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* -perm -o+w)" ]]; then
|
||||
echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' have write permissions for others, which is a security risk. ****"
|
||||
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
fi
|
||||
#Tamper check custom script locations
|
||||
if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* ! -user root)" ]]; then
|
||||
echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' are not owned by root, which is a security risk. ****"
|
||||
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* -perm -o+w)" ]]; then
|
||||
echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' have write permissions for others, which is a security risk. ****"
|
||||
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
fi
|
||||
}
|
||||
|
||||
tamper_check_legacy() {
|
||||
# Tamper check custom script locations
|
||||
if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then
|
||||
echo "**** Potential tampering with custom scripts detected ****"
|
||||
|
|
@ -23,54 +37,30 @@ tamper_check() {
|
|||
echo
|
||||
)
|
||||
mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}"
|
||||
echo "**** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
|
||||
echo "**** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
|
||||
mkdir -p ${SCRIPTS_DIR_OLD}
|
||||
chown 0:0 ${SCRIPTS_DIR_OLD}
|
||||
echo "[custom-init] **** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
|
||||
echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
|
||||
elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w)" ]]; then
|
||||
echo "**** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
|
||||
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
fi
|
||||
|
||||
if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then
|
||||
echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
|
||||
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then
|
||||
echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
|
||||
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
|
||||
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
fi
|
||||
|
||||
# Tamper check custom service locations
|
||||
if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then
|
||||
echo "**** Potential tampering with custom scripts detected ****"
|
||||
echo "[custom-init] **** Potential tampering with custom scripts detected ****"
|
||||
randstr=$(
|
||||
tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
|
||||
echo
|
||||
)
|
||||
mv "${SERVICES_DIR_OLD}" "${SERVICES_DIR_OLD}.${randstr}"
|
||||
echo "**** Folder ${SERVICES_DIR_OLD} is moved to ${SERVICES_DIR_OLD}.${randstr} ****"
|
||||
echo "**** The folder '${SERVICES_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
|
||||
mkdir -p ${SERVICES_DIR_OLD}
|
||||
chown 0:0 ${SERVICES_DIR_OLD}
|
||||
echo "[custom-init] **** Folder ${SERVICES_DIR_OLD} is moved to ${SERVICES_DIR_OLD}.${randstr} ****"
|
||||
echo "[custom-init] **** The folder '${SERVICES_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
|
||||
elif [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} -perm -o+w)" ]]; then
|
||||
echo "**** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
|
||||
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
fi
|
||||
|
||||
if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR} ! -user root)" ]]; then
|
||||
echo "**** The folder '${SERVICES_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
|
||||
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR} -perm -o+w)" ]]; then
|
||||
echo "**** The folder '${SERVICES_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
|
||||
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
echo "[custom-init] **** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
|
||||
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
|
||||
fi
|
||||
}
|
||||
|
||||
# Process Custom Services
|
||||
process_custom_services() {
|
||||
SERVICES_DIR_OLD="/config/custom-services.d"
|
||||
SERVICES_DIR="/custom-services.d"
|
||||
|
||||
# Remove all existing custom services before continuing to ensure
|
||||
# we aren't running anything the user may have removed
|
||||
if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then
|
||||
|
|
@ -78,15 +68,9 @@ process_custom_services() {
|
|||
rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
|
||||
fi
|
||||
|
||||
if [[ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]] &&
|
||||
[[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] no custom services found, skipping..."
|
||||
return
|
||||
fi
|
||||
|
||||
# Make sure custom service directory exists and has files in it
|
||||
if [[ -e "${SERVICES_DIR}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] service files found in ${SERVICES_DIR}"
|
||||
echo "[custom-init] Service files found in ${SERVICES_DIR}"
|
||||
for SERVICE in "${SERVICES_DIR}"/*; do
|
||||
NAME="$(basename "${SERVICE}")"
|
||||
if [[ -f "${SERVICE}" ]]; then
|
||||
|
|
@ -104,8 +88,25 @@ process_custom_services() {
|
|||
done
|
||||
fi
|
||||
|
||||
# Remove legacy folder if it's empty
|
||||
if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] Legacy service folder ${SERVICES_DIR_OLD} is empty, deleting..."
|
||||
rm -rf "${SERVICES_DIR_OLD}"
|
||||
fi
|
||||
}
|
||||
|
||||
process_custom_services_legacy() {
|
||||
|
||||
# Remove all existing custom services before continuing to ensure
|
||||
# we aren't running anything the user may have removed
|
||||
if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] removing existing custom services..."
|
||||
rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
|
||||
fi
|
||||
|
||||
# Make sure custom service directory exists and has files in it
|
||||
if [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] service files found in ${SERVICES_DIR_OLD}"
|
||||
echo "[custom-init] Service files found in ${SERVICES_DIR_OLD}"
|
||||
for SERVICE in "${SERVICES_DIR_OLD}"/*; do
|
||||
NAME="$(basename "${SERVICE}")"
|
||||
if [[ -f "${SERVICE}" ]]; then
|
||||
|
|
@ -121,6 +122,9 @@ process_custom_services() {
|
|||
echo "[custom-init] ${NAME}: is not a file"
|
||||
fi
|
||||
done
|
||||
elif [[ -e "${SERVICES_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] Legacy service folder ${SERVICES_DIR_OLD} is empty, deleting..."
|
||||
rm -rf "${SERVICES_DIR_OLD}"
|
||||
fi
|
||||
}
|
||||
|
||||
|
|
@ -251,11 +255,22 @@ run_mods() {
|
|||
done
|
||||
}
|
||||
|
||||
# Tamper check legacy services
|
||||
tamper_check
|
||||
# Main script loop
|
||||
|
||||
# Process any custom services
|
||||
SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
|
||||
SCRIPTS_DIR="/custom-cont-init.d"
|
||||
SERVICES_DIR_OLD="/config/custom-services.d"
|
||||
SERVICES_DIR="/custom-services.d"
|
||||
|
||||
if [ ! -d "/custom-cont-init.d" ] && [ ! -d "/custom-services.d" ]; then
|
||||
# Tamper check legacy custom folders
|
||||
tamper_check_legacy
|
||||
process_custom_services_legacy
|
||||
else
|
||||
# Tamper check new custom folders
|
||||
tamper_check
|
||||
process_custom_services
|
||||
fi
|
||||
|
||||
# Run mod logic
|
||||
if [[ -n "${DOCKER_MODS+x}" ]]; then
|
||||
|
|
|
|||
|
|
@ -17,15 +17,9 @@ if [[ -e "${SERVICES_DIR_OLD}" ]]; then
|
|||
chown -R 0:0 "${SERVICES_DIR_OLD}"
|
||||
fi
|
||||
|
||||
if [[ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]] &&
|
||||
[[ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] no custom files found, skipping..."
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Make sure custom init directory exists and has files in it
|
||||
if [[ -e "${SCRIPTS_DIR}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] files found, executing"
|
||||
echo "[custom-init] Files found, executing"
|
||||
for SCRIPT in "${SCRIPTS_DIR}"/*; do
|
||||
NAME="$(basename "${SCRIPT}")"
|
||||
if [[ -f "${SCRIPT}" ]]; then
|
||||
|
|
@ -36,10 +30,14 @@ if [[ -e "${SCRIPTS_DIR}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)"
|
|||
echo "[custom-init] ${NAME}: is not a file"
|
||||
fi
|
||||
done
|
||||
fi
|
||||
|
||||
if [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] files found, executing"
|
||||
# Remove legacy folder if it's empty
|
||||
if [[ -e "${SCRIPTS_DIR}" ]] && [[ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] Legacy service folder ${SCRIPTS_DIR} is empty, deleting..."
|
||||
rm -rf "${SCRIPTS_DIR}"
|
||||
fi
|
||||
elif [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] Files found, executing"
|
||||
for SCRIPT in "${SCRIPTS_DIR_OLD}"/*; do
|
||||
NAME="$(basename "${SCRIPT}")"
|
||||
if [[ -f "${SCRIPT}" ]]; then
|
||||
|
|
@ -50,4 +48,9 @@ if [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/de
|
|||
echo "[custom-init] ${NAME}: is not a file"
|
||||
fi
|
||||
done
|
||||
elif [[ -e "${SCRIPTS_DIR_OLD}" ]] && [[ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]]; then
|
||||
echo "[custom-init] Legacy files folder ${SCRIPTS_DIR_OLD} is empty, deleting..."
|
||||
rm -rf "${SCRIPTS_DIR_OLD}"
|
||||
else
|
||||
echo "[custom-init] No custom files found, skipping..."
|
||||
fi
|
||||
|
|
|
|||
Loading…
Reference in a new issue