From e0fd8cb9645db7cf27990ab9b12d13d613219a94 Mon Sep 17 00:00:00 2001
From: TheSpad <git@spad.co.uk>
Date: Sun, 28 Aug 2022 16:07:23 +0100
Subject: [PATCH] Expand tamper check and enable custom files warning

---
 root/docker-mods                              | 28 +++++++++++++------
 .../s6-overlay/s6-rc.d/init-custom-files/run  | 10 ++++++-
 .../s6-overlay/s6-rc.d/init-script-check/run  |  4 ---
 3 files changed, 28 insertions(+), 14 deletions(-)

diff --git a/root/docker-mods b/root/docker-mods
index 9217c73..17aa908 100755
--- a/root/docker-mods
+++ b/root/docker-mods
@@ -9,21 +9,31 @@ set_legacy_executable_bits() {
         /etc/services.d/*/* 2>/dev/null || true
 }
 
-# Tamper check legacy custom service locations
+# Tamper check custom service locations
 tamper_check() {
-    if [[ -d "/config/custom-services.d" ]] && [[ -n "$(find /config/custom-services.d ! -user root)" ]]; then
+    SERVICES_DIR_OLD="/config/custom-services.d"
+    SERVICES_DIR="/custom-services.d"  
+    if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then
         echo "**** Potential tampering with custom scripts detected ****"
         randstr=$(
             tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
             echo
         )
-        mv "/config/custom-services.d" "/config/custom-services.d.${randstr}"
-        echo "**** Folder /config/custom-services.d is moved to /config/custom-services.d.${randstr} ****"
-        echo "**** The folder '/config/custom-services.d' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
-        mkdir -p /config/custom-services.d
-        chown 0:0 /config/custom-services.d
-    elif [[ -d "/config/custom-services.d" ]] && [[ -n "$(find /config/custom-services.d -perm -o+w)" ]]; then
-        echo "**** The folder '/config/custom-services.d' or some of its contents have write permissions for others, which is a security risk. ****"
+        mv "${SERVICES_DIR_OLD}" "${SERVICES_DIR_OLD}.${randstr}"
+        echo "**** Folder ${SERVICES_DIR_OLD} is moved to ${SERVICES_DIR_OLD}.${randstr} ****"
+        echo "**** The folder '${SERVICES_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
+        mkdir -p ${SERVICES_DIR_OLD}
+        chown 0:0 ${SERVICES_DIR_OLD}
+    elif [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} -perm -o+w)" ]]; then
+        echo "**** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
+        echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+    fi
+
+    if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR} ! -user root)" ]]; then
+        echo "**** The folder '${SERVICES_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
+        echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+    elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR} -perm -o+w)" ]]; then
+        echo "**** The folder '${SERVICES_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
         echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
     fi
 }
diff --git a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
index fb249c6..54ceb9a 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-custom-files/run
@@ -7,7 +7,7 @@ SCRIPTS_DIR="/custom-cont-init.d"
 
 SERVICES_DIR_OLD="/config/custom-services.d"
 
-# Tamper check legacy custom script locations
+# Tamper check custom script locations
 if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then
     echo "**** Potential tampering with custom scripts detected ****"
     randstr=$(
@@ -24,6 +24,14 @@ elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+
     echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
 fi
 
+if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} ! -user root)" ]]; then
+    echo "**** The folder '${SCRIPTS_DIR}' or some of its contents are not owned by root, which is a security risk. ****"
+    echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR} -perm -o+w)" ]]; then
+    echo "**** The folder '${SCRIPTS_DIR}' or some of its contents have write permissions for others, which is a security risk. ****"
+    echo "**** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
+fi
+
 # chown legacy folders if they exist
 if [[ -e "${SCRIPTS_DIR_OLD}" ]]; then
     chown -R 0:0 "${SCRIPTS_DIR_OLD}"
diff --git a/root/etc/s6-overlay/s6-rc.d/init-script-check/run b/root/etc/s6-overlay/s6-rc.d/init-script-check/run
index 35d4c7a..09120e8 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-script-check/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-script-check/run
@@ -1,10 +1,6 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
 
-# This doesn't do anything yet
-
-exit 0
-
 if [[ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]] &&
     [[ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]]; then
     cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null