nexus/ProxmoxVE
2
0
Fork 0
mirror of https://github.com/community-scripts/ProxmoxVE.git synced 2026-04-24 11:20:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden shell scripts against injection and insecure permissions

Browse Source 
Security fixes across multiple files:

- install.func: Quote command substitutions in mkdir/systemctl to prevent
  word splitting and globbing on GETTY_OVERRIDE path
- build.func: Escape sed special chars (& \) in current_os/hostname/ip
  before using them as sed replacement strings in update_motd_ip
- build.func: Escape regex metacharacters (. |) in $LANG before sed use
- build.func: Validate render_gid/video_gid as numeric before sed injection
- build.func: Use HTTPS for Alpine APK repositories instead of HTTP
- tools.func: Verify GPG dearmor output is non-empty (-s check)
- tools.func: Tighten GPU device permissions from 666 to 660 (owner+group)
- tools.func: Add chgrp render for /dev/kfd (AMD ROCm)
- shinobi-install.sh: chmod 777 -> 644 on version.json
- tasmoadmin-install.sh: chmod 777 -> 775 on tmp/data directories
- runtipi.sh: chmod 666 -> 660 on settings.json
This commit is contained in:
MickLesk
2026-03-23 21:22:58 +01:00
parent b1604ceae0
commit a3498644fc
6 changed files with 25 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
misc/build.func
+14 -3
View File
@@ -221,6 +221,11 @@ update_motd_ip() {
local current_hostname="$(hostname)"
local current_ip="$(hostname -I | awk '{print $1}')"
# Escape sed special chars in replacement strings (& \ |)
current_os="${current_os//\\/\\\\}"; current_os="${current_os//&/\\&}"
current_hostname="${current_hostname//\\/\\\\}"; current_hostname="${current_hostname//&/\\&}"
current_ip="${current_ip//\\/\\\\}"; current_ip="${current_ip//&/\\&}"
# Update only if values actually changed
if ! grep -q "OS:.*$current_os" "$PROFILE_FILE" 2>/dev/null; then
sed -i "s|OS:.*|OS: \${GN}$current_os\${CL}\\\"|" "$PROFILE_FILE"
@@ -4076,8 +4081,8 @@ EOF
if [ "$var_os" == "alpine" ]; then
sleep 3
pct exec "$CTID" -- /bin/sh -c 'cat <<EOF >/etc/apk/repositories
http://dl-cdn.alpinelinux.org/alpine/latest-stable/main
http://dl-cdn.alpinelinux.org/alpine/latest-stable/community
https://dl-cdn.alpinelinux.org/alpine/latest-stable/main
https://dl-cdn.alpinelinux.org/alpine/latest-stable/community
EOF'
pct exec "$CTID" -- ash -c "apk add bash newt curl openssh nano mc ncurses jq" >>"$BUILD_LOG" 2>&1 || {
msg_error "Failed to install base packages in Alpine container"
@@ -4086,7 +4091,9 @@ EOF'
else
sleep 3
LANG=${LANG:-en_US.UTF-8}
pct exec "$CTID" -- bash -c "sed -i \"/$LANG/ s/^# //\" /etc/locale.gen"
local LANG_ESC="${LANG//./\\.}"
LANG_ESC="${LANG_ESC//|/\\|}"
pct exec "$CTID" -- bash -c "sed -i \"/$LANG_ESC/ s/^# //\" /etc/locale.gen"
pct exec "$CTID" -- bash -c "locale_line=\$(grep -v '^#' /etc/locale.gen | grep -E '^[a-zA-Z]' | awk '{print \$1}' | head -n 1) && \
echo LANG=\$locale_line >/etc/default/locale && \
locale-gen >/dev/null && \
@@ -4759,6 +4766,10 @@ fix_gpu_gids() {
pct stop "$CTID" >/dev/null 2>&1
sleep 1
# Validate GIDs are numeric before sed
[[ "$render_gid" =~ ^[0-9]+$ ]] || render_gid="104"
[[ "$video_gid" =~ ^[0-9]+$ ]] || video_gid="44"
# Update dev entries with correct GIDs
sed -i.bak -E "s|(dev[0-9]+: /dev/dri/renderD[0-9]+),gid=[0-9]+|\1,gid=${render_gid}|g" "$LXC_CONFIG"
sed -i -E "s|(dev[0-9]+: /dev/dri/card[0-9]+),gid=[0-9]+|\1,gid=${video_gid}|g" "$LXC_CONFIG"