From d7ac0a9a4ea65bc2114b7e3da5f277e8049ccee7 Mon Sep 17 00:00:00 2001 From: TheSpad Date: Fri, 10 Jun 2022 23:38:29 +0100 Subject: [PATCH] Reorder so custom services aren't dependent on mods --- root/docker-mods | 345 ++++++++++++++++++++++++----------------------- 1 file changed, 179 insertions(+), 166 deletions(-) diff --git a/root/docker-mods b/root/docker-mods index 6249e74..881fb36 100755 --- a/root/docker-mods +++ b/root/docker-mods @@ -1,37 +1,108 @@ #!/usr/bin/with-contenv bash +#shellcheck disable=SC2120 + # Set executable bit on cont-init and services built into the image -set_legacy_executable_bits() { +set_legacy_executable_bits () { mkdir -p /etc/{cont-init.d,services.d} chmod +x \ /etc/cont-init.d/* \ /etc/services.d/*/* 2> /dev/null || true } -set_legacy_executable_bits -# Exit if mods is not set -if [ -z ${DOCKER_MODS+x} ]; then - exit 0 -fi +# Tamper check legacy custom service locations +tamper_check () { + if ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then + echo "**** Potential tampering with custom scripts detected ****" + randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;) + mv "/config/custom-services.d" "/config/custom-services.d.${randstr}" + echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****" + echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****" + mkdir -p /config/custom-services.d + chown 0:0 /config/custom-services.d + elif ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then + echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****" + echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" + fi +} + +# Process Custom Services +process_custom_services() { + SERVICES_DIR_OLD="/config/custom-services.d" + SERVICES_DIR="/custom-services.d" + + # Remove all existing custom services before continuing to ensure + # we aren't running anything the user may have removed + if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then + echo "[custom-init] removing existing custom services..." + rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* + fi + + if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \ + { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then + echo "[custom-init] no custom files found, exiting..." + return + fi + + # Make sure custom init directory exists and has files in it + if { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then + if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then + echo "[custom-init] service files found in ${SERVICES_DIR}" + for SERVICE in ${SERVICES_DIR}/*; do + NAME="$(basename "${SERVICE}")" + if [ -f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: service detected, copying..." + mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ + cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type + echo "[custom-init] ${NAME}: copied" + elif [ ! -f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: is not a file" + fi + done + fi + fi + + if { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then + if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then + echo "[custom-init] service files found in ${SERVICES_DIR_OLD}" + for SERVICE in ${SERVICES_DIR_OLD}/*; do + NAME="$(basename "${SERVICE}")" + if [ -f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: service detected, copying..." + mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ + cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run + echo "oneshot" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type + echo "/etc/s6-overlay/s6-rc.d/custom-svc-${NAME}/run" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/up + echo "[custom-init] ${NAME}: copied" + elif [ ! -f "${SERVICE}" ]; then + echo "[custom-init] ${NAME}: is not a file" + fi + done + fi + fi +} # Check for curl -if [ ! -f /usr/bin/curl ] || [ ! -f /usr/bin/jq ]; then - echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing" - if [ -f /usr/bin/apt ]; then - ## Ubuntu - apt-get update - apt-get install --no-install-recommends -y \ - curl \ - jq - elif [ -f /sbin/apk ]; then - # Alpine - apk add --no-cache \ - curl \ - jq +curl_check () { + if [ ! -f /usr/bin/curl ] || [ ! -f /usr/bin/jq ]; then + echo "[mod-init] Curl/JQ was not found on this system for Docker mods installing" + if [ -f /usr/bin/apt ]; then + ## Ubuntu + apt-get update + apt-get install --no-install-recommends -y \ + curl \ + jq + elif [ -f /sbin/apk ]; then + # Alpine + apk add --no-cache \ + curl \ + jq + fi fi -fi - -## Functions +} # Use different filtering depending on URL get_blob_sha () { @@ -53,152 +124,94 @@ get_blob_sha () { } # Main run logic -echo "[mod-init] Attempting to run Docker Modification Logic" -IFS='|' -DOCKER_MODS=(${DOCKER_MODS}) -for DOCKER_MOD in "${DOCKER_MODS[@]}"; do - # Support alternative endpoints - if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then - DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}" - ENDPOINT="${DOCKER_MOD%%:*}" - USERNAME="${DOCKER_MOD%%/*}" - REPO="${ENDPOINT#*/}" - TAG="${DOCKER_MOD#*:}" - if [[ ${TAG} == "${DOCKER_MOD}" ]]; then - TAG="latest" - fi - FILENAME="${USERNAME}.${REPO}.${TAG}" - AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull" - MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}" - BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/" - MODE="ghcr" - else - ENDPOINT="${DOCKER_MOD%%:*}" - USERNAME="${DOCKER_MOD%%/*}" - REPO="${ENDPOINT#*/}" - TAG="${DOCKER_MOD#*:}" - if [[ ${TAG} == "${DOCKER_MOD}" ]]; then - TAG="latest" - fi - FILENAME="${USERNAME}.${REPO}.${TAG}" - AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull" - MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}" - BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/" - MODE="dockerhub" - fi - # Kill off modification logic if any of the usernames are banned - BLACKLIST=$(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt) - IFS=$'\n' - BLACKLIST=(${BLACKLIST}) - for BANNED in "${BLACKLIST[@]}"; do - if [ "${BANNED}" == "${USERNAME,,}" ]; then - if [ -z ${RUN_BANNED_MODS+x} ]; then - echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic" - exit 0 - else - echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied" +run_mods () { + echo "[mod-init] Attempting to run Docker Modification Logic" + IFS='|' + DOCKER_MODS=(${DOCKER_MODS}) + for DOCKER_MOD in "${DOCKER_MODS[@]}"; do + # Support alternative endpoints + if [[ ${DOCKER_MOD} == ghcr.io/* ]] || [[ ${DOCKER_MOD} == linuxserver/* ]]; then + DOCKER_MOD="${DOCKER_MOD#ghcr.io/*}" + ENDPOINT="${DOCKER_MOD%%:*}" + USERNAME="${DOCKER_MOD%%/*}" + REPO="${ENDPOINT#*/}" + TAG="${DOCKER_MOD#*:}" + if [[ ${TAG} == "${DOCKER_MOD}" ]]; then + TAG="latest" fi + FILENAME="${USERNAME}.${REPO}.${TAG}" + AUTH_URL="https://ghcr.io/token?scope=repository%3A${USERNAME}%2F${REPO}%3Apull" + MANIFEST_URL="https://ghcr.io/v2/${ENDPOINT}/manifests/${TAG}" + BLOB_URL="https://ghcr.io/v2/${ENDPOINT}/blobs/" + MODE="ghcr" + else + ENDPOINT="${DOCKER_MOD%%:*}" + USERNAME="${DOCKER_MOD%%/*}" + REPO="${ENDPOINT#*/}" + TAG="${DOCKER_MOD#*:}" + if [[ ${TAG} == "${DOCKER_MOD}" ]]; then + TAG="latest" + fi + FILENAME="${USERNAME}.${REPO}.${TAG}" + AUTH_URL="https://auth.docker.io/token?service=registry.docker.io&scope=repository:${ENDPOINT}:pull" + MANIFEST_URL="https://registry-1.docker.io/v2/${ENDPOINT}/manifests/${TAG}" + BLOB_URL="https://registry-1.docker.io/v2/${ENDPOINT}/blobs/" + MODE="dockerhub" + fi + # Kill off modification logic if any of the usernames are banned + BLACKLIST=$(curl -s https://raw.githubusercontent.com/linuxserver/docker-mods/master/blacklist.txt) + IFS=$'\n' + BLACKLIST=(${BLACKLIST}) + for BANNED in "${BLACKLIST[@]}"; do + if [ "${BANNED}" == "${USERNAME,,}" ]; then + if [ -z ${RUN_BANNED_MODS+x} ]; then + echo "[mod-init] ${DOCKER_MOD} is banned from use due to reported abuse aborting mod logic" + return + else + echo "[mod-init] You have chosen to run banned mods ${DOCKER_MOD} will be applied" + fi + fi + done + echo "[mod-init] Applying ${DOCKER_MOD} files to container" + # Get Dockerhub token for api operations + TOKEN="$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ + --silent \ + --header 'GET' \ + "${AUTH_URL}" \ + | jq -r '.token' \ + )" + # Determine first and only layer of image + SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}") + # Check if we have allready applied this layer + if [ -f "/${FILENAME}" ] && [ "${SHALAYER}" == "$(cat /${FILENAME})" ]; then + echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping" + else + # Download and extract layer to / + curl -f --retry 10 --retry-max-time 60 --retry-all-errors \ + --silent \ + --location \ + --request GET \ + --header "Authorization: Bearer ${TOKEN}" \ + "${BLOB_URL}${SHALAYER}" -o \ + /modtarball.tar.xz + tar xzf /modtarball.tar.xz -C / + rm -rf /modtarball.tar.xz + echo ${SHALAYER} > "/${FILENAME}" fi done - echo "[mod-init] Applying ${DOCKER_MOD} files to container" - # Get Dockerhub token for api operations - TOKEN=\ -"$(curl -f --retry 10 --retry-max-time 60 --retry-connrefused \ - --silent \ - --header 'GET' \ - "${AUTH_URL}" \ - | jq -r '.token' \ - )" - # Determine first and only layer of image - SHALAYER=$(get_blob_sha "${MODE}" "${TOKEN}" "${MANIFEST_URL}") - # Check if we have allready applied this layer - if [ -f "/${FILENAME}" ] && [ "${SHALAYER}" == "$(cat /${FILENAME})" ]; then - echo "[mod-init] ${DOCKER_MOD} at ${SHALAYER} has been previously applied skipping" - else - # Download and extract layer to / - curl -f --retry 10 --retry-max-time 60 --retry-all-errors \ - --silent \ - --location \ - --request GET \ - --header "Authorization: Bearer ${TOKEN}" \ - "${BLOB_URL}${SHALAYER}" -o \ - /modtarball.tar.xz - tar xzf /modtarball.tar.xz -C / - rm -rf /modtarball.tar.xz - echo ${SHALAYER} > "/${FILENAME}" - fi -done +} -# Set executable bit on cont-init and services that may have been unpacked by mods +# Tamper check legacy services +tamper_check + +# Process any custom services +process_custom_services + +# Run mod logic +if [ -n "${DOCKER_MODS+x}" ]; then + curl_check + run_mods +fi + +# Set executable bit on legacy cont-init and services built into the image and anything legacy unpacked by mods set_legacy_executable_bits - -# Process Custom Services -SERVICES_DIR_OLD="/config/custom-services.d" -SERVICES_DIR="/custom-services.d" - -# Remove all existing custom services before continuing to ensure -# we aren't running anything the user may have removed -if [ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]; then - echo "[custom-init] removing existing custom services..." - rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* -fi - -# Tamper check services -if ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then - echo "**** Potential tampering with custom scripts detected ****" - randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;) - mv "/config/custom-services.d" "/config/custom-services.d.${randstr}" - echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****" - echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****" - mkdir -p /config/custom-services.d - chown 0:0 /config/custom-services.d -elif ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then - echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****" - echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" -fi - -if { [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \ - { [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then - echo "[custom-init] no custom files found, exiting..." - exit 0 -fi - -# Make sure custom init directory exists and has files in it -if { [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then - if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then - echo "[custom-init] service files found in ${SERVICES_DIR}" - for SERVICE in ${SERVICES_DIR}/*; do - NAME="$(basename "${SERVICE}")" - if [ -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: service detected, copying..." - mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ - cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - echo "longrun" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type - echo "[custom-init] ${NAME}: copied" - elif [ ! -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: is not a file" - fi - done - fi -fi - -if { [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then - if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then - echo "[custom-init] service files found in ${SERVICES_DIR_OLD}" - for SERVICE in ${SERVICES_DIR_OLD}/*; do - NAME="$(basename "${SERVICE}")" - if [ -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: service detected, copying..." - mkdir -p /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/ - cp "${SERVICE}" /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - chmod +x /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/run - echo "oneshot" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/type - echo "/etc/s6-overlay/s6-rc.d/custom-svc-${NAME}/run" > /etc/s6-overlay/s6-rc.d/custom-svc-"${NAME}"/up - echo "[custom-init] ${NAME}: copied" - elif [ ! -f "${SERVICE}" ]; then - echo "[custom-init] ${NAME}: is not a file" - fi - done - fi -fi