mirror of
https://github.com/community-scripts/ProxmoxVE.git
synced 2026-04-24 11:20:56 +00:00
fix: harden shell scripts against injection and insecure permissions
Security fixes across multiple files: - install.func: Quote command substitutions in mkdir/systemctl to prevent word splitting and globbing on GETTY_OVERRIDE path - build.func: Escape sed special chars (& \) in current_os/hostname/ip before using them as sed replacement strings in update_motd_ip - build.func: Escape regex metacharacters (. |) in $LANG before sed use - build.func: Validate render_gid/video_gid as numeric before sed injection - build.func: Use HTTPS for Alpine APK repositories instead of HTTP - tools.func: Verify GPG dearmor output is non-empty (-s check) - tools.func: Tighten GPU device permissions from 666 to 660 (owner+group) - tools.func: Add chgrp render for /dev/kfd (AMD ROCm) - shinobi-install.sh: chmod 777 -> 644 on version.json - tasmoadmin-install.sh: chmod 777 -> 775 on tmp/data directories - runtipi.sh: chmod 666 -> 660 on settings.json
This commit is contained in:
+14
-3
@@ -221,6 +221,11 @@ update_motd_ip() {
|
||||
local current_hostname="$(hostname)"
|
||||
local current_ip="$(hostname -I | awk '{print $1}')"
|
||||
|
||||
# Escape sed special chars in replacement strings (& \ |)
|
||||
current_os="${current_os//\\/\\\\}"; current_os="${current_os//&/\\&}"
|
||||
current_hostname="${current_hostname//\\/\\\\}"; current_hostname="${current_hostname//&/\\&}"
|
||||
current_ip="${current_ip//\\/\\\\}"; current_ip="${current_ip//&/\\&}"
|
||||
|
||||
# Update only if values actually changed
|
||||
if ! grep -q "OS:.*$current_os" "$PROFILE_FILE" 2>/dev/null; then
|
||||
sed -i "s|OS:.*|OS: \${GN}$current_os\${CL}\\\"|" "$PROFILE_FILE"
|
||||
@@ -4076,8 +4081,8 @@ EOF
|
||||
if [ "$var_os" == "alpine" ]; then
|
||||
sleep 3
|
||||
pct exec "$CTID" -- /bin/sh -c 'cat <<EOF >/etc/apk/repositories
|
||||
http://dl-cdn.alpinelinux.org/alpine/latest-stable/main
|
||||
http://dl-cdn.alpinelinux.org/alpine/latest-stable/community
|
||||
https://dl-cdn.alpinelinux.org/alpine/latest-stable/main
|
||||
https://dl-cdn.alpinelinux.org/alpine/latest-stable/community
|
||||
EOF'
|
||||
pct exec "$CTID" -- ash -c "apk add bash newt curl openssh nano mc ncurses jq" >>"$BUILD_LOG" 2>&1 || {
|
||||
msg_error "Failed to install base packages in Alpine container"
|
||||
@@ -4086,7 +4091,9 @@ EOF'
|
||||
else
|
||||
sleep 3
|
||||
LANG=${LANG:-en_US.UTF-8}
|
||||
pct exec "$CTID" -- bash -c "sed -i \"/$LANG/ s/^# //\" /etc/locale.gen"
|
||||
local LANG_ESC="${LANG//./\\.}"
|
||||
LANG_ESC="${LANG_ESC//|/\\|}"
|
||||
pct exec "$CTID" -- bash -c "sed -i \"/$LANG_ESC/ s/^# //\" /etc/locale.gen"
|
||||
pct exec "$CTID" -- bash -c "locale_line=\$(grep -v '^#' /etc/locale.gen | grep -E '^[a-zA-Z]' | awk '{print \$1}' | head -n 1) && \
|
||||
echo LANG=\$locale_line >/etc/default/locale && \
|
||||
locale-gen >/dev/null && \
|
||||
@@ -4759,6 +4766,10 @@ fix_gpu_gids() {
|
||||
pct stop "$CTID" >/dev/null 2>&1
|
||||
sleep 1
|
||||
|
||||
# Validate GIDs are numeric before sed
|
||||
[[ "$render_gid" =~ ^[0-9]+$ ]] || render_gid="104"
|
||||
[[ "$video_gid" =~ ^[0-9]+$ ]] || video_gid="44"
|
||||
|
||||
# Update dev entries with correct GIDs
|
||||
sed -i.bak -E "s|(dev[0-9]+: /dev/dri/renderD[0-9]+),gid=[0-9]+|\1,gid=${render_gid}|g" "$LXC_CONFIG"
|
||||
sed -i -E "s|(dev[0-9]+: /dev/dri/card[0-9]+),gid=[0-9]+|\1,gid=${video_gid}|g" "$LXC_CONFIG"
|
||||
|
||||
Reference in New Issue
Block a user