From 8023aae738606f70bb06bd28cf11d92301b870fe Mon Sep 17 00:00:00 2001
From: Trenton Holmes
Date: Tue, 25 Oct 2022 09:19:07 -0700
Subject: [PATCH] Adds local and readonly to almost everything. Fully qualifies the path to binaries
---
 docker/docker-entrypoint.sh | 30 +++++++++++++++---------------
 docker/docker-prepare.sh | 28 ++++++++++++++--------------
 2 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
index 2a0269e73..d1107feca 100755
--- a/docker/docker-entrypoint.sh
+++ b/docker/docker-entrypoint.sh
@@ -9,8 +9,8 @@ set -e
 # fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's
 # secrets feature
 file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
+ local -r var="$1"
+ local -r fileVar="${var}_FILE"
 # Basic validation
 if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
@@ -35,14 +35,14 @@ file_env() {
 # Source: https://github.com/sameersbn/docker-gitlab/
 map_uidgid() {
- USERMAP_ORIG_UID=$(id -u paperless)
- USERMAP_ORIG_GID=$(id -g paperless)
- USERMAP_NEW_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}
- USERMAP_NEW_GID=${USERMAP_GID:-${USERMAP_ORIG_GID:-$USERMAP_NEW_UID}}
- if [[ ${USERMAP_NEW_UID} != "${USERMAP_ORIG_UID}" || ${USERMAP_NEW_GID} != "${USERMAP_ORIG_GID}" ]]; then
- echo "Mapping UID and GID for paperless:paperless to $USERMAP_NEW_UID:$USERMAP_NEW_GID"
- usermod -o -u "${USERMAP_NEW_UID}" paperless
- groupmod -o -g "${USERMAP_NEW_GID}" paperless
+ local -r usermap_original_uid=$(id -u paperless)
+ local -r usermap_original_gid=$(id -g paperless)
+ local -r usermap_new_uid=${USERMAP_UID:-$usermap_original_uid}
+ local -r usermap_new_gid=${USERMAP_GID:-${usermap_original_gid:-$usermap_new_uid}}
+ if [[ ${usermap_new_uid} != "${usermap_original_uid}" || ${usermap_new_gid} != "${usermap_original_gid}" ]]; then
+ echo "Mapping UID and GID for paperless:paperless to $usermap_new_uid:$usermap_new_gid"
+ usermod -o -u "${usermap_new_uid}" paperless
+ groupmod -o -g "${usermap_new_gid}" paperless
 fi
 }
@@ -55,8 +55,8 @@ map_folders() {
 nltk_data () {
 # Store the NLTK data outside the Docker container
- local nltk_data_dir="${DATA_DIR}/nltk"
- readonly truthy_things=("yes y 1 t true")
+ local -r nltk_data_dir="${DATA_DIR}/nltk"
+ local -r truthy_things=("yes y 1 t true")
 # If not set, or it looks truthy
 if [[ -z "${PAPERLESS_ENABLE_NLTK}" ]] || [[ "${truthy_things[*]}" =~ ${PAPERLESS_ENABLE_NLTK,} ]]; then
@@ -100,7 +100,7 @@ initialize() {
 # Check for overrides of certain folders
 map_folders
- local export_dir="/usr/src/paperless/export"
+ local -r export_dir="/usr/src/paperless/export"
 for dir in \
 "${export_dir}" \
@@ -113,7 +113,7 @@ initialize() {
 fi
 done
- local tmp_dir="/tmp/paperless"
+ local -r tmp_dir="/tmp/paperless"
 echo "Creating directory ${tmp_dir}"
 mkdir -p "${tmp_dir}"
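Review bot: `local -r usermap_original_uid=$(id -u paperless)` and the `_gid` line right after it fold the command substitution into the `local` declaration, so the status `local` reports is its own (success) and a failing `id` lookup is invisible to `set -e`; the function then continues with an empty original uid/gid instead of stopping (ShellCheck SC2155). Declare first and assign separately: `local usermap_original_uid usermap_original_gid`, `usermap_original_uid=$(id -u paperless)`, `usermap_original_gid=$(id -g paperless)`, followed by `readonly usermap_original_uid usermap_original_gid` if the read-only attribute is still wanted. The same pattern does not apply to the `usermap_new_*` lines, which only expand parameters.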
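Review bot: `local -r truthy_things=("yes y 1 t true")` declares an array with a single element, the whole quoted string, so `"${truthy_things[*]}"` on the hunk's last line is just that string and the unquoted right-hand side of `=~` makes the test a regex/substring match of the user's value against it: `PAPERLESS_ENABLE_NLTK=e` or `=.` is accepted as truthy, and `${PAPERLESS_ENABLE_NLTK,}` lowercases only the first character, so `TRUE` is not. An exact match avoids both surprises: `local -r truthy_things=(yes y 1 t true)` together with `case "${PAPERLESS_ENABLE_NLTK,,}" in yes|y|1|t|true) …` (or `[[ " ${truthy_things[*]} " == *" ${PAPERLESS_ENABLE_NLTK,,} "* ]]`). The body of nltk_data continues past the end of the hunk.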
@@ -137,7 +137,7 @@ initialize() {
 install_languages() {
 echo "Installing languages..."
- local langs="$1"
+ local -r langs="$1"
 read -ra langs <<<"$langs"
 # Check that it is not empty
diff --git a/docker/docker-prepare.sh b/docker/docker-prepare.sh
index 5904f674c..92c9d1f15 100755
--- a/docker/docker-prepare.sh
+++ b/docker/docker-prepare.sh
@@ -4,12 +4,12 @@ set -e
 wait_for_postgres() {
 local attempt_num=1
- local max_attempts=5
+ local -r max_attempts=5
 echo "Waiting for PostgreSQL to start..."
- local host="${PAPERLESS_DBHOST:-localhost}"
- local port="${PAPERLESS_DBPORT:-5432}"
+ local -r host="${PAPERLESS_DBHOST:-localhost}"
+ local -r port="${PAPERLESS_DBPORT:-5432}"
 # Disable warning, host and port can't have spaces
 # shellcheck disable=SC2086
@@ -31,11 +31,11 @@ wait_for_postgres() {
 wait_for_mariadb() {
 echo "Waiting for MariaDB to start..."
- host="${PAPERLESS_DBHOST:=localhost}"
- port="${PAPERLESS_DBPORT:=3306}"
+ local -r host="${PAPERLESS_DBHOST:=localhost}"
+ local -r port="${PAPERLESS_DBPORT:=3306}"
- attempt_num=1
- max_attempts=5
+ local attempt_num=1
+ local -r max_attempts=5
 while ! true > /dev/tcp/$host/$port; do
@@ -73,8 +73,8 @@ migrations() {
 search_index() {
- local index_version=1
- local index_version_file=${DATA_DIR}/.index_version
+ local -r index_version=1
+ local -r index_version_file=${DATA_DIR}/.index_version
 if [[ (! -f "${index_version_file}") || $(<"${index_version_file}") != "$index_version" ]]; then
 echo "Search index out of date. Updating..."
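Review bot: `local -r langs="$1"` makes `langs` read-only, but the unchanged next line `read -ra langs <<<"$langs"` assigns to that same variable; bash refuses the assignment (`read: langs: readonly variable`), `read` exits non-zero, and with `set -e` in effect the script aborts the first time install_languages is called. Either keep `local langs="$1"` on this line, or read into a differently named array: `local -r lang_list="$1"`, `local -a langs`, `read -ra langs <<<"$lang_list"`. The remainder of install_languages is outside the hunk.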
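Review bot: `local -r host="${PAPERLESS_DBHOST:=localhost}"` and the `port` line below it keep the `:=` form, which writes the default back into `PAPERLESS_DBHOST`/`PAPERLESS_DBPORT` as a side effect outside the function, while wait_for_postgres in the hunk above uses `:-` and leaves those variables alone. Unless later code depends on the globals having been filled in (nothing in the hunk shows that), `local -r host="${PAPERLESS_DBHOST:-localhost}"` and `local -r port="${PAPERLESS_DBPORT:-3306}"` make the two functions behave the same way. The `while ! true > /dev/tcp/$host/$port; do` context line also leaves both expansions unquoted; `"$host"`/`"$port"` costs nothing and avoids a ShellCheck disable like the one wait_for_postgres carries.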
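Review bot: `local -r index_version_file=${DATA_DIR}/.index_version` silently resolves to `/.index_version` when `DATA_DIR` is unset or empty; the file runs under `set -e` but not `set -u`, so the following `$(<"${index_version_file}")` read and the "Search index out of date" path simply operate on the wrong location. `local -r index_version_file="${DATA_DIR:?DATA_DIR must be set}/.index_version"` turns that into an explicit failure. The rest of search_index lies outside the hunk.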
@@ -92,31 +92,31 @@ superuser() {
 custom_container_init() {
 # Mostly borrowed from the LinuxServer.io base image
 # https://github.com/linuxserver/docker-baseimage-ubuntu/tree/bionic/root/etc/cont-init.d
- readonly custom_script_dir="/custom-cont-init.d"
+ local -r custom_script_dir="/custom-cont-init.d"
 # Tamper checking.
 # Don't run files which are owned by anyone except root
 # Don't run files which are writeable by others
 if [ -d "${custom_script_dir}" ]; then
- if [ -n "$(find "${custom_script_dir}" ! -user root)" ]; then
+ if [ -n "$(/usr/bin/find "${custom_script_dir}" ! -user root)" ]; then
 echo "**** Potential tampering with custom scripts detected ****"
 echo "**** The folder '${custom_script_dir}' must be owned by root ****"
 return 0
 fi
- if [ -n "$(find "${custom_script_dir}" -perm -o+w)" ]; then
+ if [ -n "$(/usr/bin/find "${custom_script_dir}" -perm -o+w)" ]; then
 echo "**** The folder '${custom_script_dir}' or some of contents have write permissions for others, which is a security risk. ****"
 echo "**** Please review the permissions and their contents to make sure they are owned by root, and can only be modified by root. ****"
 return 0
 fi
 # Make sure custom init directory has files in it
- if [ -n "$(/bin/ls -A "${custom_script_dir}" 2>/dev/null)" ]; then
+ if [ -n "$(/usr/bin/ls -A "${custom_script_dir}" 2>/dev/null)" ]; then
 echo "[custom-init] files found in ${custom_script_dir} executing"
 # Loop over files in the directory
 for SCRIPT in "${custom_script_dir}"/*; do
 NAME="$(basename "${SCRIPT}")"
 if [ -f "${SCRIPT}" ]; then
 echo "[custom-init] ${NAME}: executing..."
- /bin/bash "${SCRIPT}"
+ /usr/bin/bash "${SCRIPT}"
 echo "[custom-init] ${NAME}: exited $?"
 elif [ ! -f "${SCRIPT}" ]; then
 echo "[custom-init] ${NAME}: is not a file"
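Review bot: The move from `/bin/ls` and `/bin/bash` to `/usr/bin/ls` and `/usr/bin/bash` in this hunk presumably assumes a merged-/usr base image; on a Debian or Ubuntu rootfs that has not merged /usr, coreutils and bash install only under /bin, so both calls would fail with "No such file or directory" and the custom scripts would silently never run — worth confirming against the image the Dockerfile builds from (`/usr/bin/find` is unaffected, findutils lives there either way). Separately, the two `/usr/bin/find` tamper checks on the new side cover ownership and other-writable bits only: `-perm -o+w` does not flag group-writable entries, and since `find` does not follow symlinks a root-owned link pointing at a file elsewhere passes both checks while the later `[ -f "${SCRIPT}" ]` and `/usr/bin/bash "${SCRIPT}"` do follow it. A single check such as `/usr/bin/find -L "${custom_script_dir}" \( ! -user root -o -perm /g+w,o+w \)`, or rejecting `-type l` entries outright, would close both gaps. The enclosing `if`/`for` and custom_container_init itself continue past the end of the hunk.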