LibrePortal/scripts/docker/command/run_privileged.sh
librelad a27304a191 fix(distribution): harden the artifact apply pipeline (adversarial review)
A 4-lens adversarial security review of the Phase 2 applier raised 19 issues
and confirmed 17 after per-finding verification. All are trust-boundary (they
require the signing key), but several break the explicit "no code-exec, always
reversible, nothing-silent" contract, so all 17 are fixed:

Trust path — fail CLOSED, never misreport:
- lpFetchIndex now surfaces the real signature state (LP_INDEX_SIGSTATE);
  artifactApply REFUSES to mutate unless the index is actually verified, and
  _artifactFetchPayload refuses an unsigned payload. The read path still
  tolerates dev/unsigned but now says "UNSIGNED" instead of "Signed + verified".
- valid_until and index_serial are now MANDATORY + numeric in lpFetchIndex
  (missing = refuse) — closes the anti-withholding / anti-rollback fail-opens.

Injection / code-exec (defense in depth even for a signed payload):
- runFileWrite rootless branch no longer builds a `bash -c` shell string with the
  destination interpolated — it uses the argv form (like runFileOp), so a path
  with a quote can't inject a command as the install user. (shared-helper fix)
- op paths must match a safe-filename charset (no quotes/$/backtick/;/newline);
  set-config-key values and set-compose-image refs are charset-guarded too.
- content_b64 is validated as real base64 at precheck.

Reversibility / honest failure:
- dockerComposeUp now returns the real compose exit status (it always returned 0,
  so the updater's rollback gate AND the apply's start-failure detection were
  fail-open). (shared-helper fix)
- set-config-key undo captures the WHOLE config file (lossless) instead of a
  lossy re-parsed scalar; edit-only (rejects an absent key).
- _artifactReplayUndoFile returns non-zero if any inverse op fails; auto-rollback
  and revert now record "rollback-incomplete"/"revert-incomplete" + isError
  instead of falsely claiming success, and revert keeps the record for retry.
- applied-record write failure is checked — apply rolls back rather than leave an
  un-revertable change. System-scope regen failure is no longer swallowed.
- Writes are path-aware (configs/ -> runInstallWrite, container tree ->
  runFileWrite) so system-scope hotfixes write/restore correctly.
- Checked lazy-sourcing surfaces a clear error instead of a bare exit 127.

Unit-tested 35/35 (adds: command-sub value rejection, bad image-ref, invalid
base64, quote/metachar path-injection rejection, replay-failure reporting).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-31 20:47:18 +01:00

179 lines
8.0 KiB
Bash

#!/bin/bash
# Mode-aware privileged operations.
#
# Ownership model (single source of truth — see reconcileDockerOwnership):
# The MANAGER user ($sudo_user_name, e.g. libreportal) runs the CLI + host
# scripts and is in the docker group, so it owns and operates the LibrePortal
# control plane in BOTH modes. root:root is never the intended owner — it only
# ever appeared as an artifact of un-de-sudo'd `sudo` commands.
# rooted — the manager owns everything under /docker (it talks to the root
# docker socket via the docker group); ops run AS the manager.
# rootless — the manager owns the control plane; the docker install user owns
# /docker/containers/** (the rootless daemon requires it).
# Only genuine system administration (apt/systemctl/ufw/sysctl/useradd, /etc)
# needs real root — that goes through runSystem.
# Run a command AS the manager user (plain if we're already it — the runtime
# case — otherwise sudo -u to it, e.g. at install time when we're root). This is
# how we keep files manager-owned instead of accidentally root-owned.
runAsManager() {
local mgr="${sudo_user_name:-libreportal}"
if [[ "$(id -un)" == "$mgr" ]]; then
"$@"
else
sudo -u "$mgr" "$@"
fi
}
# /docker data-plane command (mkdir/chown/rm/cp/mv/sed/sqlite3/docker/etc.) on
# app/container files.
# rooted -> as the manager user (owns /docker, in the docker group)
# rootless -> as the docker install user (owns /docker/containers/**, and has
# DOCKER_HOST set so `docker ...` hits the rootless socket)
# For stdin-fed writes (`… | sudo tee file`) use runFileWrite below.
runFileOp() {
if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
dockerCommandRunInstallUser --argv "$@"
else
runAsManager "$@"
fi
}
# Write stdin to a /docker data-plane path (replaces `… | sudo tee path`).
# Pass -a/--append as the first arg to append instead of truncate.
# Usage: some_command | runFileWrite [-a] /path/to/file
runFileWrite() {
local append_flag=()
if [[ "$1" == "-a" || "$1" == "--append" ]]; then
append_flag=(-a)
shift
fi
local dest="$1"
if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
# --argv: pass tee + the destination as literal argv (no `bash -c`), so a
# path containing a quote/metachar can't break out of a shell string and
# inject a command. Mirrors runFileOp; the >/dev/null is the manager-side
# shell's (suppresses tee's stdout echo). stdin is preserved by sudo.
dockerCommandRunInstallUser --argv tee "${append_flag[@]}" "$dest" >/dev/null
else
runAsManager tee "${append_flag[@]}" "$dest" >/dev/null
fi
}
# Op on a MANAGER-owned path — the LibrePortal clone/templates AND the /docker
# control plane (apps DB, configs/, logs/, scripts). Owned by the manager in
# BOTH modes, so it always runs as the manager.
runInstallOp() {
runAsManager "$@"
}
# Write stdin to a MANAGER-owned path (apps DB sidecars, configs/, logs/ — e.g.
# the /docker/logs log-append idiom). Manager-owned in both modes.
# Pass -a/--append as the first arg to append.
runInstallWrite() {
local append_flag=()
if [[ "$1" == "-a" || "$1" == "--append" ]]; then
append_flag=(-a)
shift
fi
local dest="$1"
runAsManager tee "${append_flag[@]}" "$dest" >/dev/null
}
# Run a read/edit op against a CONFIG FILE, auto-selecting elevation by where the
# file lives: the container data-plane (/libreportal-containers, install-user-owned
# in rootless) -> runFileOp; the manager-owned control plane (configs/, the clone,
# backup-location configs) -> runInstallOp. The target file must be the LAST arg
# (true for the grep/sed/awk calls in the password replacers). Without this,
# sed -i EACCES'd its own temp file whenever the manager edited an app config
# copied into the container tree (the adguard.config "couldn't open temporary
# file" bug — the substitution silently failed, leaving the placeholder).
runCfgOp() {
local _file="${!#}"
if [[ -n "$containers_dir" && "$_file" == "$containers_dir"* ]]; then
runFileOp "$@"
else
runInstallOp "$@"
fi
}
# Backup-engine command (borg/restic/kopia) run AS the dedicated backup user
# ($docker_install_user), with the environment preserved (-E) so the repo
# password and BORG_/RESTIC_/KOPIA_ env vars reach the tool. Never root — the
# scoped sudoers lets the manager drop to this user. Single funnel so the
# backup subsystem's privilege drop has one audit point.
# -H resets HOME to the target user's so restic finds (or creates) its cache
# under /home/$docker_install_user/.cache/restic instead of inheriting the
# manager's HOME (which dockerinstall can't write into, surfacing as
# "unable to open cache: mkdir /home/libreportal/.cache/restic: permission denied"
# on every backup).
runBackupOp() {
sudo -E -H -u "$docker_install_user" "$@"
}
# Run one of the ROOT-OWNED LibrePortal helpers installed (root:root 0755) under
# /usr/local/lib/libreportal/ by init.sh. These are how the manager-run runtime
# (Model A) performs the genuine-root operations it can't drop — establishing the
# /docker ownership model, editing /etc/resolv.conf, managing host SSH access —
# WITHOUT the scoped sudoers granting blanket `sudo chown/chmod/tee/sed/cp` (which
# would be root-equivalent: chown /etc/sudoers, tee a new sudoers drop-in, …).
# Each helper validates its own fixed-path operations, so the sudoers can allow it
# wholesale. At install time (already root) the installed helper may be absent, so
# run the bundled copy directly — no sudo, no escalation, since we are root.
_runRootHelper() {
local name="$1"; shift
local helper="/usr/local/lib/libreportal/$name"
if [[ -x "$helper" ]]; then
sudo "$helper" "$@"
elif [[ $EUID -eq 0 ]]; then
bash "${script_dir:-/libreportal-system/install}/scripts/system/$name" "$@"
else
sudo "$helper" "$@"
fi
}
# Ownership reconcile: action ∈ {reconcile [mode]|traversal|containers-top|
# app-perms|webui|taskdir|app-data-nobody <app>}
runOwnership() { _runRootHelper libreportal-ownership "$@"; }
# /etc/resolv.conf edits: {clear|add <ip>}
runResolv() { _runRootHelper libreportal-dns "$@"; }
# Host SSH access (authorized_keys + sshd PasswordAuthentication):
# {ensure-dir|key-count|pw-status|has-keys|read-keys|authkeys-path|
# key-add <b64>|key-remove <fp>|pw-set <on|off>}
runSshAccess() { _runRootHelper libreportal-ssh-access "$@"; }
# Docker-socket read perms for the type switcher: {rootless|rooted} {on|off}
# (exit 3 = socket absent).
runSocket() { _runRootHelper libreportal-socket "$@"; }
# Install/refresh the systemd task-processor unit (root generates the unit from
# config; no caller-supplied content): {install|enable|restart|start|status}
runSvc() { _runRootHelper libreportal-svc "$@"; }
# Backup-engine binary install (restic/kopia) to /usr/local/bin: install <engine>
runBinInstall() { _runRootHelper libreportal-bininstall "$@"; }
# App config-file rewrites owned by in-container uids / root /etc:
# {adguard-auth <user> <bcrypt>|owncloud-config <public> <host> <ip> <public_ip>|
# wireguard-ip-forward}
runAppCfg() { _runRootHelper libreportal-appcfg "$@"; }
# CrowdSec host-side privileged ops — apt install of the agent + firewall
# bouncer, cscli register/enroll, /etc/crowdsec/* edits, /var/log/crowdsec*.log
# touch+chmod, /etc/crowdsec/traefik_bouncer.key write. One audit funnel for
# every operation the host-side CrowdSec install needs the manager can't drop:
# {install|services <enable|disable|restart>|capi <register|unregister|status>
# |console <enroll <token>|disenroll|status>|bouncer-traefik-init|
# bouncer-priority|bind-lapi|prometheus <on <addr> <port>|off>|touch-host-logs}
runCrowdsec() { _runRootHelper libreportal-crowdsec "$@"; }
# Genuine system-administration command (ufw/systemctl/apt/sysctl/useradd, /etc
# edits). Needs real root in both modes; funnelled through one place so it can
# later be confined to a scoped sudoers allowlist.
runSystem() {
sudo "$@"
}