meatbag/baseimage-alpine
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Expand tamper check and enable custom files warning

Browse source
This commit is contained in:
TheSpad 2022-08-28 16:07:23 +01:00
parent 4f4d988211
commit e0fd8cb964
No known key found for this signature in database
GPG key ID: 08F06191F4587860
3 changed files with 28 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
root/docker-mods
View file

@ -9,21 +9,31 @@ set_legacy_executable_bits() {
/etc/services.d/*/* 2>/dev/null || true
}
# Tamper check legacy custom service locations
# Tamper check custom service locations
tamper_check() {
if [[ -d "/config/custom-services.d" ]] && [[ -n "$(find /config/custom-services.d ! -user root)" ]]; then
SERVICES_DIR_OLD="/config/custom-services.d"
SERVICES_DIR="/custom-services.d"
if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then
echo "**** Potential tampering with custom scripts detected ****"
randstr=$(
tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
echo
)
mv "/config/custom-services.d" "/config/custom-services.d.${randstr}"
echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****"
echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
mkdir -p /config/custom-services.d
chown 0:0 /config/custom-services.d
elif [[ -d "/config/custom-services.d" ]] && [[ -n "$(find /config/custom-services.d -perm -o+w)" ]]; then
echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****"
mv "${SERVICES_DIR_OLD}" "${SERVICES_DIR_OLD}.${randstr}"
echo "**** Folder ${SERVICES_DIR_OLD} is moved to ${SERVICES_DIR_OLD}.${randstr} ****"
echo "**** The folder '${SERVICES_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
mkdir -p ${SERVICES_DIR_OLD}
chown 0:0 ${SERVICES_DIR_OLD}
elif [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} -perm -o+w)" ]]; then
echo "**** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR} ! -user root)" ]]; then
echo "**** The folder '${SERVICES_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR} -perm -o+w)" ]]; then
echo "**** The folder '${SERVICES_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
}

10
root/etc/s6-overlay/s6-rc.d/init-custom-files/run
View file

@ -7,7 +7,7 @@ SCRIPTS_DIR="/custom-cont-init.d"
SERVICES_DIR_OLD="/config/custom-services.d"
# Tamper check legacy custom script locations
# Tamper check custom script locations
if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then
echo "**** Potential tampering with custom scripts detected ****"
randstr=$(
@ -24,6 +24,14 @@ elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then
echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then
echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi
# chown legacy folders if they exist
if [[ -e "${SCRIPTS_DIR_OLD}" ]]; then
chown -R 0:0 "${SCRIPTS_DIR_OLD}"

4
root/etc/s6-overlay/s6-rc.d/init-script-check/run
View file

@ -1,10 +1,6 @@
#!/usr/bin/with-contenv bash
# shellcheck shell=bash
# This doesn't do anything yet
exit 0
if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] &&
[[ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]]; then
cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null