nexus/ProxmoxVE
2
0
Fork 0
mirror of https://github.com/community-scripts/ProxmoxVE.git synced 2026-04-20 17:32:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: harden shell scripts against injection and insecure permissions

Browse Source 
Security fixes across multiple files:

- install.func: Quote command substitutions in mkdir/systemctl to prevent
  word splitting and globbing on GETTY_OVERRIDE path
- build.func: Escape sed special chars (& \) in current_os/hostname/ip
  before using them as sed replacement strings in update_motd_ip
- build.func: Escape regex metacharacters (. |) in $LANG before sed use
- build.func: Validate render_gid/video_gid as numeric before sed injection
- build.func: Use HTTPS for Alpine APK repositories instead of HTTP
- tools.func: Verify GPG dearmor output is non-empty (-s check)
- tools.func: Tighten GPU device permissions from 666 to 660 (owner+group)
- tools.func: Add chgrp render for /dev/kfd (AMD ROCm)
- shinobi-install.sh: chmod 777 -> 644 on version.json
- tasmoadmin-install.sh: chmod 777 -> 775 on tmp/data directories
- runtipi.sh: chmod 666 -> 660 on settings.json
This commit is contained in:
MickLesk
2026-03-23 21:22:58 +01:00
parent b1604ceae0
commit a3498644fc
6 changed files with 25 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
misc/tools.func
View File

@@ -242,7 +242,7 @@ download_gpg_key() {
# Process based on mode
if [[ "$mode" == "dearmor" ]]; then
if gpg --dearmor --yes -o "$output" <"$temp_key" 2>/dev/null; then
if gpg --dearmor --yes -o "$output" <"$temp_key" 2>/dev/null && [[ -s "$output" ]]; then
rm -f "$temp_key"
debug_log "GPG key installed (dearmored): $output"
return 0
@@ -5192,7 +5192,7 @@ _setup_gpu_permissions() {
for nvidia_dev in /dev/nvidia*; do
[[ -e "$nvidia_dev" ]] && {
chgrp video "$nvidia_dev" 2>/dev/null || true
chmod 666 "$nvidia_dev" 2>/dev/null || true
chmod 660 "$nvidia_dev" 2>/dev/null || true
}
done
if [[ -d /dev/nvidia-caps ]]; then
@@ -5200,7 +5200,7 @@ _setup_gpu_permissions() {
for caps_dev in /dev/nvidia-caps/*; do
[[ -e "$caps_dev" ]] && {
chgrp video "$caps_dev" 2>/dev/null || true
chmod 666 "$caps_dev" 2>/dev/null || true
chmod 660 "$caps_dev" 2>/dev/null || true
}
done
fi
@@ -5217,7 +5217,8 @@ _setup_gpu_permissions() {
# /dev/kfd permissions (AMD ROCm)
if [[ -e /dev/kfd ]]; then
chmod 666 /dev/kfd 2>/dev/null || true
chgrp render /dev/kfd 2>/dev/null || true
chmod 660 /dev/kfd 2>/dev/null || true
msg_info "AMD ROCm compute device configured"
fi