discourse
/
discourse_docker
mirror of https://github.com/discourse/discourse_docker.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

DEV: Ensure secure file permissions by default (#627) 

`discourse-setup` will now ensure container definitions are
installed with `0600` permissions mode only.

`launcher` will now throw a warning when an existing container
definition is world-readable.

Also clean up leftover `launcher setup` logic which no longer exists.
Merge pre-existing logic into `check_prereqs` function.
This commit is contained in:
Gabe Pacuilla 2022-05-03 11:54:24 -04:00 committed by GitHub
parent 165ede9719
commit 241a42ce71
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
discourse-setup
View File

@ -884,7 +884,7 @@ then
DATE=`date +"%Y-%m-%d-%H%M%S"` DATE=`date +"%Y-%m-%d-%H%M%S"`
BACKUP=$app_name.yml.$DATE.bak BACKUP=$app_name.yml.$DATE.bak
echo Saving old file as $BACKUP echo Saving old file as $BACKUP
cp $web_file containers/$BACKUP install -m0600 $web_file containers/$BACKUP
if [ "$DEBUG" != "1" ] if [ "$DEBUG" != "1" ]
then then
echo "Stopping existing container in 5 seconds or Control-C to cancel." echo "Stopping existing container in 5 seconds or Control-C to cancel."
@ -902,7 +902,7 @@ else
then then
check_ports check_ports
fi fi
cp -v $web_template $web_file install -v -m0600 $web_template $web_file
if [ "$data_name" == "data" ] if [ "$data_name" == "data" ]
then then
echo "--------------------------------------------------" echo "--------------------------------------------------"
@ -918,7 +918,7 @@ else
echo "Problem changing DISCOURSE_DB_PASSWORD" in $web_file echo "Problem changing DISCOURSE_DB_PASSWORD" in $web_file
fi fi
cp -v $data_template $data_file install -v -m0600 $data_template $data_file
quote=\' quote=\'
sed -i -e "s/password ${quote}SOME_SECRET${quote}/password '$DISCOURSE_DB_PASSWORD'/w $changelog" $data_file sed -i -e "s/password ${quote}SOME_SECRET${quote}/password '$DISCOURSE_DB_PASSWORD'/w $changelog" $data_file
if [ -s $changelog ] if [ -s $changelog ]

19
launcher
View File

@ -278,6 +278,16 @@ check_prereqs() {
fi fi
exit 1 exit 1
fi fi
# 8. container definition file is accessible and is not insecure (world-readable)
if [[ ! -e "$config_file" || ! -r "$config_file" ]]; then
echo "ERROR: $config_file does not exist or is not readable."
echo
echo "Available configs ( `cd containers && ls -dm *.yml | tr -s '\n' ' ' | awk '{ gsub(/\.yml/, ""); print }'`)"
exit 1
elif [[ "$(find $config_file -perm -004)" ]]; then
echo "WARNING: $config_file file is world-readable. You can secure this file by running: chmod o-rwx $config_file"
fi
} }
@ -486,15 +496,6 @@ fi
exit 0 exit 0
} }
if [ ! "$command" == "setup" ]; then
if [[ ! -e $config_file ]]; then
echo "Config file was not found, ensure $config_file exists"
echo
echo "Available configs ( `cd containers && ls -dm *.yml | tr -s '\n' ' ' | awk '{ gsub(/\.yml/, ""); print }'`)"
exit 1
fi
fi
docker_version=($($docker_path --version)) docker_version=($($docker_path --version))
docker_version=${test[2]//,/} docker_version=${test[2]//,/}
restart_policy=${restart_policy:---restart=always} restart_policy=${restart_policy:---restart=always}