
2 Commits

librelad
03d7a7b969 Merge claude/1 2026-05-23 23:26:13 +01:00
librelad
bdd73b4686 harden(desudo): append-capable runFileWrite + convert config-to-container
Add -a/--append to runFileWrite so the pervasive /docker/logs log-append
idiom (`… | sudo tee -a $logs_dir/$docker_log_file`) routes through the
mode-aware helper instead of raw sudo.

Convert scripts/config/docker/docker_config_to_container.sh fully: all
ops target /docker app config + logs (data-plane), so md5sum/grep/chmod/
cmp/editor -> runFileOp and the log-appends -> runFileWrite -a.
Byte-identical in rooted.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 23:26:13 +01:00
2 changed files with 28 additions and 21 deletions


@ -44,7 +44,7 @@ dockerConfigSetupToContainer()
if [ "$silent_flag" == "loud" ]; then
isNotice "Copying config file to '$target_path/$config_file'..."
fi
copyFile "$silent_flag" "$source_file" "$target_path/$config_file" $sudo_user_name | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
copyFile "$silent_flag" "$source_file" "$target_path/$config_file" $sudo_user_name | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1
fi
if [[ -n "$config_overrides" ]]; then
@ -60,9 +60,9 @@ dockerConfigSetupToContainer()
fi
fi
if sudo grep -qE 'RANDOMIZED(PASSWORD|USERNAME|BCRYPTPASSWORD|HEX|VAPID|APPKEY)[0-9]*' "$target_path/$config_file" 2>/dev/null; then
if runFileOp grep -qE 'RANDOMIZED(PASSWORD|USERNAME|BCRYPTPASSWORD|HEX|VAPID|APPKEY)[0-9]*' "$target_path/$config_file" 2>/dev/null; then
scanFileForRandomPasswordKeysUsers "$target_path/$config_file"
sudo chmod a+r "$target_path/$config_file" 2>/dev/null || true
runFileOp chmod a+r "$target_path/$config_file" 2>/dev/null || true
source "$target_path/$config_file"
fi
@ -81,7 +81,7 @@ dockerConfigSetupToContainer()
if [[ "$flags" == "install" ]]; then
if [ -f "$target_path/$config_file" ]; then
# Same content check
if sudo cmp -s "$source_file" "$target_path/$config_file"; then
if runFileOp cmp -s "$source_file" "$target_path/$config_file"; then
isNotice "Config file for $app_name contains no edits."
while true; do
#isQuestion "? (y/n): "
@ -91,11 +91,11 @@ dockerConfigSetupToContainer()
case $editconfigaccept in
[yY])
# Calculate checksum of the original file
local original_checksum=$(sudo md5sum "$target_path/$config_file")
local original_checksum=$(runFileOp md5sum "$target_path/$config_file")
# Open the file with $CFG_TEXT_EDITOR for editing
sudo $CFG_TEXT_EDITOR "$target_path/$config_file"
runFileOp $CFG_TEXT_EDITOR "$target_path/$config_file"
# Calculate checksum of the edited file
local edited_checksum=$(sudo md5sum "$target_path/$config_file")
local edited_checksum=$(runFileOp md5sum "$target_path/$config_file")
# Compare the checksums to check if changes were made
if [[ "$original_checksum" != "$edited_checksum" ]]; then
source $target_path/$config_file
@ -124,7 +124,7 @@ dockerConfigSetupToContainer()
case $resetconfigaccept in
[yY])
isNotice "Resetting $app_name config file."
copyFile "loud" "$source_file" "$target_path/$config_file" $docker_install_user | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
copyFile "loud" "$source_file" "$target_path/$config_file" $docker_install_user | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1
source $target_path/$config_file
dockerConfigSetupToContainer "loud" $app_name;
while true; do
@ -135,13 +135,13 @@ dockerConfigSetupToContainer()
case $editconfigaccept in
[yY])
# Calculate the checksum of the original file
local original_checksum=$(sudo md5sum "$target_path/$config_file")
local original_checksum=$(runFileOp md5sum "$target_path/$config_file")
# Open the file with $CFG_TEXT_EDITOR for editing
sudo $CFG_TEXT_EDITOR "$target_path/$config_file"
runFileOp $CFG_TEXT_EDITOR "$target_path/$config_file"
# Calculate the checksum of the edited file
local edited_checksum=$(sudo md5sum "$target_path/$config_file")
local edited_checksum=$(runFileOp md5sum "$target_path/$config_file")
# Compare the checksums to check if changes were made
if [[ "$original_checksum" != "$edited_checksum" ]]; then
@ -170,13 +170,13 @@ dockerConfigSetupToContainer()
case $editconfigaccept in
[yY])
# Calculate the checksum of the original file
local original_checksum=$(sudo md5sum "$target_path/$config_file")
local original_checksum=$(runFileOp md5sum "$target_path/$config_file")
# Open the file with $CFG_TEXT_EDITOR for editing
sudo $CFG_TEXT_EDITOR "$target_path/$config_file"
runFileOp $CFG_TEXT_EDITOR "$target_path/$config_file"
# Calculate the checksum of the edited file
local edited_checksum=$(sudo md5sum "$target_path/$config_file")
local edited_checksum=$(runFileOp md5sum "$target_path/$config_file")
# Compare the checksums to check if changes were made
if [[ "$original_checksum" != "$edited_checksum" ]]; then
@ -204,7 +204,7 @@ dockerConfigSetupToContainer()
fi
else
isNotice "Config file for $app_name does not exist. Creating it..."
copyFile "loud" "$source_file" "$target_path/$config_file" $docker_install_user | sudo tee -a "$logs_dir/$docker_log_file" 2>&1
copyFile "loud" "$source_file" "$target_path/$config_file" $docker_install_user | runFileWrite -a "$logs_dir/$docker_log_file" 2>&1
isNotice "Config file for $app_name contains no edits."
while true; do
#isQuestion "Would you like to make edits to the config file? (y/n): "
@ -214,13 +214,13 @@ dockerConfigSetupToContainer()
case $editconfigaccept in
[yY])
# Calculate the checksum of the original file
local original_checksum=$(sudo md5sum "$target_path/$config_file")
local original_checksum=$(runFileOp md5sum "$target_path/$config_file")
# Open the file with $CFG_TEXT_EDITOR for editing
sudo $CFG_TEXT_EDITOR "$target_path/$config_file"
runFileOp $CFG_TEXT_EDITOR "$target_path/$config_file"
# Calculate the checksum of the edited file
local edited_checksum=$(sudo md5sum "$target_path/$config_file")
local edited_checksum=$(runFileOp md5sum "$target_path/$config_file")
# Compare the checksums to check if changes were made
if [[ "$original_checksum" != "$edited_checksum" ]]; then
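Review bot: The three copyFile log-append sites (the first hunk and the two later copyFile hunks) lose their console echo: the old `sudo tee -a` wrote copyFile's output both to the log and to the pipeline's stdout (presumably the terminal in "loud" mode), whereas runFileWrite's tee ends in `>/dev/null`, so the copy messages are now logged only — the "byte-identical in rooted" claim holds for the log file but not for what the user sees. If the echo is wanted, keep the fan-out at the call site, e.g. `copyFile … $docker_install_user | tee >(runFileWrite -a "$logs_dir/$docker_log_file")`, or give runFileWrite a flag that leaves stdout alone. The trailing `2>&1` on these pipelines only redirects runFileWrite's own stderr (sudo/tee failures), not anything from copyFile, which is unchanged from before but worth keeping in mind when reading the log. The enclosing dockerConfigSetupToContainer starts and ends outside these hunks.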


@ -27,13 +27,20 @@ runFileOp() {
# Write stdin to a path with the right privilege (replaces `… | sudo tee path`).
# rooted -> sudo tee
# rootless -> tee as the Docker install user
# Usage: some_command | runFileWrite /path/to/file
# Pass -a/--append as the first arg to append instead of truncate (replaces
# `… | sudo tee -a path`, e.g. the /docker/logs log-append idiom).
# Usage: some_command | runFileWrite [-a] /path/to/file
runFileWrite() {
local append=""
if [[ "$1" == "-a" || "$1" == "--append" ]]; then
append=" -a"
shift
fi
local dest="$1"
if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
dockerCommandRunInstallUser "tee '$dest' >/dev/null"
dockerCommandRunInstallUser "tee$append '$dest' >/dev/null"
else
sudo tee "$dest" >/dev/null
sudo tee$append "$dest" >/dev/null
fi
}
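Review bot: The rootless branch (`dockerCommandRunInstallUser "tee$append '$dest' >/dev/null"`) still assembles a shell command by string interpolation, so a dest containing a single quote breaks out of the quoting and the remainder of the path is interpreted as shell in the install user's session; the new line inherits this from the line it replaces, but now that -a makes this helper the standard route for log appends it is worth closing here. Let the shell do the escaping instead: `printf -v cmd 'tee%s %q >/dev/null' "$append" "$dest"` followed by `dockerCommandRunInstallUser "$cmd"` (this assumes the helper hands the string to bash, as the existing single-quoting suggests — confirm). A guard such as `local dest="${1:?runFileWrite: destination path required}"` would turn a missing argument into a clear error rather than an invocation of `tee ''`. Relying on `tee$append` being unquoted so that " -a" word-splits works, but it is easy to misread; a `tee_args=(tee)` array with `[[ -n "$append" ]] && tee_args+=(-a)` and `sudo "${tee_args[@]}" "$dest"` makes the intent explicit in the rooted branch.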