As part of my Docker image I have the following ENTRYPOINT script:
#!/bin/bash
set -e
if [ -z "${UID}" ]; then
uid=1000;
else
uid=${UID};
fi
if [ -z "${GID}" ]; then
gid=1000;
else
gid=${GID};
fi
echo "UID: $uid"
echo "GID: $gid"
data_dir="/var/www/html"
usermod -u "$uid" www-data && groupmod -g "$gid" www-data
chown -R www-data:root "$data_dir"
if [ -d "$data_dir" ]; then
chgrp -RH www-data "$data_dir"
chmod -R g+w "$data_dir"
find "$data_dir" -type d -exec chmod 2775 {} +
find "$data_dir" -type f -exec chmod ug+rw {} +
fi
composer_cache_dir="/var/www/.composer"
mkdir -p "$composer_cache_dir"
chown -R www-data:root "$composer_cache_dir"
if [ -d "$composer_cache_dir" ]; then
chgrp -R www-data "$composer_cache_dir"
chmod -R g+w "$composer_cache_dir"
fi
a2enmod rewrite expires
rm -f /var/run/apache2/apache2.pid
source /etc/apache2/envvars && exec /usr/sbin/apache2 -DFOREGROUND "$#"
The image compiles successfully. When I try to run the container by running the following command docker run -it temp bash I got the following output:
UID: 0
GID: 1000
usermod: UID '0' already exists
Enabling module rewrite.
Enabling module expires.
To activate the new configuration, you need to run:
service apache2 restart
AH00112: Warning: DocumentRoot [/var/www/html/public_html] does not exist
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
Why my UID is 0? I can't find where is my error here, any help is more than welcome.
Update:
Changing this lines on the script:
if [ "$UID" != 0 ]; then
uid=1000;
else
uid=${UID};
fi
Still making it to assign 0 to uid, is because of the var name? (I have rebuilt the image using docker build --no-cache -t temp . so no cache is being used)
Because $UID in Bash expands to the current user id of the shell, and it's never empty, so [ -z "${UID}" ] is never true. So, you're setting uid=${UID};, probably uid=0 if the script runs as root.
Then usermod -u 0 www-data complains because it tries to change the UID of www-data to zero, but that's already in use, and it doesn't do that without the -o flag. (And you'd never want to do that anyway...)
If you want to test if $UID is zero, use [ "$UID" == 0 ]. Or [[ $UID == 0 ]] in Bash. Or [ "$UID" -eq 0 ] for a numeric comparison, not that it matters.
(I'm not exactly sure if changing the uid of www-data to 1000 is a good idea in any case, you already must have the user for usermod to be able to change its uid. But that wasn't the question.)
Bash:
UID
Expands to the user ID of the current user, initialized at shell startup. This variable is readonly.
usermod:
-u, --uid UID
The new numerical value of the user's ID.
This value must be unique, unless the -o option is used. The value must be non-negative.
Related
I have a DEB package which dynamically creates a chroot filesystem in package postinst helper script. The package works fine for x86, amd64, and arm64 on Debian Stretch/Buster/Bullseye and Ubuntu Bionic/Focal/Jammy. However, I recently tried to install it on Raspbian arm32 and it failed.
The problem is that the pathname of the nsswitch libraries is constructed differently than on the other platforms. In other words, the piece meal assembly of the library path using uname -m is not matching what's present in the file-system.
#!/bin/bash -eu
U=chroot_user
UHOME=/home/$U
ARCH=$(uname -m)
function add_executable () {
FROM="$1"; shift
TO="$(basename $FROM)"
if [ $# -ge 1 ]; then
TO=$1; shift
fi
cp "$FROM" "$UHOME/bin/$TO"
ldd "$FROM" | grep "=> /" | awk '{print $3}' | xargs -I '{}' cp '{}' $UHOME/lib/
LIBNAME="ld-linux-$(echo $ARCH | tr '_' '-').so*"
if compgen -G "/lib64/${LIBNAME}" > /dev/null; then
cp /lib64/${LIBNAME} $UHOME/lib64/
elif compgen -G "/lib/${LIBNAME}" > /dev/null; then
cp /lib/${LIBNAME} $UHOME/lib/
fi
}
if [ "$1" = "configure" ]; then
# Create a system user that has restricted bash as its login shell.
IS_USER=$(grep $U /etc/passwd || true)
if [ ! -z "$IS_USER" ]; then
killall -u $U || true
userdel -f $U > /dev/null 2>&1 || true
fi
adduser --system --home ${UHOME} --no-create-home --group --shell /bin/rbash ${U}
# Create a clean usable chroot
rm -rf $UHOME
mkdir -p $UHOME
mkdir -p $UHOME/dev/
mknod -m 666 $UHOME/dev/null c 1 3
mknod -m 666 $UHOME/dev/tty c 5 0
mknod -m 666 $UHOME/dev/zero c 1 5
mknod -m 666 $UHOME/dev/random c 1 8
mknod -m 644 $UHOME/dev/urandom c 1 9
chown root:root $UHOME
chmod 0755 $UHOME
mkdir -p $UHOME/bin
mkdir -p $UHOME/etc
mkdir -p $UHOME/lib
mkdir -p $UHOME/usr
cd $UHOME/usr
ln -s ../bin bin
cd - > /dev/null
cd $UHOME
ln -s lib lib64
cd - > /dev/null
mkdir $UHOME/lib/${ARCH}-linux-gnu
cp /lib/${ARCH}-linux-gnu/libnss* $UHOME/lib/${ARCH}-linux-gnu
cat <<EOT>$UHOME/etc/nsswitch.conf
passwd: files
group: files
EOT
chmod 0444 $UHOME/etc/nsswitch.conf
echo "127.0.0.1 localhost" > $UHOME/etc/hosts
chmod 0444 $UHOME/etc/hosts
if [ -d /etc/terminfo/ ]; then
cp -R /etc/terminfo $UHOME/etc
fi
if [ -d /lib/terminfo/ ]; then
cp -R /lib/terminfo $UHOME/lib
fi
# Add restricted bash and ssh/scp executables into the chroot. There is no
# need for any other executable.
add_executable /bin/bash rbash
add_executable /usr/bin/ssh
add_executable /usr/bin/scp
add_executable /bin/date
add_executable /bin/ls
add_executable /bin/rm
add_executable /bin/mv
add_executable /bin/cp
grep $U /etc/passwd > $UHOME/etc/passwd
grep $U /etc/group > $UHOME/etc/group
mkdir -p $UHOME/.ssh
chmod 700 $UHOME/.ssh
chown -R $U:$U $UHOME/.ssh
# When using SSH to get out of the jail onto localhost machine, we don't want
# to be constantly told about fingerprints and permanently added hosts
mkdir -p $UHOME/home/$U/.ssh
chmod 0700 $UHOME/home/$U/.ssh
chown -R $U:$U $UHOME/home/$U
fi
#DEBHELPER#
exit 0
# vim: set ts=2 sw=2 tw=0 et :
Not in the expected location ... well, more like: the architecture type in uname's output doesn't match the directory name you want to construct ...
But you could find the directory in a different way, since you're on apt based distros.
dpkg -L libnss3 | awk '/libnss3.so/{gsub(/\/libnss3.so/,"",$0);print}'
This worked for me on both Ubuntu 20.04 and Raspbian GNU/Linux 10 (buster)
Raspbian:
$ dpkg -L libnss3 | awk '/libnss3.so/{gsub(/\/libnss3.so/,"",$0);print}'
/usr/lib/arm-linux-gnueabihf
Ubuntu:
$ dpkg -L libnss3 | awk '/libnss3.so/{gsub(/\/libnss3.so/,"",$0);print}'
/usr/lib/x86_64-linux-gnu
We give the upmost permission to a file or directory, using this command:
sudo chmod -R 777 directory
Now I want to know if this command is already executed for a given directory.
I know I can use -r for read, -w for write, and -x for execution, in [ test ] blocks.
But I want to know two things:
Is it also a directory?
Does it have those permissions for everyone?
How can I get that info?
Update
Based on #Barmar comment, I came up with this. But it's not working:
if [ stat /Temp | grep -oP "(?<=Access: \()[^)]*" == '' ]; then
echo '/Temp folder has full access'
else
sudo chmod -R 777 /Temp
fi
This command works though:
stat /Temp | grep -oP "(?<=Access: \()[^)]*"
# prints => 0777/drwxrwxrwx
How should I fix the syntax error of my if-else statement?
You don't need to process the output of stat with grep; you can ask stat to only produce the specific information you want. See the man page regarding the --format option. We can for example write:
# ask stat for the file type and mode, and put those values into $1
# and $2
set -- $(stat --format '%F %a' /Temp)
if [[ $1 == directory ]]; then
if [[ $2 == 777 ]]; then
echo "/Temp folder has full access"
else
sudo chmod -R 777 /Temp
fi
else
echo "ERROR: /Temp is not a directory!" >&2
fi
A simple example:
#!/bin/bash
function setfullperm(){
[ -d $1 ] && \
(
[ "$(stat --format '%a' $1)" == "777" ] && \
echo "Full permissions are applied." || \
( echo "Setting full permissions" && sudo chmod -R 777 $1 )
) || \
( echo "$1 is not a directory !" && mkdir $1 && setfullperm $1 )
}
export setfullperm
Source the script:
$ source example.sh
Set full permissions (777) on any directory, it tests if the directory exists in the first place, if not it will create it and set the permissions.
It will export the function setfullperm to the shell so you can run it:
>$ setfullperm ali
ali is not a directory !
mkdir: created directory 'ali'
Setting full permissions
>$ setfullperm ali
Full permissions are applied.
If using zsh (But not other shells), you can do it with just a glob pattern:
setopt extended_glob null_glob
if [[ -n /Temp(#q/f777) ]]; then
echo '/Temp folder has full access'
else
sudo chmod -R 777 /Temp
fi
The pattern /Temp(#q/f777) will, with the null_glob and extended_glob options set, expand to an empty string if /Temp is anything but a directory with the exact octal permissions 0777 (And to /Temp if the criteria are met). For more details, see Glob Qualifiers in the zsh manual.
I don't recommend using stat for this. Though widespread, stat isn't POSIX, which means there's no guarantee that your script will work in the future or work on other platforms. If you're writing scripts for a production environment, I'd urge you to consider a different approach.
You're better off using ls(1)'s -l option and passing the file as an argument. From there you can use cut(1)'s -c option to grab the file mode flags.
Get file type:
ls -l <file> | cut -c1
Also, don't forget about test's -d operator, which tests if a file is a directory.
Get owner permissions:
ls -l <file> | cut -c2-4
and so on.
This approach is POSIX compliant and it avoids the shortcomings of using stat.
I would like to check if the user has sudo privileges. This is an approximate example of what I am trying to do. I am trying to get this to work across the following os: centos, ubuntu, arch.
if userIsSudo; then
chsh -s $(which zsh)
fi
Try with this:
$ sudo -v &> /dev/null && echo "Sudoer" || echo "Not sudoer"
Also, IDK how secure will be searching for his membership in the sudo group, i.e:
$ groups "$(id -un)" \
| grep -q ' sudo ' \
&& echo In sudo group \
|| echo Not in sudo group
Or:
$ getent group sudo \
| grep -qE "(:|,)$(id -un)(,|$)" \
&& echo in sudo group \
|| echo not in sudo group
sudo -l will display the commands that the user can run with sudo privileges. If there are no commands that can be run, sudo -l will return an error code and so you could try:
sudo -l && chsh -s $(which zsh)
Usually when you run an script you want to know if end it well or you got an error or what kind of error you got if there was any.
This is a more elaborated snippet, sudoer-script.sh:
## Define error code
E_NOTROOT=87 # Non-root exit error.
## check if is sudoer
if ! $(sudo -l &> /dev/null); then
echo 'Error: root privileges are needed to run this script'
exit $E_NOTROOT
fi
## do something else you
## means it was successfully executed
exit 0
Now you can reuse your script, pipe it or concatenate with other commands
sudoer-script.sh && ls
## in a script
if $(sudoer-script.sh); then
echo 'success'
fi
## capture error
stderr=$(./sudoer-script.sh 2>&1 >/dev/null)
echo $stderr
As a function:
is_sudoer() {
## Define error code
E_NOTROOT=87 # Non-root exit error.
## check if is sudoer
if ! $(sudo -l &> /dev/null); then
echo 'Error: root privileges are needed to run this script'
return $E_NOTROOT
fi
return 0
}
if is_sudoer; then
echo "Sudoer"
else
echo "Not sudoer"
fi
I wrote a bash script which should move a file to remote server.
this is my code:
#!/bin/sh
# ensure running as root
if [ "$(id -u)" != "0" ]; then
exec sudo "$0" "$#"
fi
cat <<EOF > /etc/name.txt
EOF
sshpass -p 'password' scp -r /etc/name.txt root#192.168.1.50:/etc/name.txt
when I run this script under root user it works perfectly. but when I run this script under non-root user the scp part doesn't work. when I check $UID after this part:
if [ "$(id -u)" != "0" ]; then
exec sudo "$0" "$#"
fi
it shows 0 and $USER is root which means user changed to root but I don't know why it's not working. Any help?
I wanted to make this Script kinda Secure, so it cannot be direct exploited.
I have a Bash file called Test.sh, I gave a User Sudo rights on it:
user ALL=(root) NOPASSWD: /home/user/Test.sh
So the User has full Sudo permission to this file.
Next Step was to ensure that the User cannot edit this file with:
chown root:root /home/user/Test.sh
chmod u=rwx,g=rwx,o=rx /home/user/Test.sh
The File for example contains this Command
if [ "$1" = "run" ]; then
sudo -u ${2} ${3};
fi
OR
`sudo cp -R /home/test/test/${2}/* /home/${3}/test/
useradd ${2} -r -d /home/${2} -s /bin/bash
userdel -r ${2}
Basically the User could even Login as root and fuck things up.
So my first thought was, lets check if the Home folder exists like that:
if [ -d "/home/$2" ] && [ "$2" != "" ]; then
Which would prevent such things like run crap as root and only let them log into th other users like i want. Or do i think wrong?
I would also check that the Command begins with /home/....
grep '^/home/....' $3
So, is that enought? or Not? I guess I should filter also ;