Adds local and readonly to almost everything. Fully qualifies the path to binaries

docker/docker-entrypoint.sh

@@ -9,8 +9,8 @@ set -e
 # fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's
 # secrets feature
 file_env() {
-	local var="$1"
+	local -r var="$1"
-	local fileVar="${var}_FILE"
+	local -r fileVar="${var}_FILE"
 
 	# Basic validation
 	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
@@ -35,14 +35,14 @@ file_env() {
 
 # Source: https://github.com/sameersbn/docker-gitlab/
 map_uidgid() {
-	USERMAP_ORIG_UID=$(id -u paperless)
+	local -r usermap_original_uid=$(id -u paperless)
-	USERMAP_ORIG_GID=$(id -g paperless)
+	local -r usermap_original_gid=$(id -g paperless)
-	USERMAP_NEW_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}
+	local -r usermap_new_uid=${USERMAP_UID:-$usermap_original_uid}
-	USERMAP_NEW_GID=${USERMAP_GID:-${USERMAP_ORIG_GID:-$USERMAP_NEW_UID}}
+	local -r usermap_new_gid=${USERMAP_GID:-${usermap_original_gid:-$usermap_new_uid}}
-	if [[ ${USERMAP_NEW_UID} != "${USERMAP_ORIG_UID}" || ${USERMAP_NEW_GID} != "${USERMAP_ORIG_GID}" ]]; then
+	if [[ ${usermap_new_uid} != "${usermap_original_uid}" || ${usermap_new_gid} != "${usermap_original_gid}" ]]; then
-		echo "Mapping UID and GID for paperless:paperless to $USERMAP_NEW_UID:$USERMAP_NEW_GID"
+		echo "Mapping UID and GID for paperless:paperless to $usermap_new_uid:$usermap_new_gid"
-		usermod -o -u "${USERMAP_NEW_UID}" paperless
+		usermod -o -u "${usermap_new_uid}" paperless
-		groupmod -o -g "${USERMAP_NEW_GID}" paperless
+		groupmod -o -g "${usermap_new_gid}" paperless
 	fi
 }
 
@@ -55,8 +55,8 @@ map_folders() {
 
 nltk_data () {
 	# Store the NLTK data outside the Docker container
-	local nltk_data_dir="${DATA_DIR}/nltk"
+	local -r nltk_data_dir="${DATA_DIR}/nltk"
-	readonly truthy_things=("yes y 1 t true")
+	local -r truthy_things=("yes y 1 t true")
 
 	# If not set, or it looks truthy
 	if [[ -z "${PAPERLESS_ENABLE_NLTK}" ]] || [[ "${truthy_things[*]}" =~ ${PAPERLESS_ENABLE_NLTK,} ]]; then
@@ -100,7 +100,7 @@ initialize() {
 	# Check for overrides of certain folders
 	map_folders
 
-	local export_dir="/usr/src/paperless/export"
+	local -r export_dir="/usr/src/paperless/export"
 
 	for dir in \
 		"${export_dir}" \
@@ -113,7 +113,7 @@ initialize() {
 		fi
 	done
 
-	local tmp_dir="/tmp/paperless"
+	local -r tmp_dir="/tmp/paperless"
 	echo "Creating directory ${tmp_dir}"
 	mkdir -p "${tmp_dir}"
 
@@ -137,7 +137,7 @@ initialize() {
 install_languages() {
 	echo "Installing languages..."
 
-	local langs="$1"
+	local -r langs="$1"
 	read -ra langs <<<"$langs"
 
 	# Check that it is not empty

docker/docker-prepare.sh

@@ -4,12 +4,12 @@ set -e
 
 wait_for_postgres() {
 	local attempt_num=1
-	local max_attempts=5
+	local -r max_attempts=5
 
 	echo "Waiting for PostgreSQL to start..."
 
-	local host="${PAPERLESS_DBHOST:-localhost}"
+	local -r host="${PAPERLESS_DBHOST:-localhost}"
-	local port="${PAPERLESS_DBPORT:-5432}"
+	local -r port="${PAPERLESS_DBPORT:-5432}"
 
 	# Disable warning, host and port can't have spaces
 	# shellcheck disable=SC2086
@@ -31,11 +31,11 @@ wait_for_postgres() {
 wait_for_mariadb() {
 	echo "Waiting for MariaDB to start..."
 
-	host="${PAPERLESS_DBHOST:=localhost}"
+	local -r host="${PAPERLESS_DBHOST:=localhost}"
-	port="${PAPERLESS_DBPORT:=3306}"
+	local -r port="${PAPERLESS_DBPORT:=3306}"
 
-	attempt_num=1
+	local attempt_num=1
-	max_attempts=5
+	local -r max_attempts=5
 
 	while ! true > /dev/tcp/$host/$port; do
 
@@ -73,8 +73,8 @@ migrations() {
 
 search_index() {
 
-	local index_version=1
+	local -r index_version=1
-	local index_version_file=${DATA_DIR}/.index_version
+	local -r index_version_file=${DATA_DIR}/.index_version
 
 	if [[ (! -f "${index_version_file}") || $(<"${index_version_file}") != "$index_version" ]]; then
 		echo "Search index out of date. Updating..."
@@ -92,31 +92,31 @@ superuser() {
 custom_container_init() {
 	# Mostly borrowed from the LinuxServer.io base image
 	# https://github.com/linuxserver/docker-baseimage-ubuntu/tree/bionic/root/etc/cont-init.d
-	readonly custom_script_dir="/custom-cont-init.d"
+	local -r custom_script_dir="/custom-cont-init.d"
 	# Tamper checking.
 	# Don't run files which are owned by anyone except root
 	# Don't run files which are writeable by others
 	if [ -d "${custom_script_dir}" ]; then
-		if [ -n "$(find "${custom_script_dir}" ! -user root)" ]; then
+		if [ -n "$(/usr/bin/find "${custom_script_dir}" ! -user root)" ]; then
 			echo "**** Potential tampering with custom scripts detected ****"
 			echo "**** The folder '${custom_script_dir}' must be owned by root ****"
 			return 0
 		fi
-		if [ -n "$(find "${custom_script_dir}" -perm -o+w)" ]; then
+		if [ -n "$(/usr/bin/find "${custom_script_dir}" -perm -o+w)" ]; then
 			echo "**** The folder '${custom_script_dir}' or some of contents have write permissions for others, which is a security risk. ****"
 			echo "**** Please review the permissions and their contents to make sure they are owned by root, and can only be modified by root. ****"
 			return 0
 		fi
 
 		# Make sure custom init directory has files in it
-		if [ -n "$(/bin/ls -A "${custom_script_dir}" 2>/dev/null)" ]; then
+		if [ -n "$(/usr/bin/ls -A "${custom_script_dir}" 2>/dev/null)" ]; then
 			echo "[custom-init] files found in ${custom_script_dir} executing"
 			# Loop over files in the directory
 			for SCRIPT in "${custom_script_dir}"/*; do
 				NAME="$(basename "${SCRIPT}")"
 				if [ -f "${SCRIPT}" ]; then
 					echo "[custom-init] ${NAME}: executing..."
-					/bin/bash "${SCRIPT}"
+					/usr/bin/bash "${SCRIPT}"
 					echo "[custom-init] ${NAME}: exited $?"
 				elif [ ! -f "${SCRIPT}" ]; then
 					echo "[custom-init] ${NAME}: is not a file"