harden(desudo): convert permission/touch helpers + network-mode processor
app_folder.sh, libreportal_folders.sh, create_touch.sh: chmod/find/chown/touch on /docker dirs -> runFileOp (dropped nested -exec sudo chmod). tags_processor_network_mode.sh: awk/tee/mv/cmp/rm/sqlite3 on compose+DB -> runFileOp/runFileWrite; gluetun docker ps + compose up -> dockerCommandRun. Deferred (read install-dir templates, need category-3 handling): copy_file.sh, copy_files.sh, config_scan_variables.sh. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
parent
fe01a1947b
commit
ccbb2e1c47
@ -19,7 +19,7 @@ tagsProcessorNetworkMode()
|
||||
fi
|
||||
|
||||
local tmp="${file}.netmode.$$"
|
||||
sudo awk '
|
||||
runFileOp awk '
|
||||
BEGIN { in_off=0; in_on=0 }
|
||||
/# *GLUETUN_OFF_BEGIN/ { in_off=1; print; next }
|
||||
/# *GLUETUN_OFF_END/ { in_off=0; print; next }
|
||||
@ -44,9 +44,9 @@ tagsProcessorNetworkMode()
|
||||
}
|
||||
print
|
||||
}
|
||||
' "$file" | sudo tee "$tmp" >/dev/null
|
||||
' "$file" | runFileWrite "$tmp"
|
||||
|
||||
sudo mv "$tmp" "$file"
|
||||
runFileOp mv "$tmp" "$file"
|
||||
|
||||
tagsManagerUpdateUniversalTag "$file" "TRAEFIK_ENABLE_TAG" "false"
|
||||
}
|
||||
@ -62,7 +62,7 @@ tagsProcessorGluetunForwardedPorts()
|
||||
if [[ ! -f "$docker_dir/$db_file" ]]; then return 0; fi
|
||||
|
||||
local installed_apps
|
||||
installed_apps=$(sudo sqlite3 "$docker_dir/$db_file" \
|
||||
installed_apps=$(runFileOp sqlite3 "$docker_dir/$db_file" \
|
||||
"SELECT name FROM apps WHERE status = 1 ORDER BY name;" 2>/dev/null)
|
||||
|
||||
local routed_lines=""
|
||||
@ -75,7 +75,7 @@ tagsProcessorGluetunForwardedPorts()
|
||||
[[ "$net" != "gluetun" ]] && continue
|
||||
|
||||
local ports
|
||||
ports=$(sudo sqlite3 "$docker_dir/$db_file" \
|
||||
ports=$(runFileOp sqlite3 "$docker_dir/$db_file" \
|
||||
"SELECT resource_value FROM network_resources WHERE app_name = '$app' AND resource_type = 'port' AND status = 'active';" 2>/dev/null)
|
||||
while IFS= read -r p; do
|
||||
[[ -z "$p" ]] && continue
|
||||
@ -90,7 +90,7 @@ tagsProcessorGluetunForwardedPorts()
|
||||
done <<< "$installed_apps"
|
||||
|
||||
local tmp="${gluetun_compose}.fwd.$$"
|
||||
sudo awk -v block="$routed_lines" '
|
||||
runFileOp awk -v block="$routed_lines" '
|
||||
BEGIN { in_region=0 }
|
||||
/# *GLUETUN_FORWARDED_PORTS_BEGIN/ {
|
||||
print
|
||||
@ -100,13 +100,13 @@ tagsProcessorGluetunForwardedPorts()
|
||||
}
|
||||
/# *GLUETUN_FORWARDED_PORTS_END/ { in_region=0; print; next }
|
||||
{ if (!in_region) print }
|
||||
' "$gluetun_compose" | sudo tee "$tmp" >/dev/null
|
||||
' "$gluetun_compose" | runFileWrite "$tmp"
|
||||
|
||||
if ! sudo cmp -s "$tmp" "$gluetun_compose"; then
|
||||
sudo mv "$tmp" "$gluetun_compose"
|
||||
if sudo docker ps --format '{{.Names}}' 2>/dev/null | grep -q '^gluetun-service$'; then
|
||||
if ! runFileOp cmp -s "$tmp" "$gluetun_compose"; then
|
||||
runFileOp mv "$tmp" "$gluetun_compose"
|
||||
if dockerCommandRun "docker ps --format '{{.Names}}'" "sudo" 2>/dev/null | grep -q '^gluetun-service$'; then
|
||||
isNotice "Gluetun forwarded ports changed; recreating gluetun-service to apply."
|
||||
(cd "${containers_dir}gluetun" && sudo docker compose up -d --force-recreate gluetun-service >/dev/null 2>&1) || true
|
||||
(cd "${containers_dir}gluetun" && dockerCommandRun "docker compose up -d --force-recreate gluetun-service" "sudo" >/dev/null 2>&1) || true
|
||||
# Recreating gluetun gives it a new container ID, which orphans
|
||||
# every `network_mode: container:gluetun-service` reference. Re-
|
||||
# attach all routed apps so they share the new netns instead of
|
||||
@ -114,6 +114,6 @@ tagsProcessorGluetunForwardedPorts()
|
||||
appGluetunRecreateRouted
|
||||
fi
|
||||
else
|
||||
sudo rm -f "$tmp"
|
||||
runFileOp rm -f "$tmp"
|
||||
fi
|
||||
}
|
||||
|
||||
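Review bot: The rewrite pipeline `' "$file" | runFileWrite "$tmp"` followed by `runFileOp mv "$tmp" "$file"` in tagsProcessorNetworkMode never checks that awk or the write wrapper succeeded, so a failed or empty rewrite still replaces the compose file; tagsProcessorGluetunForwardedPorts has the same shape, and there an empty `$tmp` also differs from the original under cmp, which would install it and recreate gluetun-service. A minimal guard before the mv is `[[ -s "$tmp" ]] || { runFileOp rm -f "$tmp"; return 1; }`, or with `pipefail` enabled test the pipeline itself and bail out the same way. `if ! runFileOp cmp -s …` additionally depends on runFileOp returning cmp's exit status unchanged; if the wrapper logs and normalises the status, the "changed" test is inverted, which is worth confirming against its definition (not in this diff). The `$app` value spliced into the second sqlite3 query is read from the database rather than bound, so escaping it as `${app//\'/\'\'}` before interpolation would close that remaining quoting gap. Both functions begin outside the hunks shown.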
@ -10,13 +10,13 @@ createTouch()
|
||||
local clean_dir=$(echo "$file" | sed 's#//*#/#g')
|
||||
|
||||
if [ "$silent_flag" == "silent" ]; then
|
||||
sudo touch "$clean_dir"
|
||||
sudo chown $user_name:$user_name "$file"
|
||||
runFileOp touch "$clean_dir"
|
||||
runFileOp chown $user_name:$user_name "$file"
|
||||
else
|
||||
local result=$(sudo touch "$clean_dir")
|
||||
local result=$(runFileOp touch "$clean_dir")
|
||||
checkSuccess "Touching $file_name"
|
||||
|
||||
local result=$(sudo chown $user_name:$user_name "$file")
|
||||
local result=$(runFileOp chown $user_name:$user_name "$file")
|
||||
checkSuccess "Updating $file_name with $user_name ownership"
|
||||
fi
|
||||
}
|
||||
|
||||
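Review bot: `local result=$(runFileOp touch "$clean_dir")` and `local result=$(runFileOp chown …)` make `$?` the status of `local` (always 0), so if checkSuccess on the following line reads `$?` it reports success even when the wrapped command fails; the same pattern is carried over in every `local result=$(runFileOp …)` line of app_folder.sh and libreportal_folders.sh in this commit. Split declaration from assignment, `local result` on its own line and then `result=$(runFileOp touch "$clean_dir")`, so the wrapper's exit code reaches checkSuccess. The silent branch also touches `$clean_dir` but chowns `$file`; using `$clean_dir` for both keeps the two operations on the same normalised path. createTouch's header is outside the hunk.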
@ -18,7 +18,7 @@ fixAppFolderPermissions()
|
||||
|
||||
# Updating $containers_dir with execute permissions
|
||||
if [ -d "$containers_dir" ]; then
|
||||
local result=$(sudo chmod +x "$containers_dir" > /dev/null 2>&1)
|
||||
local result=$(runFileOp chmod +x "$containers_dir" > /dev/null 2>&1)
|
||||
if [ "$silent_flag" == "loud" ]; then
|
||||
checkSuccess "Updating $containers_dir with execute permissions."
|
||||
fi
|
||||
@ -30,7 +30,7 @@ fixAppFolderPermissions()
|
||||
|
||||
# Updating $containers_dir$app_name with execute permissions
|
||||
if [ -d "$containers_dir$app_name" ]; then
|
||||
local result=$(sudo chmod +x "$containers_dir$app_name" > /dev/null 2>&1)
|
||||
local result=$(runFileOp chmod +x "$containers_dir$app_name" > /dev/null 2>&1)
|
||||
if [ "$silent_flag" == "loud" ]; then
|
||||
checkSuccess "Updating $containers_dir$app_name with execute permissions."
|
||||
fi
|
||||
@ -42,7 +42,7 @@ fixAppFolderPermissions()
|
||||
|
||||
# Updating $app_name with read permissions
|
||||
if [ -d "$containers_dir$app_name" ]; then
|
||||
local result=$(sudo chmod o+r "$containers_dir$app_name")
|
||||
local result=$(runFileOp chmod o+r "$containers_dir$app_name")
|
||||
if [ "$silent_flag" == "loud" ]; then
|
||||
checkSuccess "Updating $app_name with read permissions"
|
||||
fi
|
||||
@ -54,7 +54,7 @@ fixAppFolderPermissions()
|
||||
|
||||
# Updating compose file(s) for LibrePortal access
|
||||
if [ -d "$containers_dir$app_name" ]; then
|
||||
local result=$(sudo find "$containers_dir$app_name" -type f -name '*docker-compose*' -exec chmod o+r {} \;)
|
||||
local result=$(runFileOp find "$containers_dir$app_name" -type f -name '*docker-compose*' -exec chmod o+r {} \;)
|
||||
if [ "$silent_flag" == "loud" ]; then
|
||||
isNotice "Updating compose file(s) for LibrePortal access"
|
||||
fi
|
||||
@ -70,7 +70,7 @@ fixAppFolderPermissions()
|
||||
local file_path="$containers_dir$app_name/$file"
|
||||
# Check if the file exists
|
||||
if [ -e "$file_path" ]; then
|
||||
local result=$(sudo chown $docker_install_user:$docker_install_user "$file_path")
|
||||
local result=$(runFileOp chown $docker_install_user:$docker_install_user "$file_path")
|
||||
if [ "$silent_flag" == "loud" ]; then
|
||||
checkSuccess "Updating $file with $docker_install_user ownership"
|
||||
fi
|
||||
|
||||
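Review bot: `runFileOp chown $docker_install_user:$docker_install_user "$file_path"` leaves the ownership variable unquoted and unguarded; if it is empty the command degrades to `chown : …`, which GNU chown treats as "change neither owner nor group", so a missing install user silently leaves the file's owner unchanged. `"${docker_install_user:?}:${docker_install_user}"` fails loudly instead, and the same guard fits `$user_name` in create_touch.sh. The `-exec chmod o+r {} \;` in the find a few hunks earlier could use `{} +` to batch the chmod calls rather than fork one per compose file. fixAppFolderPermissions starts outside the hunks shown.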
@ -5,23 +5,23 @@ fixFolderPermissions()
|
||||
local silent_flag="$1"
|
||||
local app_name="$2"
|
||||
|
||||
local result=$(sudo chmod +x "$docker_dir" > /dev/null 2>&1)
|
||||
local result=$(runFileOp chmod +x "$docker_dir" > /dev/null 2>&1)
|
||||
if [ "$silent_flag" == "loud" ]; then
|
||||
checkSuccess "Updating $docker_dir with execute permissions."
|
||||
fi
|
||||
|
||||
local result=$(sudo chmod +x "$containers_dir" > /dev/null 2>&1)
|
||||
local result=$(runFileOp chmod +x "$containers_dir" > /dev/null 2>&1)
|
||||
if [ "$silent_flag" == "loud" ]; then
|
||||
checkSuccess "Updating $containers_dir with execute permissions."
|
||||
fi
|
||||
|
||||
local result=$(sudo find "$script_dir" "$ssl_dir" "$ssh_dir" "$backup_dir" "$restore_dir" "$migrate_dir" -maxdepth 2 -type d -exec sudo chmod +x {} \;)
|
||||
local result=$(runFileOp find "$script_dir" "$ssl_dir" "$ssh_dir" "$backup_dir" "$restore_dir" "$migrate_dir" -maxdepth 2 -type d -exec chmod +x {} \;)
|
||||
if [ "$silent_flag" == "loud" ]; then
|
||||
checkSuccess "Adding execute permissions for $docker_install_user user"
|
||||
fi
|
||||
|
||||
# Install user related
|
||||
local result=$(sudo chown $docker_install_user:$docker_install_user "$containers_dir" > /dev/null 2>&1)
|
||||
local result=$(runFileOp chown $docker_install_user:$docker_install_user "$containers_dir" > /dev/null 2>&1)
|
||||
if [ "$silent_flag" == "loud" ]; then
|
||||
checkSuccess "Updating $containers_dir with $docker_install_user ownership"
|
||||
fi
|
||||
|
||||
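Review bot: The six directory variables handed to `runFileOp find "$script_dir" "$ssl_dir" "$ssh_dir" "$backup_dir" "$restore_dir" "$migrate_dir" …` are passed unguarded; if any of them is unset or empty, find receives an empty path argument and reports an error for it while the remaining directories are still processed, and nothing in the function would stop on that. Either assert them up front (`: "${script_dir:?}" "${ssl_dir:?}" …`) or collect only the non-empty ones into an array before the call. The accompanying message `checkSuccess "Adding execute permissions for $docker_install_user user"` is also misleading, since `chmod +x` on these directories grants search permission to owner, group and others, not to that user alone; the message could say "Adding execute permissions on install directories". fixFolderPermissions continues outside the hunk.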