From 71298094f4547592afcb50db55133f37788fae23 Mon Sep 17 00:00:00 2001
From: thespad
Date: Sun, 24 Nov 2024 19:07:12 +0000
Subject: [PATCH 1/5] Don't allow USER_NAME to be set to existing user
---
 root/etc/s6-overlay/s6-rc.d/init-adduser/run | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/run b/root/etc/s6-overlay/s6-rc.d/init-adduser/run
index efe470e..fc07ff3 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-adduser/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-adduser/run
@@ -1,7 +1,12 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
-USER_NAME=${USER_NAME:-linuxserver.io}
+if grep -q "^${USER_NAME}" /etc/passwd; then
+ echo "*** USER_NAME cannot be set to an user that already exists in /etc/passwd. Halting init. ***"
+ sleep infinity
+else
+ USER_NAME=${USER_NAME:-linuxserver.io}
+fi
 PUID=${PUID:-911}
 PGID=${PGID:-911}
From e02ba195a64f4b0df17145188e5560e2c1ea3c01 Mon Sep 17 00:00:00 2001
From: thespad
Date: Sun, 24 Nov 2024 19:26:15 +0000
Subject: [PATCH 2/5] Move everything out of the container filesystem into its own directories
---
 README.md | 1 +
 readme-vars.yml | 1 +
 .../s6-rc.d/init-openssh-server-config/run | 49 +++++++++++--------
 .../s6-overlay/s6-rc.d/svc-openssh-server/run | 6 ++-
 4 files changed, 35 insertions(+), 22 deletions(-)
diff --git a/README.md b/README.md
index 2de9ec2..e4bd09a 100644
--- a/README.md
+++ b/README.md
@@ -338,6 +338,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions
+* **24.11.24:** - Move sshd_config to /config/sshd/sshd_config.
 * **31.05.24:** - Rebase to Alpine 3.20.
 * **04.05.24:** - Display the SSH host public keys every time the container starts.
 * **09.03.24:** - Rebase to Alpine 3.19.
diff --git a/readme-vars.yml b/readme-vars.yml
index 240df5b..f568a43 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
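Review bot: The guard on the added `if` line is a prefix match, not a username match: `grep -q "^${USER_NAME}"` also fires when USER_NAME is merely a prefix of an existing account (`roo` against `root:`), and because the value is used as a regex rather than a literal, a metacharacter in it (the default `linuxserver.io` already contains a dot) is interpreted rather than matched. Anchoring on the field separator, `grep -q "^${USER_NAME}:" /etc/passwd`, or asking the account database directly, `id -u "${USER_NAME}" >/dev/null 2>&1`, checks the exact name. The same line is carried through the PATCH 3/5 and PATCH 4/5 hunks with only extra conditions prepended. If the rest of init-adduser (outside this hunk) renames or creates the account under USER_NAME, a stopped-and-restarted container would already have that name in /etc/passwd and halt on its second start, which is worth confirming against the full script.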
@@ -72,6 +72,7 @@ app_setup_block: |
 The keys generated by this script are only displayed on your console output, so make sure to save them somewhere after generation.
 # changelog
 changelogs:
+ - {date: "24.11.24:", desc: "Move sshd_config to /config/sshd/sshd_config."}
 - {date: "31.05.24:", desc: "Rebase to Alpine 3.20."}
 - {date: "04.05.24:", desc: "Display the SSH host public keys every time the container starts."}
 - {date: "09.03.24:", desc: "Rebase to Alpine 3.19."}
diff --git a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
index 6288289..fd80244 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
@@ -3,7 +3,7 @@
 # create folders
 mkdir -p \
- /config/{.ssh,ssh_host_keys,logs/openssh}
+ /config/{.ssh,logs/openssh,sshd}
 USER_NAME=${USER_NAME:-linuxserver.io}
 echo "User name is set to $USER_NAME"
@@ -30,15 +30,23 @@ fi
 USER_PASSWORD=${USER_PASSWORD:-$(< /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c"${1:-8}";echo;)}
 echo "${USER_NAME}:${USER_PASSWORD}" | chpasswd
-# symlink out ssh config directory
-if [[ ! -L /etc/ssh ]]; then
- if [[ ! -f /config/ssh_host_keys/sshd_config ]]; then
- sed -i '/#PidFile/c\PidFile \/config\/sshd.pid' /etc/ssh/sshd_config
- cp -a /etc/ssh/sshd_config /config/ssh_host_keys/
- fi
- rm -Rf /etc/ssh
- ln -s /config/ssh_host_keys /etc/ssh
+# Migration
+if [[ -f /config/ssh_host_keys/sshd_config ]]; then
+ mv /config/ssh_host_keys/sshd_config /config/sshd/sshd_config
+ sed -i 's/Include \/etc\/ssh\/sshd_config.d\/\*.conf/#Include \/etc\/ssh\/sshd_config.d\/\*.conf/' /config/sshd/sshd_config
+ echo "This file has been moved to /config/sshd/sshd_config" > /config/ssh_host_keys/sshd_config_README
+fi
+if [[ ! -f /config/sshd/sshd_config ]]; then
+ sed -i '/#PidFile/c\PidFile \/config\/sshd.pid' /etc/ssh/sshd_config
+ sed -i 's/Include \/etc\/ssh\/sshd_config.d\/\*.conf/#Include \/etc\/ssh\/sshd_config.d\/\*.conf/' /etc/ssh/sshd_config
+ cp -a /etc/ssh/sshd_config /config/sshd/sshd_config
+fi
+if [[ ! -d /config/ssh_host_keys ]]; then
+ mkdir -p /config/ssh_host_keys
 ssh-keygen -A
+ cp /etc/ssh/ssh_host_* /config/ssh_host_keys
 fi
 # display SSH host public key(s)
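Review bot: The `if [[ ! -d /config/ssh_host_keys ]]` test decides whether host keys get generated by the directory alone, so an existing but empty directory (a pre-created bind mount, or a /config where an earlier run made the folder but not the keys) skips `ssh-keygen -A` and the copy, and the service hunk later in this patch then starts sshd with no matching `ssh_host_*_key` file. Testing for the key files themselves, `if ! compgen -G '/config/ssh_host_keys/ssh_host_*_key' >/dev/null; then`, covers that case. The `cp /etc/ssh/ssh_host_* /config/ssh_host_keys` after `ssh-keygen -A` also runs as root with the generator's modes and leaves a second set of private keys in the image's /etc/ssh, which the commit message says it is moving out of the container filesystem; `mv` would drop the container-side copy, and whatever ownership an sshd running as `${USER_NAME}` needs on the copied keys is not set anywhere visible in this patch (the permissions hunk below only covers /config/sshd).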
@@ -47,24 +55,24 @@ cat /config/ssh_host_keys/ssh_host_*.pub
 # custom port
 if [[ -n "${LISTEN_PORT}" ]]; then
- sed -i "s/^#Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /etc/ssh/sshd_config
- sed -i "s/^Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /etc/ssh/sshd_config
+ sed -i "s/^#Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /config/sshd/sshd_config
+ sed -i "s/^Port [[:digit:]]\+/Port ${LISTEN_PORT}"/ /config/sshd/sshd_config
 echo "sshd is listening on port ${LISTEN_PORT}"
 else
- sed -i "s/^#Port [[:digit:]]\+/Port 2222"/ /etc/ssh/sshd_config
- sed -i "s/^Port [[:digit:]]\+/Port 2222"/ /etc/ssh/sshd_config
+ sed -i "s/^#Port [[:digit:]]\+/Port 2222"/ /config/sshd/sshd_config
+ sed -i "s/^Port [[:digit:]]\+/Port 2222"/ /config/sshd/sshd_config
 echo "sshd is listening on port 2222"
 fi
 # password access
 if [[ "$PASSWORD_ACCESS" == "true" ]]; then
- sed -i '/^#PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
- sed -i '/^PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
+ sed -i '/^#PasswordAuthentication/c\PasswordAuthentication yes' /config/sshd/sshd_config
+ sed -i '/^PasswordAuthentication/c\PasswordAuthentication yes' /config/sshd/sshd_config
 chown root:"${USER_NAME}" \
 /etc/shadow
 echo "User/password ssh access is enabled."
 else
- sed -i '/^PasswordAuthentication/c\PasswordAuthentication no' /etc/ssh/sshd_config
+ sed -i '/^PasswordAuthentication/c\PasswordAuthentication no' /config/sshd/sshd_config
 chown root:root \
 /etc/shadow
 echo "User/password ssh access is disabled."
@@ -72,7 +80,7 @@ fi
 # set umask for sftp
 UMASK=${UMASK:-022}
-sed -i "s|/usr/lib/ssh/sftp-server$|/usr/lib/ssh/sftp-server -u ${UMASK}|g" /etc/ssh/sshd_config
+sed -i "s|/usr/lib/ssh/sftp-server$|/usr/lib/ssh/sftp-server -u ${UMASK}|g" /config/sshd/sshd_config
 # set key auth in file
 if [[ ! -f /config/.ssh/authorized_keys ]]; then
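Review bot: `${LISTEN_PORT}` is spliced into the sed replacement on the four `Port` lines without validation, so a value containing `/` or a newline terminates the `s` command and either breaks the edit or writes an unintended directive into /config/sshd/sshd_config instead of failing cleanly; the `${UMASK}` sed in the next hunk has the same shape. LISTEN_PORT is an operator-supplied variable, so this is a robustness rather than an exposure issue, but a numeric check before the `if`, `[[ -z "${LISTEN_PORT}" || "${LISTEN_PORT}" =~ ^[0-9]+$ ]] || { echo "*** LISTEN_PORT must be numeric. ***"; sleep infinity; }`, keeps a typo from silently corrupting the persistent config. The closing `"/` on each of those lines also leaves the final delimiter outside the quotes; it works, but `"s/^#Port [[:digit:]]\+/Port ${LISTEN_PORT}/"` reads as intended.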
@@ -133,10 +141,9 @@ chmod 700 \
 chmod 600 \
 /config/.ssh/authorized_keys
-# ssh_host_keys permissions
 lsiown -R root:"${USER_NAME}" \
- /config/ssh_host_keys
+ /config/sshd
 chmod 750 \
- /config/ssh_host_keys
+ /config/sshd
 chmod 640 \
- /config/ssh_host_keys/*
+ /config/sshd/sshd_config
diff --git a/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run
index 6a3a7f8..0af0a30 100755
--- a/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-openssh-server/run
@@ -3,6 +3,10 @@
 USER_NAME=${USER_NAME:-linuxserver.io}
+for i in /config/ssh_host_keys/ssh_host_*_key; do
+ SSH_HOST_KEYS="${SSH_HOST_KEYS} -h ${i}"
+done
 exec 2>&1 \
 s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost ${LISTEN_PORT:-2222}" \
- s6-setuidgid "${USER_NAME}" /usr/sbin/sshd.pam -D -e
+ s6-setuidgid "${USER_NAME}" /usr/sbin/sshd.pam -D -e -f /config/sshd/sshd_config ${SSH_HOST_KEYS}
From 69cf34d58819e30916d46d233e746c1a860a7024 Mon Sep 17 00:00:00 2001
From: thespad
Date: Sun, 24 Nov 2024 19:31:54 +0000
Subject: [PATCH 3/5] Don't check USER_NAME if it's not set
---
 root/etc/s6-overlay/s6-rc.d/init-adduser/run | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/run b/root/etc/s6-overlay/s6-rc.d/init-adduser/run
index fc07ff3..52d7b3e 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-adduser/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-adduser/run
@@ -1,7 +1,7 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
-if grep -q "^${USER_NAME}" /etc/passwd; then
+if [[ -n "$USER_NAME" ]] && grep -q "^${USER_NAME}" /etc/passwd; then
 echo "*** USER_NAME cannot be set to an user that already exists in /etc/passwd. Halting init. ***"
 sleep infinity
 else
From 348399e4bad64b6a6706e6af5d36d11ab37e1ee7 Mon Sep 17 00:00:00 2001
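Review bot: The removed `lsiown -R root:"${USER_NAME}"` and `chmod 640` over `/config/ssh_host_keys/*` were the only visible steps making the host keys readable by a non-root sshd; after this hunk that treatment applies to `/config/sshd` and `sshd_config` only, and nothing in the diff sets ownership or mode on `/config/ssh_host_keys/ssh_host_*_key`, which the migration hunk earlier in this patch now creates on fresh installs as root with the generator's 0600 mode. If sshd still runs under `s6-setuidgid "${USER_NAME}"` as in the svc-openssh-server hunk, those keys would fail to load at startup, unless a chown outside the hunk already covers the directory. Keeping `lsiown -R root:"${USER_NAME}" /config/ssh_host_keys`, `chmod 750 /config/ssh_host_keys` and `chmod 640 /config/ssh_host_keys/ssh_host_*_key` alongside the new /config/sshd lines would preserve the previous guarantee.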
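Review bot: `${SSH_HOST_KEYS}` is built by string concatenation and expanded unquoted on the `s6-setuidgid` line, so it depends on word splitting, and when `/config/ssh_host_keys/ssh_host_*_key` matches nothing the loop body runs once with the literal pattern and sshd is started with `-h /config/ssh_host_keys/ssh_host_*_key`, a failure the `nc -z` readiness check only surfaces as a timeout. An array with `nullglob` set avoids both problems, and an explicit emptiness check turns the missing-keys case into a clear error rather than a silent fallback to the image's /etc/ssh keys. Note that `exec 2>&1` follows, so the message below is written to stderr before that redirection.
```shell
shopt -s nullglob
host_key_args=()
for key in /config/ssh_host_keys/ssh_host_*_key; do
    host_key_args+=(-h "${key}")
done
if (( ${#host_key_args[@]} == 0 )); then
    echo "*** No host keys found in /config/ssh_host_keys. ***" >&2
    exit 1
fi

# … unchanged: exec 2>&1 and the s6-notifyoncheck line …
    s6-setuidgid "${USER_NAME}" /usr/sbin/sshd.pam -D -e -f /config/sshd/sshd_config "${host_key_args[@]}"
```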
From: thespad
Date: Sun, 24 Nov 2024 19:37:11 +0000
Subject: [PATCH 4/5] Allow abc as USER_NAME
---
 root/etc/s6-overlay/s6-rc.d/init-adduser/run | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-adduser/run b/root/etc/s6-overlay/s6-rc.d/init-adduser/run
index 52d7b3e..2111a58 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-adduser/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-adduser/run
@@ -1,7 +1,7 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash
-if [[ -n "$USER_NAME" ]] && grep -q "^${USER_NAME}" /etc/passwd; then
+if [[ -n "$USER_NAME" ]] && [[ "$USER_NAME" != "abc" ]] && grep -q "^${USER_NAME}" /etc/passwd; then
 echo "*** USER_NAME cannot be set to an user that already exists in /etc/passwd. Halting init. ***"
 sleep infinity
 else
From 1383ead42c07879fadaa4667fc8e8dd670a0c2c8 Mon Sep 17 00:00:00 2001
From: thespad
Date: Mon, 25 Nov 2024 19:46:04 +0000
Subject: [PATCH 5/5] Fix host key permissions on migration if needed
---
 root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
index fd80244..65593ae 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-openssh-server-config/run
@@ -35,6 +35,8 @@ if [[ -f /config/ssh_host_keys/sshd_config ]]; then
 mv /config/ssh_host_keys/sshd_config /config/sshd/sshd_config
 sed -i 's/Include \/etc\/ssh\/sshd_config.d\/\*.conf/#Include \/etc\/ssh\/sshd_config.d\/\*.conf/' /config/sshd/sshd_config
 echo "This file has been moved to /config/sshd/sshd_config" > /config/ssh_host_keys/sshd_config_README
+ chmod 600 /config/sshd/sshd_config/ssh_host_*_key
+ chmod 644 /config/sshd/sshd_config/ssh_host_*_key.pub
 fi
 if [[ ! -f /config/sshd/sshd_config ]]; then
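Review bot: Both added `chmod` lines point at `/config/sshd/sshd_config/ssh_host_*_key`, but `/config/sshd/sshd_config` is the file the `mv` three lines above just created, not a directory, so the glob can never match, chmod receives the literal pattern and fails (as far as the visible headers show the script does not `set -e`, so the failure is simply ignored); the keys this patch means to fix live under `/config/ssh_host_keys/`. The lines should read `chmod 600 /config/ssh_host_keys/ssh_host_*_key` and `chmod 644 /config/ssh_host_keys/ssh_host_*_key.pub`. Separately, the migrated layout left those keys owned `root:${USER_NAME}` with mode 640 (the old permissions block removed in PATCH 2/5), so tightening them to 0600 without changing the owner makes them unreadable to an sshd running as `${USER_NAME}` via `s6-setuidgid`; the intended owner needs to be decided together with this mode.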