mirror
/
docker-baseimage-ubuntu
kopia lustrzana https://github.com/linuxserver/docker-baseimage-ubuntu
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

Remove custom svc from user bundle

pull/122/head
TheSpad 2022-09-13 11:25:16 +01:00
rodzic e237d080bf
commit 200374494f
Nie znaleziono w bazie danych klucza dla tego podpisu
ID klucza GPG: 08F06191F4587860
2 zmienionych plików z 11 dodań i 9 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

18
root/docker-mods
Wyświetl plik

@ -11,18 +11,18 @@ set_legacy_executable_bits() {
tamper_check() { tamper_check() {
#Tamper check custom service locations #Tamper check custom service locations
if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* ! -user root)" ]]; then if [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* ! -user root 2>/dev/null)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' are not owned by root, which is a security risk. ****" echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' are not owned by root, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* -perm -o+w)" ]]; then elif [[ -d "${SERVICES_DIR}" ]] && [[ -n "$(find ${SERVICES_DIR}/* -perm -o+w 2>/dev/null)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' have write permissions for others, which is a security risk. ****" echo "[custom-init] **** Some of the contents of the folder '${SERVICES_DIR}' have write permissions for others, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi fi
#Tamper check custom script locations #Tamper check custom script locations
if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* ! -user root)" ]]; then if [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* ! -user root 2>/dev/null)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' are not owned by root, which is a security risk. ****" echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' are not owned by root, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* -perm -o+w)" ]]; then elif [[ -d "${SCRIPTS_DIR}" ]] && [[ -n "$(find ${SCRIPTS_DIR}/* -perm -o+w 2>/dev/null)" ]]; then
echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' have write permissions for others, which is a security risk. ****" echo "[custom-init] **** Some of the contents of the folder '${SCRIPTS_DIR}' have write permissions for others, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi fi
@ -30,7 +30,7 @@ tamper_check() {
tamper_check_legacy() { tamper_check_legacy() {
# Tamper check custom script locations # Tamper check custom script locations
if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root)" ]]; then if [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} ! -user root 2>/dev/null)" ]]; then
echo "**** Potential tampering with custom scripts detected ****" echo "**** Potential tampering with custom scripts detected ****"
randstr=$( randstr=$(
tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8 tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
@ -39,13 +39,13 @@ tamper_check_legacy() {
mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}" mv "${SCRIPTS_DIR_OLD}" "${SCRIPTS_DIR_OLD}.${randstr}"
echo "[custom-init] **** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****" echo "[custom-init] **** Folder ${SCRIPTS_DIR_OLD} is moved to ${SCRIPTS_DIR_OLD}.${randstr} ****"
echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****" echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w)" ]]; then elif [[ -d "${SCRIPTS_DIR_OLD}" ]] && [[ -n "$(find ${SCRIPTS_DIR_OLD} -perm -o+w 2>/dev/null)" ]]; then
echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****" echo "[custom-init] **** The folder '${SCRIPTS_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi fi
# Tamper check custom service locations # Tamper check custom service locations
if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root)" ]]; then if [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} ! -user root 2>/dev/null)" ]]; then
echo "[custom-init] **** Potential tampering with custom scripts detected ****" echo "[custom-init] **** Potential tampering with custom scripts detected ****"
randstr=$( randstr=$(
tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8 tr </dev/urandom -dc _A-Z-a-z-0-9 | head -c8
@ -54,7 +54,7 @@ tamper_check_legacy() {
mv "${SERVICES_DIR_OLD}" "${SERVICES_DIR_OLD}.${randstr}" mv "${SERVICES_DIR_OLD}" "${SERVICES_DIR_OLD}.${randstr}"
echo "[custom-init] **** Folder ${SERVICES_DIR_OLD} is moved to ${SERVICES_DIR_OLD}.${randstr} ****" echo "[custom-init] **** Folder ${SERVICES_DIR_OLD} is moved to ${SERVICES_DIR_OLD}.${randstr} ****"
echo "[custom-init] **** The folder '${SERVICES_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****" echo "[custom-init] **** The folder '${SERVICES_DIR_OLD}' and its contents need to all be owned by root to prevent root escalation inside the container!!! ****"
elif [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} -perm -o+w)" ]]; then elif [[ -d "${SERVICES_DIR_OLD}" ]] && [[ -n "$(find ${SERVICES_DIR_OLD} -perm -o+w 2>/dev/null)" ]]; then
echo "[custom-init] **** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****" echo "[custom-init] **** The folder '${SERVICES_DIR_OLD}' or some of its contents have write permissions for others, which is a security risk. ****"
echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****" echo "[custom-init] **** Please review the permissions of this folder and its contents to make sure they are owned by root, and can only be modified by root. ****"
fi fi
@ -66,6 +66,7 @@ process_custom_services() {
if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then
echo "[custom-init] removing existing custom services..." echo "[custom-init] removing existing custom services..."
rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
rm /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-*
fi fi
# Make sure custom service directory exists and has files in it # Make sure custom service directory exists and has files in it
@ -104,6 +105,7 @@ process_custom_services_legacy() {
if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then if [[ -n "$(/bin/ls -A /etc/s6-overlay/s6-rc.d/custom-svc-* 2>/dev/null)" ]]; then
echo "[custom-init] removing existing custom services..." echo "[custom-init] removing existing custom services..."
rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-* rm -rf /etc/s6-overlay/s6-rc.d/custom-svc-*
rm /etc/s6-overlay/s6-rc.d/user/contents.d/custom-svc-*
fi fi
# Make sure custom service directory exists and has files in it # Make sure custom service directory exists and has files in it

2
root/etc/cont-init.d/99-custom-files
Wyświetl plik

@ -57,7 +57,7 @@ fi
if [[ -n "$(/bin/ls -A "${SCRIPTS_DIR_OLD}" 2>/dev/null)" ]] || if [[ -n "$(/bin/ls -A "${SCRIPTS_DIR_OLD}" 2>/dev/null)" ]] ||
[[ -n "$(/bin/ls -A "${SERVICES_DIR_OLD}" 2>/dev/null)" ]]; then [[ -n "$(/bin/ls -A "${SERVICES_DIR_OLD}" 2>/dev/null)" ]]; then
cat << EOF | tee {${SCRIPTS_DIR_OLD}/README.txt,${SERVICES_DIR_OLD}/README.txt} 2>/dev/null cat << EOF | tee ${SCRIPTS_DIR_OLD}/README.txt 2>/dev/null
******************************************************** ********************************************************
******************************************************** ********************************************************
* * * *