Adds local and readonly to almost everything. Fully qualifies the path to binaries
This commit is contained in:

committed by
Trenton H

parent
0903a2a21e
commit
ed7b82ecc8
@@ -9,8 +9,8 @@ set -e
# fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's
# fill in the value of "$XYZ_DB_PASSWORD" from a file, especially for Docker's
# secrets feature
# secrets feature
file_env() {
file_env() {
local var="$1"
local -r var="$1"
local fileVar="${var}_FILE"
local -r fileVar="${var}_FILE"
# Basic validation
# Basic validation
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
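Review bot: `local -r fileVar="${var}_FILE"` keeps a camelCase name while the rest of this commit moves function locals to lower_snake_case (`usermap_original_uid`, `nltk_data_dir`, `export_dir`); renaming it `file_var` here, together with the `${!fileVar:-}` lookups below it, would make the file consistent with its own new convention. The `-r` additions themselves look correct, since neither variable is reassigned in the visible lines. file_env continues beyond the end of the hunk.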
@@ -35,14 +35,14 @@ file_env() {
# Source: https://github.com/sameersbn/docker-gitlab/
# Source: https://github.com/sameersbn/docker-gitlab/
map_uidgid() {
map_uidgid() {
USERMAP_ORIG_UID=$(id -u paperless)
local -r usermap_original_uid=$(id -u paperless)
USERMAP_ORIG_GID=$(id -g paperless)
local -r usermap_original_gid=$(id -g paperless)
USERMAP_NEW_UID=${USERMAP_UID:-$USERMAP_ORIG_UID}
local -r usermap_new_uid=${USERMAP_UID:-$usermap_original_uid}
USERMAP_NEW_GID=${USERMAP_GID:-${USERMAP_ORIG_GID:-$USERMAP_NEW_UID}}
local -r usermap_new_gid=${USERMAP_GID:-${usermap_original_gid:-$usermap_new_uid}}
if [[ ${USERMAP_NEW_UID} != "${USERMAP_ORIG_UID}" || ${USERMAP_NEW_GID} != "${USERMAP_ORIG_GID}" ]]; then
if [[ ${usermap_new_uid} != "${usermap_original_uid}" || ${usermap_new_gid} != "${usermap_original_gid}" ]]; then
echo "Mapping UID and GID for paperless:paperless to $USERMAP_NEW_UID:$USERMAP_NEW_GID"
echo "Mapping UID and GID for paperless:paperless to $usermap_new_uid:$usermap_new_gid"
usermod -o -u "${USERMAP_NEW_UID}" paperless
usermod -o -u "${usermap_new_uid}" paperless
groupmod -o -g "${USERMAP_NEW_GID}" paperless
groupmod -o -g "${usermap_new_gid}" paperless
fi
fi
}
}
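Review bot: `local -r usermap_original_uid=$(id -u paperless)` and the gid line below it fold a command substitution into the declaration, so a failing `id` is masked: the `local` itself returns 0, the variable is silently empty, and the `[[ ... != ... ]]` comparison then runs against an empty original id and calls `usermod`/`groupmod` with whatever fell through the defaults. Declare, assign with a check, then freeze: `local usermap_original_uid` / `usermap_original_uid=$(id -u paperless) || return 1` / `readonly usermap_original_uid`, and the same for the gid. Separately, `USERMAP_NEW_UID`/`USERMAP_NEW_GID` were globals before this hunk and are now function-local, so anything elsewhere in the script that read them after `map_uidgid` would now see them unset; that is worth a grep before merging.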
@@ -55,8 +55,8 @@ map_folders() {
nltk_data () {
nltk_data () {
# Store the NLTK data outside the Docker container
# Store the NLTK data outside the Docker container
local nltk_data_dir="${DATA_DIR}/nltk"
local -r nltk_data_dir="${DATA_DIR}/nltk"
readonly truthy_things=("yes y 1 t true")
local -r truthy_things=("yes y 1 t true")
# If not set, or it looks truthy
# If not set, or it looks truthy
if [[ -z "${PAPERLESS_ENABLE_NLTK}" ]] || [[ "${truthy_things[*]}" =~ ${PAPERLESS_ENABLE_NLTK,} ]]; then
if [[ -z "${PAPERLESS_ENABLE_NLTK}" ]] || [[ "${truthy_things[*]}" =~ ${PAPERLESS_ENABLE_NLTK,} ]]; then
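Review bot: `local -r truthy_things=("yes y 1 t true")` still builds a one-element array holding a single space-separated string, and the unchanged `=~` test below it matches `${PAPERLESS_ENABLE_NLTK,}` as an unanchored regex against that string, so any substring such as `e` or `ru` is accepted as truthy while `TRUE` is not (`${var,}` lowercases only the first character, giving `tRUE`). A list of separate words compared as whole tokens is closer to the evident intent: `local -r truthy_things=("yes" "y" "1" "t" "true")` / `if [[ -z "${PAPERLESS_ENABLE_NLTK}" || " ${truthy_things[*]} " == *" ${PAPERLESS_ENABLE_NLTK,,} "* ]]; then`. The remainder of nltk_data lies outside the hunk.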
@@ -100,7 +100,7 @@ initialize() {
# Check for overrides of certain folders
# Check for overrides of certain folders
map_folders
map_folders
local export_dir="/usr/src/paperless/export"
local -r export_dir="/usr/src/paperless/export"
for dir in \
for dir in \
"${export_dir}" \
"${export_dir}" \
@@ -113,7 +113,7 @@ initialize() {
fi
fi
done
done
local tmp_dir="/tmp/paperless"
local -r tmp_dir="/tmp/paperless"
echo "Creating directory ${tmp_dir}"
echo "Creating directory ${tmp_dir}"
mkdir -p "${tmp_dir}"
mkdir -p "${tmp_dir}"
@@ -137,7 +137,7 @@ initialize() {
install_languages() {
install_languages() {
echo "Installing languages..."
echo "Installing languages..."
local langs="$1"
local -r langs="$1"
read -ra langs <<<"$langs"
read -ra langs <<<"$langs"
# Check that it is not empty
# Check that it is not empty
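Review bot: `local -r langs="$1"` makes `langs` read-only, but the unchanged next line `read -ra langs <<<"$langs"` assigns to that same variable, so `read` now fails with a readonly-variable error, and because the file runs under `set -e` (visible in the hunk header) install_languages aborts before installing anything. Either drop `-r` on that line or keep the string and the array apart: `local -a langs` / `read -ra langs <<<"$1"`. The rest of install_languages, including the emptiness check, is outside the hunk.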
@@ -4,12 +4,12 @@ set -e
wait_for_postgres() {
wait_for_postgres() {
local attempt_num=1
local attempt_num=1
local max_attempts=5
local -r max_attempts=5
echo "Waiting for PostgreSQL to start..."
echo "Waiting for PostgreSQL to start..."
local host="${PAPERLESS_DBHOST:-localhost}"
local -r host="${PAPERLESS_DBHOST:-localhost}"
local port="${PAPERLESS_DBPORT:-5432}"
local -r port="${PAPERLESS_DBPORT:-5432}"
# Disable warning, host and port can't have spaces
# Disable warning, host and port can't have spaces
# shellcheck disable=SC2086
# shellcheck disable=SC2086
@@ -31,11 +31,11 @@ wait_for_postgres() {
wait_for_mariadb() {
wait_for_mariadb() {
echo "Waiting for MariaDB to start..."
echo "Waiting for MariaDB to start..."
host="${PAPERLESS_DBHOST:=localhost}"
local -r host="${PAPERLESS_DBHOST:=localhost}"
port="${PAPERLESS_DBPORT:=3306}"
local -r port="${PAPERLESS_DBPORT:=3306}"
attempt_num=1
local attempt_num=1
max_attempts=5
local -r max_attempts=5
while ! true > /dev/tcp/$host/$port; do
while ! true > /dev/tcp/$host/$port; do
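Review bot: `local -r host="${PAPERLESS_DBHOST:=localhost}"` and the port line below it keep the `:=` form, which writes the default back into `PAPERLESS_DBHOST`/`PAPERLESS_DBPORT` as a side effect, whereas the sibling wait_for_postgres hunk above uses `:-` and leaves the environment alone; now that the result is a local, the global assignment reads as accidental. Using the same form in both functions keeps them consistent: `local -r host="${PAPERLESS_DBHOST:-localhost}"` / `local -r port="${PAPERLESS_DBPORT:-3306}"`. If something later in the script relies on those variables having been defaulted here, that dependency should be stated explicitly rather than left to the expansion operator. The `while` loop body continues outside the hunk.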
@@ -73,8 +73,8 @@ migrations() {
search_index() {
search_index() {
local index_version=1
local -r index_version=1
local index_version_file=${DATA_DIR}/.index_version
local -r index_version_file=${DATA_DIR}/.index_version
if [[ (! -f "${index_version_file}") || $(<"${index_version_file}") != "$index_version" ]]; then
if [[ (! -f "${index_version_file}") || $(<"${index_version_file}") != "$index_version" ]]; then
echo "Search index out of date. Updating..."
echo "Search index out of date. Updating..."
@@ -92,31 +92,31 @@ superuser() {
custom_container_init() {
custom_container_init() {
# Mostly borrowed from the LinuxServer.io base image
# Mostly borrowed from the LinuxServer.io base image
# https://github.com/linuxserver/docker-baseimage-ubuntu/tree/bionic/root/etc/cont-init.d
# https://github.com/linuxserver/docker-baseimage-ubuntu/tree/bionic/root/etc/cont-init.d
readonly custom_script_dir="/custom-cont-init.d"
local -r custom_script_dir="/custom-cont-init.d"
# Tamper checking.
# Tamper checking.
# Don't run files which are owned by anyone except root
# Don't run files which are owned by anyone except root
# Don't run files which are writeable by others
# Don't run files which are writeable by others
if [ -d "${custom_script_dir}" ]; then
if [ -d "${custom_script_dir}" ]; then
if [ -n "$(find "${custom_script_dir}" ! -user root)" ]; then
if [ -n "$(/usr/bin/find "${custom_script_dir}" ! -user root)" ]; then
echo "**** Potential tampering with custom scripts detected ****"
echo "**** Potential tampering with custom scripts detected ****"
echo "**** The folder '${custom_script_dir}' must be owned by root ****"
echo "**** The folder '${custom_script_dir}' must be owned by root ****"
return 0
return 0
fi
fi
if [ -n "$(find "${custom_script_dir}" -perm -o+w)" ]; then
if [ -n "$(/usr/bin/find "${custom_script_dir}" -perm -o+w)" ]; then
echo "**** The folder '${custom_script_dir}' or some of contents have write permissions for others, which is a security risk. ****"
echo "**** The folder '${custom_script_dir}' or some of contents have write permissions for others, which is a security risk. ****"
echo "**** Please review the permissions and their contents to make sure they are owned by root, and can only be modified by root. ****"
echo "**** Please review the permissions and their contents to make sure they are owned by root, and can only be modified by root. ****"
return 0
return 0
fi
fi
# Make sure custom init directory has files in it
# Make sure custom init directory has files in it
if [ -n "$(/bin/ls -A "${custom_script_dir}" 2>/dev/null)" ]; then
if [ -n "$(/usr/bin/ls -A "${custom_script_dir}" 2>/dev/null)" ]; then
echo "[custom-init] files found in ${custom_script_dir} executing"
echo "[custom-init] files found in ${custom_script_dir} executing"
# Loop over files in the directory
# Loop over files in the directory
for SCRIPT in "${custom_script_dir}"/*; do
for SCRIPT in "${custom_script_dir}"/*; do
NAME="$(basename "${SCRIPT}")"
NAME="$(basename "${SCRIPT}")"
if [ -f "${SCRIPT}" ]; then
if [ -f "${SCRIPT}" ]; then
echo "[custom-init] ${NAME}: executing..."
echo "[custom-init] ${NAME}: executing..."
/bin/bash "${SCRIPT}"
/usr/bin/bash "${SCRIPT}"
echo "[custom-init] ${NAME}: exited $?"
echo "[custom-init] ${NAME}: exited $?"
elif [ ! -f "${SCRIPT}" ]; then
elif [ ! -f "${SCRIPT}" ]; then
echo "[custom-init] ${NAME}: is not a file"
echo "[custom-init] ${NAME}: is not a file"
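Review bot: The switch to absolute paths is applied unevenly in this hunk: `find`, `ls` and `bash` are now called as `/usr/bin/...`, but `basename` on the `NAME="$(basename "${SCRIPT}")"` line is still resolved through PATH, so whatever the qualification is meant to guard against (presumably a PATH-supplied substitute, given the tamper-check comments above) still applies to one command in the same loop; `NAME="${SCRIPT##*/}"` removes the external call entirely. `/usr/bin/bash` also exists only on images with a merged `/usr`; on a layout where the shell lives at `/bin/bash` every custom script would fail to start, so this is worth confirming against the base image before merging. Finally, `SCRIPT` and `NAME` stay uppercase globals even though the commit's stated aim is to make variables local; `local script name` before the `for` loop would finish the job. custom_container_init continues past the end of the hunk.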