meatbag/baseimage-alpine
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Fix tamper check for custom files

Browse source
This commit is contained in:
TheSpad 2022-08-28 20:31:20 +01:00
parent fe4b20c671
commit 84040bc356
No known key found for this signature in database
GPG key ID: 08F06191F4587860
2 changed files with 30 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
root/docker-mods
View file

@ -9,10 +9,38 @@ set_legacy_executable_bits() {
/etc/services.d/*/* 2>/dev/null || true /etc/services.d/*/* 2>/dev/null || true
} }
# Tamper check custom service locations
tamper_check() { tamper_check() {
SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
SCRIPTS_DIR="/custom-cont-init.d"
SERVICES_DIR_OLD="/config/custom-services.d" SERVICES_DIR_OLD="/config/custom-services.d"
SERVICES_DIR="/custom-services.d" SERVICES_DIR="/custom-services.d"
# Tamper check custom script locations
if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then
echo "**** Potential tampering with custom scripts detected ****"
randstr=$(
tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
echo
)
mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}"
echo "**** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
echo "**** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
mkdir -p ${SCRIPTS_DIR_OLD}
chown 0:0 ${SCRIPTS_DIR_OLD}
elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w)" ]]; then
echo "**** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then
echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then
echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
# Tamper check custom service locations
if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then
echo "**** Potential tampering with custom scripts detected ****" echo "**** Potential tampering with custom scripts detected ****"
randstr=$( randstr=$(

25
root/etc/s6-overlay/s6-rc.d/init-custom-files/run
View file

@ -7,31 +7,6 @@ SCRIPTS_DIR="/custom-cont-init.d"
SERVICES_DIR_OLD="/config/custom-services.d" SERVICES_DIR_OLD="/config/custom-services.d"
# Tamper check custom script locations
if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then
echo "**** Potential tampering with custom scripts detected ****"
randstr=$(
tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
echo
)
mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}"
echo "**** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
echo "**** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
mkdir -p ${SCRIPTS_DIR_OLD}
chown 0:0 ${SCRIPTS_DIR_OLD}
elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w)" ]]; then
echo "**** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then
echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then
echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
# chown legacy folders if they exist # chown legacy folders if they exist
if [[ -e "${SCRIPTS_DIR_OLD}" ]]; then if [[ -e "${SCRIPTS_DIR_OLD}" ]]; then
chown -R 0:0 "${SCRIPTS_DIR_OLD}" chown -R 0:0 "${SCRIPTS_DIR_OLD}"