librelad 82839abea6 harden(desudo): arg-safe runFileOp + convert DNS subsystem off raw sudo
Give dockerCommandRunInstallUser an --argv mode that execs arguments
verbatim (sudo -u <user> env ... "$@") instead of bash -c "$*", and
point runFileOp at it. The old $*+bash -c re-parse silently mangled
backslashes/quotes in args — e.g. sed scripts (\1, \( become 1, ( ) and
the sqlite3 .backup arg — so rootless data-plane ops with regex were
broken. Verified: the WG_DEFAULT_DNS sed now applies correctly as the
install user. All existing runFileOp callers pass plain commands, so the
switch is safe (and fixes the latent sqlite3 case).

Convert scripts/network/dns/setup_dns.sh: /etc/resolv.conf edits and
ping -> runSystem; the WG_DEFAULT_DNS compose-file sed -> runFileOp.
Byte-identical in rooted; correct in rootless.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-23 23:22:46 +01:00


#!/bin/bash
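#######################################
# Strip every nameserver line from /etc/resolv.conf (runs through runSystem so
# it works rootless too). Previously defined inside updateDNS; hoisted so the
# helpers below can use it — the public name is unchanged.
# Globals:   result (written: sed output, consumed by checkSuccess)
#######################################
dnsRemoveNameservers()
{
  result=$(runSystem sed -i '/^nameserver/d' /etc/resolv.conf)
  checkSuccess "Removing all instances of Nameserver from Resolv.conf"
}

#######################################
# Ping one address once through runSystem and report the outcome.
# Globals:   result (written: ping output)
# Arguments: $1 - address to probe
# Returns:   0 when the ping answered, 1 otherwise
#######################################
_dnsPing()
{
  local target="$1"
  # The assignment's status is the ping's status; no separate $? check needed.
  if result=$(runSystem ping -c 1 "$target"); then
    isSuccessful "Ping to $target was successful."
    return 0
  fi
  isNotice "Ping to $target failed."
  return 1
}

#######################################
# Choose the address for one container-hosted resolver (AdGuard or Pi-hole).
# The container address (from setupDNSIP) is used when the app is installed and
# answers a ping; otherwise the configured fallback is used. The fallback is
# pinged as well, but only to log the result — it stays selected either way.
# (The Pi-hole-absent path used to skip that probe and test $? of a `local`
# assignment instead, which always reported success.)
# Globals:   dns_ip_setup (read; written by setupDNSIP)
#            dns_ip_chosen (written: the selected address)
# Arguments: $1 - app name for dockerCheckAppInstalled/setupDNSIP
#            $2 - fallback address (CFG_DNS_SERVER_1 or _2)
#            $3 - server number used in the notices ("1" or "2")
# Returns:   0 always
#######################################
_dnsPickServer()
{
  local app="$1"
  local fallback="$2"
  local label="$3"
  local status
  dns_ip_chosen="$fallback"
  # Kept separate from `local` so the command's exit status is not masked.
  status=$(dockerCheckAppInstalled "$app" "docker")
  if [[ "$status" == "installed" ]]; then
    setupDNSIP "$app"
    if _dnsPing "$dns_ip_setup"; then
      dns_ip_chosen="$dns_ip_setup"
      return 0
    fi
    isNotice "Defaulting to DNS $label Server $fallback."
  fi
  # Probed for the log only; the fallback is used whether or not it answers.
  if ! _dnsPing "$fallback"; then
    isNotice "Defaulting to DNS Server $label"
  fi
  return 0
}

#######################################
# Point the WireGuard compose file's WG_DEFAULT_DNS at the chosen resolver.
# No-op when WireGuard is not installed. The path is built only after
# initializeAppVariables wireguard, which populates compose_setup/containers_dir
# (and possibly app_name via bash's dynamic scoping — TODO confirm), as before.
# NOTE(review): the Pi-hole-first branch used to call initializeAppVariables
# with the caller's app instead of wireguard; since the file being edited is
# WireGuard's compose file, every path now initialises wireguard — confirm.
# Globals:   compose_setup, containers_dir (read after initializeAppVariables)
#            result (written: sed output, consumed by checkSuccess)
# Arguments: $1 - app name the caller is working on
#            $2 - resolver address to write into WG_DEFAULT_DNS
# Returns:   0 when skipped or the sed ran; 1 when the address or the compose
#            layout is unusable
#######################################
_dnsUpdateWireguardCompose()
{
  local app_name="$1"
  local dns_ip="$2"
  local status compose_file
  status=$(dockerCheckAppInstalled "wireguard" "docker")
  [[ "$status" == "installed" ]] || return 0
  # The address is spliced into a sed replacement: refuse anything that could
  # carry sed metacharacters (/ & \) instead of letting them rewrite the script.
  if ! [[ "$dns_ip" =~ ^[0-9A-Za-z.:-]+$ ]]; then
    isNotice "Not updating Wireguard default DNS: unexpected address '$dns_ip'"
    return 1
  fi
  initializeAppVariables wireguard
  case "$compose_setup" in
    default) compose_file="docker-compose.yml" ;;
    app)     compose_file="docker-compose.$app_name.yml" ;;
    *)
      # Previously an empty compose_file made sed -i hit the directory itself.
      isNotice "Not updating Wireguard default DNS: unknown compose setup '$compose_setup'"
      return 1
      ;;
  esac
  result=$(runFileOp sed -i "s/\(WG_DEFAULT_DNS=\).*/\1$dns_ip/" "$containers_dir$app_name/$compose_file")
  checkSuccess "Updated Wireguard default DNS to $dns_ip"
}

#######################################
# Replace the nameserver lines in /etc/resolv.conf with the two given
# addresses, primary first.
# Arguments: $1 - primary address, $2 - secondary address
#######################################
_dnsWriteResolvConf()
{
  dnsRemoveNameservers
  printf 'nameserver %s\n' "$1" "$2" | runSystem tee -a /etc/resolv.conf > /dev/null
}

#######################################
# Refresh /etc/resolv.conf (and WG_DEFAULT_DNS in the WireGuard compose file)
# from the installed AdGuard/Pi-hole containers, falling back to the configured
# CFG_DNS_SERVER_1/2. Only acts on Ubuntu/Debian; otherwise returns quietly.
# Globals:   OS_TYPE, CFG_DNS_SERVER_1, CFG_DNS_SERVER_2 (read)
#            dns_ip_chosen (written via _dnsPickServer)
# Arguments: $1 - app name being installed/updated
#            $2 - flag: "standalonewireguard" writes only the configured
#                 servers; "install" re-runs initializeAppVariables for $1 at
#                 the end (presumably to undo the wireguard initialisation)
# Returns:   0, or the status of the final isSuccessful
#######################################
updateDNS()
{
  local app_name="$1"
  local flag="$2"
  if [[ "$OS_TYPE" != "Ubuntu" && "$OS_TYPE" != "Debian" ]]; then
    return 0
  fi
  if [[ "$flag" == "standalonewireguard" ]]; then
    _dnsWriteResolvConf "$CFG_DNS_SERVER_1" "$CFG_DNS_SERVER_2"
    return 0
  fi
  _dnsPickServer adguard "$CFG_DNS_SERVER_1" 1
  local adguard_ip="$dns_ip_chosen"
  _dnsPickServer pihole "$CFG_DNS_SERVER_2" 2
  local pihole_ip="$dns_ip_chosen"
  # 10.100.0.* is presumably the WireGuard-reachable container network (the
  # match is a substring match, as before). A resolver on it becomes primary
  # and is written into the compose file; AdGuard wins when both or neither
  # are on it, Pi-hole only when it alone is.
  if [[ "$adguard_ip" != *10.100.0* && "$pihole_ip" == *10.100.0* ]]; then
    _dnsUpdateWireguardCompose "$app_name" "$pihole_ip"
    _dnsWriteResolvConf "$pihole_ip" "$adguard_ip"
  else
    _dnsUpdateWireguardCompose "$app_name" "$adguard_ip"
    _dnsWriteResolvConf "$adguard_ip" "$pihole_ip"
  fi
  if [[ "$flag" == "install" ]]; then
    initializeAppVariables "$app_name"
  fi
  isSuccessful "Resolv.conf has been updated with the latest DNS settings."
}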