meatbag/baseimage-alpine
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Initial s6-rc commit

Browse source
This commit is contained in:
TheSpad 2022-06-08 15:31:58 +01:00
parent 45b3854870
commit f6f2804792
No known key found for this signature in database
GPG key ID: 08F06191F4587860
38 changed files with 121 additions and 73 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
root/etc/cont-init.d/02-tamper-check
View file

@ -1,18 +0,0 @@
#!/usr/bin/with-contenv bash
if ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d ! -user root)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d ! -user root)" ]); then
echo "**** Potential tampering with custom scripts/services detected ****"
randstr=$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-8};echo;)
for folder in "/config/custom-cont-init.d" "/config/custom-services.d"; do
if [ -d "${folder}" ]; then
mv "${folder}" "${folder}.${randstr}"
echo "**** Folder ${folder} is moved to ${folder}.${randstr} ****"
fi
done
echo "**** The folders '/config/custom-cont-init.d' and '/config/custom-services.d'; and their contents need to all be owned by root to prevent root escalation inside the container!!! ****"
mkdir -p /config/custom-cont-init.d /config/custom-services.d
chown 0:0 /config/custom-cont-init.d /config/custom-services.d
elif ([ -d "/config/custom-cont-init.d" ] && [ -n "$(find /config/custom-cont-init.d -perm -o+w)" ]) || ([ -d "/config/custom-services.d" ] && [ -n "$(find /config/custom-services.d -perm -o+w)" ]); then
echo "**** The folders '/config/custom-cont-init.d' or '/config/custom-services.d'; or some of their contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions of these two folders and their contents to make sure they are owned by root, and can only be modified by root. ****"
fi

5
root/etc/cont-init.d/90-custom-folders
View file

@ -1,5 +0,0 @@
#!/usr/bin/with-contenv bash
# create custom folders and secure permissions
mkdir -p /config/{custom-cont-init.d,custom-services.d}
chown -R 0:0 /config/{custom-cont-init.d,custom-services.d}

49
root/etc/cont-init.d/99-custom-files
View file

@ -1,49 +0,0 @@
#!/usr/bin/with-contenv bash
# Directories
SCRIPTS_DIR="/config/custom-cont-init.d"
SERVICES_DIR="/config/custom-services.d"
# Remove all existing custom services before continuing to ensure
# we aren't running anything the user may have removed
if [ -n "$(/bin/ls -A /etc/services.d/custom-service-* 2>/dev/null)" ]; then
echo "[custom-init] removing existing custom services..."
rm -rf /etc/services.d/custom-service-*
fi
# Make sure custom init directory exists and has files in it
if ([ -e "${SCRIPTS_DIR}" ] && \
[ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]) || \
([ -e "${SERVICES_DIR}" ] && \
[ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]); then
if [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; then
echo "[custom-init] files found in ${SCRIPTS_DIR} executing"
for SCRIPT in ${SCRIPTS_DIR}/*; do
NAME="$(basename "${SCRIPT}")"
if [ -f "${SCRIPT}" ]; then
echo "[custom-init] ${NAME}: executing..."
/bin/bash ${SCRIPT}
echo "[custom-init] ${NAME}: exited $?"
elif [ ! -f "${SCRIPT}" ]; then
echo "[custom-init] ${NAME}: is not a file"
fi
done
fi
if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then
echo "[custom-init] service files found in ${SERVICES_DIR}"
for SERVICE in ${SERVICES_DIR}/*; do
NAME="$(basename "${SERVICE}")"
if [ -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: service detected, copying..."
mkdir -p /etc/services.d/custom-service-${NAME}/
cp ${SERVICE} /etc/services.d/custom-service-${NAME}/run
chmod +x /etc/services.d/custom-service-${NAME}/run
echo "[custom-init] ${NAME}: copied"
elif [ ! -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: is not a file"
fi
done
fi
else
echo "[custom-init] no custom files found exiting..."
fi

0
root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-migrations Normal file
View file

0
root/etc/s6-overlay/s6-rc.d/init-adduser/dependencies.d/init-script-check Normal file
View file

0
root/etc/cont-init.d/10-adduser → root/etc/s6-overlay/s6-rc.d/init-adduser/run
View file

1
root/etc/s6-overlay/s6-rc.d/init-adduser/type Normal file
View file

@ -0,0 +1 @@
oneshot

1
root/etc/s6-overlay/s6-rc.d/init-adduser/up Normal file
View file

@ -0,0 +1 @@
/etc/s6-overlay/s6-rc.d/init-adduser/run

0
root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-adduser Normal file
View file

0
root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-envfile Normal file
View file

0
root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-migrations Normal file
View file

0
root/etc/s6-overlay/s6-rc.d/init-base/dependencies.d/init-script-check Normal file
View file

1
root/etc/s6-overlay/s6-rc.d/init-base/type Normal file
View file

@ -0,0 +1 @@
oneshot

1
root/etc/s6-overlay/s6-rc.d/init-base/up Normal file
View file

@ -0,0 +1 @@
# This file doesn't do anything, it's just the end of the base image init process

0
root/etc/s6-overlay/s6-rc.d/init-custom-files/dependencies.d/init-downstream Normal file
View file

87
root/etc/s6-overlay/s6-rc.d/init-custom-files/run Executable file
View file

@ -0,0 +1,87 @@
#!/usr/bin/with-contenv bash
# Directories
SCRIPTS_DIR_OLD="/config/custom-cont-init.d"
SERVICES_DIR_OLD="/config/custom-services.d"
SCRIPTS_DIR="/custom-cont-init.d"
SERVICES_DIR="/custom-services.d"
# Remove all existing custom services before continuing to ensure
# we aren't running anything the user may have removed
if [ -n "$(/bin/ls -A /etc/services.d/custom-service-* 2>/dev/null)" ]; then
echo "[custom-init] removing existing custom services..."
rm -rf /etc/services.d/custom-service-*
fi
if { [ -z "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; } && \
{ [ -z "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; } && \
{ [ -z "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; } && \
{ [ -z "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
echo "[custom-init] no custom files found, exiting..."
exit 0
fi
# Make sure custom init directory exists and has files in it
if { [ -e "${SCRIPTS_DIR}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; } || \
{ [ -e "${SERVICES_DIR}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; }; then
if [ -n "$(/bin/ls -A ${SCRIPTS_DIR} 2>/dev/null)" ]; then
echo "[custom-init] files found, executing"
for SCRIPT in ${SCRIPTS_DIR}/*; do
NAME="$(basename "${SCRIPT}")"
if [ -f "${SCRIPT}" ]; then
echo "[custom-init] ${NAME}: executing..."
/bin/bash "${SCRIPT}"
echo "[custom-init] ${NAME}: exited $?"
elif [ ! -f "${SCRIPT}" ]; then
echo "[custom-init] ${NAME}: is not a file"
fi
done
fi
if [ -n "$(/bin/ls -A ${SERVICES_DIR} 2>/dev/null)" ]; then
echo "[custom-init] service files found in ${SERVICES_DIR}"
for SERVICE in ${SERVICES_DIR}/*; do
NAME="$(basename "${SERVICE}")"
if [ -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: service detected, copying..."
mkdir -p /etc/services.d/custom-service-"${NAME}"/
cp "${SERVICE}" /etc/services.d/custom-service-"${NAME}"/run
chmod +x /etc/services.d/custom-service-"${NAME}"/run
echo "[custom-init] ${NAME}: copied"
elif [ ! -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: is not a file"
fi
done
fi
fi
if { [ -e "${SCRIPTS_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; } || \
{ [ -e "${SERVICES_DIR_OLD}" ] && [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; }; then
if [ -n "$(/bin/ls -A ${SCRIPTS_DIR_OLD} 2>/dev/null)" ]; then
echo "[custom-init] files found, executing"
for SCRIPT in ${SCRIPTS_DIR_OLD}/*; do
NAME="$(basename "${SCRIPT}")"
if [ -f "${SCRIPT}" ]; then
echo "[custom-init] ${NAME}: executing..."
/bin/bash "${SCRIPT}"
echo "[custom-init] ${NAME}: exited $?"
elif [ ! -f "${SCRIPT}" ]; then
echo "[custom-init] ${NAME}: is not a file"
fi
done
fi
if [ -n "$(/bin/ls -A ${SERVICES_DIR_OLD} 2>/dev/null)" ]; then
echo "[custom-init] service files found in ${SERVICES_DIR_OLD}"
for SERVICE in ${SERVICES_DIR_OLD}/*; do
NAME="$(basename "${SERVICE}")"
if [ -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: service detected, copying..."
mkdir -p /etc/services.d/custom-service-"${NAME}"/
cp "${SERVICE}" /etc/services.d/custom-service-"${NAME}"/run
chmod +x /etc/services.d/custom-service-"${NAME}"/run
echo "[custom-init] ${NAME}: copied"
elif [ ! -f "${SERVICE}" ]; then
echo "[custom-init] ${NAME}: is not a file"
fi
done
fi
fi

1
root/etc/s6-overlay/s6-rc.d/init-custom-files/type Normal file
View file

@ -0,0 +1 @@
oneshot

1
root/etc/s6-overlay/s6-rc.d/init-custom-files/up Normal file
View file

@ -0,0 +1 @@
/etc/s6-overlay/s6-rc.d/init-custom-files/run

0
root/etc/s6-overlay/s6-rc.d/init-downstream/dependencies.d/init-base Normal file
View file

1
root/etc/s6-overlay/s6-rc.d/init-downstream/type Normal file
View file

@ -0,0 +1 @@
oneshot

1
root/etc/s6-overlay/s6-rc.d/init-downstream/up Normal file
View file

@ -0,0 +1 @@
# This file doesn't do anything, it's just the end of the downstream image init process

0
root/etc/s6-overlay/s6-rc.d/init-envfile/dependencies.d/00-legacy Normal file
View file

0
root/etc/cont-init.d/01-envfile → root/etc/s6-overlay/s6-rc.d/init-envfile/run
View file

1
root/etc/s6-overlay/s6-rc.d/init-envfile/type Normal file
View file

@ -0,0 +1 @@
oneshot

1
root/etc/s6-overlay/s6-rc.d/init-envfile/up Normal file
View file

@ -0,0 +1 @@
/etc/s6-overlay/s6-rc.d/init-envfile/run

0
root/etc/s6-overlay/s6-rc.d/init-migrations/dependencies.d/00-legacy Normal file
View file

2
root/etc/cont-init.d/01-migrations → root/etc/s6-overlay/s6-rc.d/init-migrations/run
View file

@ -7,7 +7,7 @@ echo "[migrations] started"
if [ ! -d $MIGRATIONS_DIR ]; then if [ ! -d $MIGRATIONS_DIR ]; then
echo "[migrations] no migrations found" echo "[migrations] no migrations found"
exit exit 0
fi fi
for MIGRATION in $(ls -1 ${MIGRATIONS_DIR}/* | sort -n); do for MIGRATION in $(ls -1 ${MIGRATIONS_DIR}/* | sort -n); do

1
root/etc/s6-overlay/s6-rc.d/init-migrations/type Normal file
View file

@ -0,0 +1 @@
oneshot

1
root/etc/s6-overlay/s6-rc.d/init-migrations/up Normal file
View file

@ -0,0 +1 @@
/etc/s6-overlay/s6-rc.d/init-migrations/run

0
root/etc/s6-overlay/s6-rc.d/init-script-check/dependencies.d/00-legacy Normal file
View file

19
root/etc/s6-overlay/s6-rc.d/init-script-check/run Executable file
View file

@ -0,0 +1,19 @@
#!/usr/bin/with-contenv bash
if { [ -n "$(/bin/ls -A "/config/custom-cont-init.d" 2>/dev/null)" ]; } && \
{ [ -n "$(/bin/ls -A "/config/custom-services.d" 2>/dev/null)" ]; }; then
cat <<-EOF | tee /config/custom-cont-init.d/README.txt,/config/custom-services.d/README.txt 2>/dev/null
********************************************************
********************************************************
* *
* !!!! *
* Custom scripts or services found in legacy locations *
* !!!! *
* Please move your custom scripts and services *
* to /custom-cont-init.d and /custom-services.d *
* respectively to ensure they continue working. *
* *
********************************************************
********************************************************
EOF
fi

1
root/etc/s6-overlay/s6-rc.d/init-script-check/type Normal file
View file

@ -0,0 +1 @@
oneshot

1
root/etc/s6-overlay/s6-rc.d/init-script-check/up Normal file
View file

@ -0,0 +1 @@
/etc/s6-overlay/s6-rc.d/init-script-check/run

0
root/etc/s6-overlay/s6-rc.d/user/contents.d/init-adduser Normal file
View file

0
root/etc/s6-overlay/s6-rc.d/user/contents.d/init-base Normal file
View file

0
root/etc/s6-overlay/s6-rc.d/user/contents.d/init-envfile Normal file
View file

0
root/etc/s6-overlay/s6-rc.d/user/contents.d/init-migrations Normal file
View file

0
root/etc/s6-overlay/s6-rc.d/user/contents.d/init-script-check Normal file
View file