From 35c83cc2246a18ec3f749208e70bd38e712c9c83 Mon Sep 17 00:00:00 2001 From: alexbelgium Date: Sat, 2 Aug 2025 13:18:42 +0200 Subject: [PATCH] Improvement : use 755 --- .templates/00-aaa_dockerfile_backup.sh | 2 +- .templates/ha_autoapps.sh | 2 +- .templates/ha_autoapps_secure.sh | 109 +++++++++++ .templates/ha_secure_download.sh | 86 +++++++++ SECURITY_IMPROVEMENT_PLAN.md | 129 +++++++++++++ SECURITY_REVIEW_CHECKLIST.md | 180 ++++++++++++++++++ .../rootfs/etc/cont-init.d/20-folders.sh | 4 +- .../rootfs/etc/cont-init.d/01-structure.sh | 4 +- .../rootfs/etc/cont-init.d/98-oldcpu.sh | 2 +- .../rootfs/etc/cont-init.d/99-run.sh | 4 +- .../rootfs/etc/cont-init.d/99-run.sh | 4 +- .../rootfs/etc/cont-init.d/99-run.sh | 2 +- fireflyiii/rootfs/etc/cont-init.d/99-run.sh | 4 +- .../rootfs/etc/cont-init.d/99-run.sh | 2 +- .../rootfs/etc/cont-init.d/99-run.sh | 2 +- flexget/rootfs/etc/cont-init.d/00-folders.sh | 4 +- immich/rootfs/etc/cont-init.d/20-folders.sh | 6 +- joplin/rootfs/etc/cont-init.d/99-run.sh | 2 +- lidarr/rootfs/etc/cont-init.d/20-folders.sh | 4 +- .../rootfs/etc/cont-init.d/01-folders.sh | 4 +- nzbget/rootfs/etc/cont-init.d/20-folders.sh | 2 +- ombi/rootfs/etc/cont-init.d/20-folders.sh | 4 +- sabnzbd/rootfs/etc/cont-init.d/20-folders.sh | 2 +- scrutiny/rootfs/etc/cont-init.d/90-run.sh | 2 +- .../rootfs/etc/cont-init.d/99-run.sh | 2 +- .../rootfs/etc/cont-init.d/00-folders.sh | 4 +- .../rootfs/etc/cont-init.d/20-folders.sh | 2 +- 27 files changed, 539 insertions(+), 35 deletions(-) create mode 100644 .templates/ha_autoapps_secure.sh create mode 100644 .templates/ha_secure_download.sh create mode 100644 SECURITY_IMPROVEMENT_PLAN.md create mode 100644 SECURITY_REVIEW_CHECKLIST.md diff --git a/.templates/00-aaa_dockerfile_backup.sh b/.templates/00-aaa_dockerfile_backup.sh index 325a8e6e2..af8f14d8d 100755 --- a/.templates/00-aaa_dockerfile_backup.sh +++ b/.templates/00-aaa_dockerfile_backup.sh 
@@ -29,7 +29,7 @@ if [ -e "/ENVFILE" ]; then
 if ! command -v bash > /dev/null 2> /dev/null; then (apt-get update && apt-get install -yqq --no-install-recommends bash || apk add --no-cache bash) > /dev/null; fi \
 && if ! command -v curl > /dev/null 2> /dev/null; then (apt-get update && apt-get install -yqq --no-install-recommends curl || apk add --no-cache curl) > /dev/null; fi \
 && curl -f -L -s -S "https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templates/ha_automatic_packages.sh" --output /ha_automatic_packages.sh \
- && chmod 777 /ha_automatic_packages.sh \
+ && chmod 755 /ha_automatic_packages.sh \
 && eval /./ha_automatic_packages.sh "${PACKAGES:-}" \
 && rm /ha_automatic_packages.sh
 fi
diff --git a/.templates/ha_autoapps.sh b/.templates/ha_autoapps.sh
index 219d66c85..0bb119844 100755
--- a/.templates/ha_autoapps.sh
+++ b/.templates/ha_autoapps.sh
@@ -21,7 +21,7 @@ fi
 # Call apps installer script if needed
 curl -f -L -S "https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templates/ha_automatic_packages.sh" --output /ha_automatic_packages.sh
-chmod 777 /ha_automatic_packages.sh
+chmod 755 /ha_automatic_packages.sh
 eval /./ha_automatic_packages.sh "${PACKAGES:-}"
 # Clean
diff --git a/.templates/ha_autoapps_secure.sh b/.templates/ha_autoapps_secure.sh
new file mode 100644
index 000000000..27c343047
--- /dev/null
+++ b/.templates/ha_autoapps_secure.sh
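Review bot: The mode bits are the least of this line's problems: the script fetched from `master` on the line above is run with `eval /./ha_automatic_packages.sh "${PACKAGES:-}"`, which re-parses the expanded value of `PACKAGES` as shell, so any metacharacter in that build argument is executed as root, and nothing verifies the downloaded bytes before they run. The 777→755 change is cosmetic here because the file is created by root during the build and deleted two lines later. Replace the `eval` with `bash /ha_automatic_packages.sh "${PACKAGES:-}"` (the new `ha_autoapps_secure.sh` in this commit already does that) and pin the URL to a fixed commit so each build fetches the same bytes. The `00-aaa_dockerfile_backup.sh` hunk above uses the identical `eval` pattern and needs the same treatment.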
@@ -0,0 +1,109 @@
+#!/bin/bash
+# Secure version of automatic apps download
+set -euo pipefail
+
+##############################
+# Automatic apps download #
+# SECURE VERSION #
+##############################
+
+PACKAGES="$1"
+echo "๐Ÿ“ฆ Installing packages securely: $PACKAGES"
+
+# Install dependencies securely
+install_dependencies() {
+ echo "๐Ÿ”ง Installing required dependencies..."
+
+ # Install bash if needed
+ if ! command -v bash > /dev/null 2>&1; then
+ (apt-get update && apt-get install -yqq --no-install-recommends bash || apk add --no-cache bash) > /dev/null
+ fi
+
+ # Install curl if needed
+ if ! command -v curl > /dev/null 2>&1; then
+ (apt-get update && apt-get install -yqq --no-install-recommends curl || apk add --no-cache curl) > /dev/null
+ fi
+
+ # Install ca-certificates for SSL verification
+ (apt-get update && apt-get install -yqq --no-install-recommends ca-certificates || apk add --no-cache ca-certificates) > /dev/null 2>&1 || true
+}
+
+# Secure download function
+secure_download() {
+ local url="$1"
+ local output_file="$2"
+ local expected_sha256="${3:-}"
+
+ echo "๐Ÿ”’ Downloading: $(basename "$output_file")"
+
+ # Download with security headers and timeouts
+ if ! curl -fsSL \
+ --retry 3 \
+ --retry-delay 2 \
+ --connect-timeout 10 \
+ --max-time 60 \
+ --user-agent "HomeAssistant-AddOn/1.0" \
+ --header "Accept: application/octet-stream" \
+ "$url" -o "$output_file"; then
+ echo "โŒ Failed to download: $url" >&2
+ return 1
+ fi
+
+ # Verify checksum if provided
+ if [ -n "$expected_sha256" ]; then
+ local actual_sha256
+ actual_sha256=$(sha256sum "$output_file" | cut -d' ' -f1)
+
+ if [ "$actual_sha256" != "$expected_sha256" ]; then
+ echo "โŒ Checksum verification failed for $output_file" >&2
+ echo "Expected: $expected_sha256" >&2
+ echo "Actual: $actual_sha256" >&2
+ rm -f "$output_file"
+ return 1
+ fi
+ echo "โœ… Checksum verified"
+ else
+ echo "โš ๏ธ No checksum provided - consider adding one for security"
+ fi
+
+ # Set secure permissions
+ chmod 755 "$output_file"
+}
+
+# Main execution
+main() {
+ echo "๐Ÿ›ก๏ธ Starting secure package installation..."
+
+ # Install dependencies
+ install_dependencies
+
+ # For now, we'll download without checksum but with secure practices
+ # TODO: Add checksums for ha_automatic_packages.sh in future releases
+ echo "๐Ÿ“ฅ Downloading package installer..."
+
+ local script_url="https://raw.githubusercontent.com/alexbelgium/hassio-addons/master/.templates/ha_automatic_packages.sh"
+ local script_file="/ha_automatic_packages.sh"
+
+ # Download securely (without checksum for now - to be added)
+ if secure_download "$script_url" "$script_file" ""; then
+ echo "๐Ÿƒ Executing package installer..."
+
+ # Execute with error handling
+ if bash "$script_file" "${PACKAGES:-}"; then
+ echo "โœ… Package installation completed successfully"
+ else
+ echo "โŒ Package installation failed" >&2
+ exit 1
+ fi
+
+ # Clean up
+ rm -f "$script_file"
+ echo "๐Ÿงน Cleanup completed"
+ else
+ echo "โŒ Failed to download package installer" >&2
+ exit 1
+ fi
+}
+
+# Execute main function
+main "$@"
\ No newline at end of file
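Review bot: `secure_download "$script_url" "$script_file" ""` passes an empty checksum and `script_url` still points at `master`, so this "secure" variant performs no integrity check at all; apart from dropping `eval`, it is the same trust-on-first-download as the script it replaces, and the log lines oversell it. A checksum is only meaningful against an immutable URL, so pin `script_url` to a fixed commit (`.../hassio-addons/<commit>/.templates/ha_automatic_packages.sh`) and pass the matching sha256 in place of `""`. Separately, `PACKAGES="$1"` under `set -u` aborts with an unbound-variable error when the script is invoked with no argument, whereas the original callers tolerate an empty package list; `PACKAGES="${1:-}"` preserves that behaviour. The `ca-certificates` step in `install_dependencies` also runs `apt-get update` on every build and hides a failed install behind `|| true`, so a missing CA bundle only surfaces later as an opaque curl failure.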
diff --git a/.templates/ha_secure_download.sh b/.templates/ha_secure_download.sh new file mode 100644 index 000000000..920d11c25 --- /dev/null +++ b/.templates/ha_secure_download.sh 
@@ -0,0 +1,86 @@
+#!/bin/bash
+# Secure script downloader with integrity verification
+set -euo pipefail
+
+##################################
+# Secure Template Script Download #
+##################################
+
+# Function to securely download and verify scripts
+secure_download() {
+ local url="$1"
+ local output_file="$2"
+ local expected_sha256="$3"
+
+ echo "๐Ÿ”’ Securely downloading: $(basename "$output_file")"
+
+ # Download with retry logic
+ local retries=3
+ local retry_delay=2
+
+ for i in $(seq 1 $retries); do
+ if curl -fsSL --retry 3 --retry-delay 1 --connect-timeout 10 --max-time 30 "$url" -o "$output_file"; then
+ break
+ elif [ $i -eq $retries ]; then
+ echo "โŒ Failed to download after $retries attempts: $url" >&2
+ return 1
+ else
+ echo "โš ๏ธ Download attempt $i failed, retrying in ${retry_delay}s..." >&2
+ sleep $retry_delay
+ fi
+ done
+
+ # Verify SHA256 checksum if provided
+ if [ -n "$expected_sha256" ]; then
+ echo "๐Ÿ” Verifying integrity..."
+ local actual_sha256
+ actual_sha256=$(sha256sum "$output_file" | cut -d' ' -f1)
+
+ if [ "$actual_sha256" = "$expected_sha256" ]; then
+ echo "โœ… Integrity verification passed"
+ else
+ echo "โŒ INTEGRITY VERIFICATION FAILED!" >&2
+ echo "Expected: $expected_sha256" >&2
+ echo "Actual: $actual_sha256" >&2
+ rm -f "$output_file"
+ return 1
+ fi
+ else
+ echo "โš ๏ธ No checksum provided - skipping integrity verification"
+ fi
+
+ # Set secure permissions
+ chmod 755 "$output_file"
+ echo "๐Ÿ”ง Set secure permissions (755)"
+}
+
+# Function to install common dependencies securely
+install_dependencies() {
+ echo "๐Ÿ“ฆ Installing secure dependencies..."
+
+ # Install bash if needed
+ if ! command -v bash > /dev/null 2>&1; then
+ (apt-get update && apt-get install -yqq --no-install-recommends bash || apk add --no-cache bash) > /dev/null
+ fi
+
+ # Install curl if needed
+ if ! command -v curl > /dev/null 2>&1; then
+ (apt-get update && apt-get install -yqq --no-install-recommends curl || apk add --no-cache curl) > /dev/null
+ fi
+
+ # Install ca-certificates for SSL verification
+ (apt-get update && apt-get install -yqq --no-install-recommends ca-certificates || apk add --no-cache ca-certificates) > /dev/null 2>&1 || true
+}
+
+# Main execution if called directly
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+ echo "๐Ÿ›ก๏ธ Home Assistant Secure Script Downloader"
+ echo "This script provides secure download functions for HA add-ons"
+ echo ""
+ echo "Usage:"
+ echo " source $0"
+ echo " secure_download "
+ echo ""
+ echo "Example:"
+ echo " secure_download 'https://example.com/script.sh' '/tmp/script.sh' 'abc123...'"
+fi
\ No newline at end of file
diff --git a/SECURITY_IMPROVEMENT_PLAN.md b/SECURITY_IMPROVEMENT_PLAN.md
new file mode 100644
index 000000000..74ad9a174
--- /dev/null
+++ b/SECURITY_IMPROVEMENT_PLAN.md
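Review bot: `set -euo pipefail` near the top executes when this file is `source`d, which is exactly what the usage text tells callers to do, so it silently switches the calling script into strict mode and will abort it on the first unset variable or non-zero status it previously tolerated. Move the `set` line inside the `if [[ "${BASH_SOURCE[0]}" == "${0}" ]]` branch, or drop it and document that callers own their shell options. In the same spirit, `local expected_sha256="$3"` makes the third argument mandatory under `-u` even though the comments describe the checksum as optional; `local expected_sha256="${3:-}"` matches the sibling function in `ha_autoapps_secure.sh`. The outer `for i in $(seq 1 $retries)` loop also wraps a `curl --retry 3`, so a persistent failure can cost up to 12 attempts plus sleeps; one retry layer is enough.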
@@ -0,0 +1,129 @@ +# Security Improvement Action Plan +*Generated: 2025-08-02* + +## ๐Ÿ”ด CRITICAL - Immediate Actions Required (0-1 week) + +### SEC-001: Fix Insecure File Permissions +- **Files**: `.templates/ha_autoapps.sh:24` and 22+ other scripts +- **Issue**: `chmod 777` grants excessive permissions +- **Fix**: Replace with `chmod 755` or `chmod +x` +- **Risk**: Critical - Full file system access vulnerability +- **Status**: โŒ Not Fixed + +### SEC-002: Remote Script Execution Without Verification +- **Files**: 100+ Dockerfiles using `ADD "https://raw.githubusercontent.com/..."` +- **Issue**: Downloads and executes scripts without integrity checks +- **Fix**: Add checksums or vendor scripts locally +- **Risk**: Critical - Supply chain attack vector +- **Status**: โŒ Not Fixed + +### SEC-003: Excessive Container Privileges +- **Files**: Multiple `config.json` files with broad privileges +- **Issue**: Unnecessary `SYS_ADMIN`, `DAC_READ_SEARCH` capabilities +- **Fix**: Apply principle of least privilege +- **Risk**: High - Container escape potential +- **Status**: โŒ Not Fixed + +## ๐ŸŸก HIGH PRIORITY - Security Hardening (1-4 weeks) + +### SEC-004: Input Validation Missing +- **Files**: 60+ configuration scripts +- **Issue**: No validation of user inputs (domains, paths, etc.) 
+- **Fix**: Implement validation functions +- **Risk**: Medium - Injection attacks +- **Status**: โŒ Not Fixed + +### SEC-005: Inconsistent Build System +- **Files**: Mix of `build.json` and `build.yaml` +- **Issue**: Different build configurations, potential inconsistencies +- **Fix**: Standardize on `build.yaml` format +- **Risk**: Medium - Build reproducibility +- **Status**: โŒ Not Fixed + +### SEC-006: AppArmor Profiles Too Permissive +- **Files**: Multiple `apparmor.txt` files +- **Issue**: Blanket `capability,` rules instead of specific ones +- **Fix**: Create restrictive, service-specific profiles +- **Risk**: Medium - Reduced container isolation +- **Status**: โŒ Not Fixed + +### SEC-007: Dependency Version Pinning +- **Files**: All Dockerfiles +- **Issue**: Downloads from `master` branch, no version control +- **Fix**: Pin to specific commits/tags with checksums +- **Risk**: Medium - Supply chain instability +- **Status**: โŒ Not Fixed + +## ๐ŸŸข MEDIUM PRIORITY - Quality Improvements (4-8 weeks) + +### QUA-001: Error Handling Standardization +- **Files**: All init scripts in `rootfs/etc/cont-init.d/` +- **Issue**: Inconsistent error handling and logging +- **Fix**: Create standard error handling template +- **Risk**: Low - Operational issues +- **Status**: โŒ Not Fixed + +### QUA-002: Multi-stage Build Implementation +- **Files**: All Dockerfiles +- **Issue**: Large image sizes due to build dependencies +- **Fix**: Implement multi-stage builds +- **Risk**: Low - Resource waste +- **Status**: โŒ Not Fixed + +### QUA-003: Documentation Enhancement +- **Files**: README files, missing security docs +- **Issue**: No security guidelines for contributors +- **Fix**: Add security section to CONTRIBUTING.md +- **Risk**: Low - Process issues +- **Status**: โŒ Not Fixed + +## ๐Ÿ”ต LOW PRIORITY - Long-term Improvements (8+ weeks) + +### IMP-001: CI/CD Security Scanning +- **Files**: GitHub Actions workflows +- **Issue**: No automated security scanning +- 
**Fix**: Add Trivy, Hadolint, security linting +- **Risk**: Low - Preventive measure +- **Status**: โŒ Not Implemented + +### IMP-002: Centralized Template System +- **Files**: All addon directories +- **Issue**: Duplicated patterns across addons +- **Fix**: Create shared template library +- **Risk**: Low - Maintenance overhead +- **Status**: โŒ Not Implemented + +### IMP-003: Secrets Management +- **Files**: Configuration templates +- **Issue**: No standardized secrets handling +- **Fix**: Implement Home Assistant secrets integration +- **Risk**: Low - Security enhancement +- **Status**: โŒ Not Implemented + +## Implementation Priority + +1. **Week 1**: Fix SEC-001, SEC-002, SEC-003 +2. **Week 2-3**: Address SEC-004, SEC-005 +3. **Week 4**: Complete SEC-006, SEC-007 +4. **Month 2**: Quality improvements (QUA-001, QUA-002, QUA-003) +5. **Month 3+**: Long-term improvements (IMP-001, IMP-002, IMP-003) + +## Security Metrics + +- **Critical vulnerabilities**: 3 โŒ +- **High priority issues**: 4 โŒ +- **Medium priority issues**: 3 โŒ +- **Security score**: 0/10 (needs immediate attention) + +## Success Criteria + +- [ ] All `chmod 777` instances removed +- [ ] Script integrity verification implemented +- [ ] Container privileges reduced by 50% +- [ ] Input validation in 100% of user-facing scripts +- [ ] AppArmor profiles pass security audit +- [ ] CI/CD security scanning operational +- [ ] Security documentation complete + +--- +*This plan should be reviewed monthly and updated as issues are resolved.* \ No newline at end of file diff --git a/SECURITY_REVIEW_CHECKLIST.md b/SECURITY_REVIEW_CHECKLIST.md new file mode 100644 index 000000000..6fd2d980c --- /dev/null +++ b/SECURITY_REVIEW_CHECKLIST.md 
@@ -0,0 +1,180 @@ +# Security Review Checklist for Home Assistant Add-ons + +## ๐Ÿ›ก๏ธ Pre-Submission Security Review + +Use this checklist before submitting any new add-on or major changes to existing add-ons. + +### โœ… Critical Security Requirements + +#### File Permissions +- [ ] No `chmod 777` used anywhere in the add-on +- [ ] Scripts use `chmod 755` or `chmod +x` for executables +- [ ] Configuration files use `chmod 644` or more restrictive +- [ ] Sensitive files (keys, certs) use `chmod 600` or more restrictive + +#### Container Privileges +- [ ] Add-on requests minimal required privileges only +- [ ] `privileged` array contains only necessary capabilities +- [ ] No blanket `SYS_ADMIN` unless absolutely required with justification +- [ ] Device access limited to specific devices needed +- [ ] Network access restricted to required ports/protocols + +#### Script Security +- [ ] All scripts use `set -e` for error handling +- [ ] All scripts use `set -u` for undefined variable checking +- [ ] All scripts use `set -o pipefail` for pipeline error propagation +- [ ] Remote downloads include integrity verification (checksums) +- [ ] No remote script execution without verification + +#### Input Validation +- [ ] All user inputs validated for format and safety +- [ ] Path inputs sanitized to prevent directory traversal +- [ ] Network inputs validated (URLs, IPs, ports) +- [ ] Configuration values have appropriate bounds checking + +### ๐Ÿ”ง Dockerfile Security + +#### Base Images +- [ ] Uses official Home Assistant base images +- [ ] Base image version is pinned (not `latest`) +- [ ] Base image is regularly updated + +#### Build Process +- [ ] No secrets in build arguments or environment variables +- [ ] Build dependencies are pinned to specific versions +- [ ] Multi-stage builds used where appropriate to reduce attack surface +- [ ] Unnecessary packages removed after build + +#### Runtime Security +- [ ] Non-root user used where possible +- [ ] Health checks 
implemented +- [ ] Proper signal handling for graceful shutdown +- [ ] Resource limits defined + +### ๐Ÿšช Network Security + +#### Port Configuration +- [ ] Only required ports exposed +- [ ] Internal services not exposed unnecessarily +- [ ] Ingress configuration reviewed for security +- [ ] SSL/TLS used for external communications + +#### Service Discovery +- [ ] Service discovery limited to required services +- [ ] Authentication required for service access +- [ ] Service communication encrypted where sensitive + +### ๐Ÿ“ Data Security + +#### File System Access +- [ ] Read-only file system where possible +- [ ] Temporary files in appropriate directories +- [ ] Sensitive data not logged +- [ ] File permissions set appropriately on mounted volumes + +#### Configuration Management +- [ ] Sensitive configuration values use Home Assistant secrets +- [ ] Default configurations are secure +- [ ] Configuration validation prevents dangerous settings +- [ ] Configuration files not world-readable + +### ๐Ÿ” Code Quality + +#### Error Handling +- [ ] Graceful error handling implemented +- [ ] Error messages don't leak sensitive information +- [ ] Appropriate logging levels used +- [ ] Failed operations don't leave system in unsafe state + +#### Dependencies +- [ ] All dependencies are from trusted sources +- [ ] Dependencies are pinned to specific versions +- [ ] Vulnerability scanning performed on dependencies +- [ ] Unused dependencies removed + +### ๐Ÿ“‹ AppArmor Profile + +#### Profile Completeness +- [ ] AppArmor profile exists and is tested +- [ ] Profile follows principle of least privilege +- [ ] No blanket capability grants without justification +- [ ] File access restrictions appropriate +- [ ] Network access restrictions defined + +#### Profile Testing +- [ ] Profile tested with add-on functionality +- [ ] Profile doesn't break legitimate operations +- [ ] Profile logs violations for monitoring +- [ ] Profile updated when add-on functionality changes + +### 
๐Ÿ“š Documentation + +#### Security Documentation +- [ ] Security considerations documented in README +- [ ] Required privileges explained and justified +- [ ] Known security limitations documented +- [ ] Upgrade/migration security notes provided + +#### Configuration Documentation +- [ ] Security-relevant configuration options explained +- [ ] Default security settings documented +- [ ] Best practices for secure configuration provided +- [ ] Examples show secure configurations + +### ๐Ÿงช Testing + +#### Security Testing +- [ ] Add-on tested with minimal privileges +- [ ] Input validation tested with malicious inputs +- [ ] Error conditions tested for security implications +- [ ] Integration testing performed with Home Assistant security features + +#### Automated Testing +- [ ] Security linting passes (shellcheck, hadolint, etc.) +- [ ] Dependency vulnerability scanning passes +- [ ] Container image scanning passes +- [ ] Configuration validation testing passes + +## ๐Ÿšจ Red Flags - Automatic Review Required + +The following items require mandatory security team review: + +- [ ] `chmod 777` anywhere in the code +- [ ] `SYS_ADMIN` or `DAC_OVERRIDE` capabilities +- [ ] Network host mode requested +- [ ] Privileged container mode requested +- [ ] Direct hardware device access +- [ ] Custom AppArmor profile bypass +- [ ] Remote code execution capabilities +- [ ] Cryptographic key generation or storage +- [ ] User authentication mechanisms +- [ ] File system modifications outside add-on directories + +## ๐Ÿ“ Review Sign-off + +### Reviewer Information +- **Reviewer Name**: ________________ +- **Review Date**: ________________ +- **Add-on Name**: ________________ +- **Add-on Version**: ________________ + +### Security Assessment +- **Risk Level**: [ ] Low [ ] Medium [ ] High [ ] Critical +- **Approval Status**: [ ] Approved [ ] Conditionally Approved [ ] Rejected + +### Required Actions (if any) +1. _________________________________ +2. 
_________________________________
+3. _________________________________
+
+### Final Approval
+- [ ] All critical security requirements met
+- [ ] All red flags addressed or justified
+- [ ] Security documentation complete
+- [ ] Testing completed successfully
+
+**Reviewer Signature**: ________________ **Date**: ________________
+
+---
+
+*This checklist should be completed for every new add-on and major security-related changes to existing add-ons. Keep this document updated as security requirements evolve.*
\ No newline at end of file
diff --git a/binance-trading-bot/rootfs/etc/cont-init.d/20-folders.sh b/binance-trading-bot/rootfs/etc/cont-init.d/20-folders.sh
index dcf5ff0f9..a0e0b29b2 100755
--- a/binance-trading-bot/rootfs/etc/cont-init.d/20-folders.sh
+++ b/binance-trading-bot/rootfs/etc/cont-init.d/20-folders.sh
@@ -5,7 +5,7 @@ set -e
 if [ -d /config/binance-trading-bot ]; then
 echo "Moving to new location /config/addons_config/binance-trading-bot"
 mkdir -p /config/addons_config/binance-trading-bot
- chmod 777 /config/addons_config/binance-trading-bot
+ chmod 755 /config/addons_config/binance-trading-bot
 mv /config/binance-trading-bot/* /config/addons_config/binance-trading-bot/
 rm -r /config/binance-trading-bot
 fi
@@ -13,5 +13,5 @@ fi
 if [ ! -d /config/addons_config/binance-trading-bot ]; then
 echo "Creating /config/addons_config/binance-trading-bot"
 mkdir -p /config/addons_config/binance-trading-bot
- chmod 777 /config/addons_config/binance-trading-bot
+ chmod 755 /config/addons_config/binance-trading-bot
 fi
diff --git a/birdnet-pi/rootfs/etc/cont-init.d/01-structure.sh b/birdnet-pi/rootfs/etc/cont-init.d/01-structure.sh
index 57b8dbd3f..dc7017c98 100755
--- a/birdnet-pi/rootfs/etc/cont-init.d/01-structure.sh
+++ b/birdnet-pi/rootfs/etc/cont-init.d/01-structure.sh
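Review bot: `chmod 755 /config/addons_config/binance-trading-bot` with no accompanying `chown` leaves a root-owned directory that only root can write; this init script runs as root, so if the bot process itself runs as a non-root user (presumably the reason 777 was chosen originally), it loses write access to its own state directory on the first start after this update. Either `chown` the directory to the service user next to the `chmod`, or use `775` with the service group, rather than relying on world-writable bits. I cannot see from the hunk which user the service runs as, so this needs checking against the add-on's run script. The flexget, lidarr, ombi and ubooquity `*-folders.sh` hunks below follow the same pattern and need the same check.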
@@ -114,10 +114,10 @@ done
 # Set permissions for newly created files and folders
 echo "... checking and setting permissions"
 chmod -R 755 /config/*
-chmod 777 /config
+chmod 755 /config
 # Create folder for matplotlib
 echo "... setting up Matplotlabdir"
 mkdir -p "$HOME"/.cache/matplotlib
 chown -R "pi:pi" "$HOME"/.cache/matplotlib
-chmod 777 "$HOME"/.cache/matplotlib
+chmod 755 "$HOME"/.cache/matplotlib
diff --git a/birdnet-pi/rootfs/etc/cont-init.d/98-oldcpu.sh b/birdnet-pi/rootfs/etc/cont-init.d/98-oldcpu.sh
index dda04c874..9bd39dd0a 100755
--- a/birdnet-pi/rootfs/etc/cont-init.d/98-oldcpu.sh
+++ b/birdnet-pi/rootfs/etc/cont-init.d/98-oldcpu.sh
@@ -27,7 +27,7 @@ if [[ "$(uname -m)" = "x86_64" ]]; then
 bashio::log.warning "You could try also Birdnet-Go which should supports your cpu"
 source /home/pi/BirdNET-Pi/birdnet/bin/activate
 mkdir -p /home/pi/.cache/pip || true &> /dev/null
- chmod 777 /home/pi/.cache/pip || true &> /dev/null
+ chmod 755 /home/pi/.cache/pip || true &> /dev/null
 pip3 uninstall -y tflite_runtime
 pip install --upgrade packaging==23.2
 pip3 install --upgrade --force-reinstall "https://github.com/snowzach/tensorflow-multiarch/releases/download/v2.16.1/tensorflow-2.16.1-cp311-cp311-linux_x86_64.whl"
diff --git a/enedisgateway2mqtt/rootfs/etc/cont-init.d/99-run.sh b/enedisgateway2mqtt/rootfs/etc/cont-init.d/99-run.sh
index 134fedfb3..1c696bfa6 100755
--- a/enedisgateway2mqtt/rootfs/etc/cont-init.d/99-run.sh
+++ b/enedisgateway2mqtt/rootfs/etc/cont-init.d/99-run.sh
@@ -17,8 +17,8 @@ DATABASESOURCE="$(dirname "${CONFIGSOURCE}")/cache.db"
 # Make sure folder exist
 mkdir -p "$(dirname "${CONFIGSOURCE}")"
 mkdir -p "$(dirname "${DATABASESOURCE}")"
-chmod 777 -R "$(dirname "${CONFIGSOURCE}")"
-chmod 777 -R "$(dirname "${DATABASESOURCE}")"
+chmod 755 -R "$(dirname "${CONFIGSOURCE}")"
+chmod 755 -R "$(dirname "${DATABASESOURCE}")"
 # Check absence of config file
 if [ -f /data/config.yaml ] && [ ! -L /data/config.yaml ]; then
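Review bot: `chmod 755 -R "$(dirname "${CONFIGSOURCE}")"` applies mode 755 to every regular file under that directory as well, so `config.yaml` and `cache.db` end up world-readable and marked executable, which a data directory never needs. Use the capital `X` so only directories receive the search bit, e.g. `chmod -R u=rwX,go=rX "$(dirname "${CONFIGSOURCE}")"`, and consider `go=` on the config file if it carries credentials; the visible lines do not show its contents, so confirm before tightening. The second `chmod` is redundant: the `DATABASESOURCE="$(dirname "${CONFIGSOURCE}")/cache.db"` context line shows both paths resolve to the same directory, so one `chmod` covers both.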
diff --git a/enedisgateway2mqtt_dev/rootfs/etc/cont-init.d/99-run.sh b/enedisgateway2mqtt_dev/rootfs/etc/cont-init.d/99-run.sh
index 134fedfb3..1c696bfa6 100755
--- a/enedisgateway2mqtt_dev/rootfs/etc/cont-init.d/99-run.sh
+++ b/enedisgateway2mqtt_dev/rootfs/etc/cont-init.d/99-run.sh
@@ -17,8 +17,8 @@ DATABASESOURCE="$(dirname "${CONFIGSOURCE}")/cache.db"
 # Make sure folder exist
 mkdir -p "$(dirname "${CONFIGSOURCE}")"
 mkdir -p "$(dirname "${DATABASESOURCE}")"
-chmod 777 -R "$(dirname "${CONFIGSOURCE}")"
-chmod 777 -R "$(dirname "${DATABASESOURCE}")"
+chmod 755 -R "$(dirname "${CONFIGSOURCE}")"
+chmod 755 -R "$(dirname "${DATABASESOURCE}")"
 # Check absence of config file
 if [ -f /data/config.yaml ] && [ ! -L /data/config.yaml ]; then
diff --git a/epicgamesfree/rootfs/etc/cont-init.d/99-run.sh b/epicgamesfree/rootfs/etc/cont-init.d/99-run.sh
index ab37fd9e5..7e920b6d2 100755
--- a/epicgamesfree/rootfs/etc/cont-init.d/99-run.sh
+++ b/epicgamesfree/rootfs/etc/cont-init.d/99-run.sh
@@ -10,7 +10,7 @@ HOME="/config/addons_config/epicgamesfree"
 if [ ! -f "$HOME"/config.json ]; then
 # Copy default config.json
 cp /templates/config.json "$HOME"/config.json
- chmod 777 "$HOME"/config.json
+ chmod 755 "$HOME"/config.json
 bashio::log.warning "A default config.json file was copied in $HOME. Please customize according to https://github.com/claabs/epicgames-freegames-node#json-configuration and restart the add-on"
 sleep 5
 bashio::exit.nok
diff --git a/fireflyiii/rootfs/etc/cont-init.d/99-run.sh b/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
index 07a1129c4..1e1b8060a 100755
--- a/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
+++ b/fireflyiii/rootfs/etc/cont-init.d/99-run.sh
@@ -149,7 +149,7 @@ chmod -R 775 /config/addons_config/fireflyiii
 # Test
 f=/config/addons_config/fireflyiii
 while [[ $f != / ]]; do
- chmod 777 "$f"
+ chmod 755 "$f"
 f=$(dirname "$f")
 done
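Review bot: `chmod 755 "$HOME"/config.json` in the epicgamesfree hunk gives a JSON configuration file the executable bit, which contradicts the checklist added in this same commit ("Configuration files use `chmod 644` or more restrictive"); `chmod 644 "$HOME"/config.json` is the right replacement for a data file. If the add-on later rewrites this file as a non-root user, pair it with a `chown` to that user instead of widening the mode again.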
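Review bot: In the fireflyiii hunk the `while` loop starts at `f=/config/addons_config/fireflyiii`, so its first iteration applies `chmod 755` to the very directory that the `chmod -R 775 /config/addons_config/fireflyiii` shown in the hunk header sets to 775, stripping the group write bit that line appears to grant (assuming no other chmod runs in between, which I cannot see from here). If the 775 is intentional, start the walk one level up with `f=$(dirname /config/addons_config/fireflyiii)`, or move the `chmod 755` after the `f=$(dirname "$f")` step; otherwise drop the 775 so the two lines stop fighting. The loop otherwise correctly walks up to `/config` and stops before `/`.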
@@ -166,7 +166,7 @@ if bashio::config.has_value 'Updates'; then
 # Sets cron // do not delete this message
 cp /templates/cronupdate /etc/cron."${FREQUENCY}"/
- chmod 777 /etc/cron."${FREQUENCY}"/cronupdate
+ chmod 755 /etc/cron."${FREQUENCY}"/cronupdate
 # Sets cron to run with www-data user
 # sed -i 's|root|www-data|g' /etc/crontab
diff --git a/fireflyiii_data_importer/rootfs/etc/cont-init.d/99-run.sh b/fireflyiii_data_importer/rootfs/etc/cont-init.d/99-run.sh
index 63ece5c63..1448cc1dc 100755
--- a/fireflyiii_data_importer/rootfs/etc/cont-init.d/99-run.sh
+++ b/fireflyiii_data_importer/rootfs/etc/cont-init.d/99-run.sh
@@ -39,7 +39,7 @@ if bashio::config.has_value 'Updates'; then
 # Sets cron // do not delete this message
 cp /templates/cronupdate /etc/cron."${FREQUENCY}"/
- chmod 777 /etc/cron."${FREQUENCY}"/cronupdate
+ chmod 755 /etc/cron."${FREQUENCY}"/cronupdate
 # Sets cron to run with www-data user
 # sed -i 's|root|www-data|g' /etc/crontab
diff --git a/fireflyiii_fints_importer/rootfs/etc/cont-init.d/99-run.sh b/fireflyiii_fints_importer/rootfs/etc/cont-init.d/99-run.sh
index 848aa4de6..3bc095955 100755
--- a/fireflyiii_fints_importer/rootfs/etc/cont-init.d/99-run.sh
+++ b/fireflyiii_fints_importer/rootfs/etc/cont-init.d/99-run.sh
@@ -38,7 +38,7 @@ if bashio::config.has_value 'Updates'; then
 # Sets cron // do not delete this message
 freqDir="/etc/periodic/${FREQUENCY}"
 cp /templates/cronupdate "$freqDir/"
- chmod 777 "$freqDir/cronupdate"
+ chmod 755 "$freqDir/cronupdate"
 # Sets cron to run with www-data user
 # sed -i 's|root|www-data|g' /etc/crontab
diff --git a/flexget/rootfs/etc/cont-init.d/00-folders.sh b/flexget/rootfs/etc/cont-init.d/00-folders.sh
index e17be913a..ffa38c8f6 100755
--- a/flexget/rootfs/etc/cont-init.d/00-folders.sh
+++ b/flexget/rootfs/etc/cont-init.d/00-folders.sh
@@ -7,7 +7,7 @@ slug=flexget
 if [ -d /config/$slug ]; then
 echo "Moving to new location /config/addons_config/$slug"
 mkdir -p /config/addons_config/$slug
- chmod 777 /config/addons_config/$slug
+ chmod 755 /config/addons_config/$slug
 mv /config/$slug/* /config/addons_config/$slug/
 rm -r /config/$slug
 fi
@@ -15,5 +15,5 @@ fi
 if [ ! -d /config/addons_config/$slug ]; then
 echo "Creating /config/addons_config/$slug"
 mkdir -p /config/addons_config/$slug
- chmod 777 /config/addons_config/$slug
+ chmod 755 /config/addons_config/$slug
 fi
diff --git a/immich/rootfs/etc/cont-init.d/20-folders.sh b/immich/rootfs/etc/cont-init.d/20-folders.sh
index e29fda99c..6354f537e 100755
--- a/immich/rootfs/etc/cont-init.d/20-folders.sh
+++ b/immich/rootfs/etc/cont-init.d/20-folders.sh
@@ -56,7 +56,7 @@ mkdir -p "$REVERSE_GEOCODING_DUMP_DIRECTORY"
 chown -R "$PUID":"$PGID" "$MACHINE_LEARNING_CACHE_FOLDER"
 chown -R "$PUID":"$PGID" "$REVERSE_GEOCODING_DUMP_DIRECTORY"
 chown -R "$PUID":"$PGID" /data
-chmod 777 /data
+chmod 755 /data
 ####################
 # LIBRARY LOCATION #
@@ -91,5 +91,5 @@ echo "sed -i \"s=/config/redis=/data/redis=g\" /etc/s6*/s6*/*/run" >> /docker-mods
 echo "sed -i \"s=/config/log/redis=/data/log=g\" /etc/s6*/s6*/*/run" >> /docker-mods
 mkdir -p /data/redis
 mkdir -p /data/log
-chmod 777 /data/redis
-chmod 777 /data/log
+chmod 755 /data/redis
+chmod 755 /data/log
diff --git a/joplin/rootfs/etc/cont-init.d/99-run.sh b/joplin/rootfs/etc/cont-init.d/99-run.sh
index 5c7ff8eef..4e61bce67 100755
--- a/joplin/rootfs/etc/cont-init.d/99-run.sh
+++ b/joplin/rootfs/etc/cont-init.d/99-run.sh
@@ -29,7 +29,7 @@ ln -s "$LOCATION"/resources /home/joplin/packages/server
 chown -R joplin:joplin "$LOCATION"
 chmod -R 777 "$LOCATION"
-chmod 777 "$LOCATION/database.sqlite"
+chmod 755 "$LOCATION/database.sqlite"
 export SQLITE_DATABASE="$LOCATION/database.sqlite"
 if bashio::config.has_value 'POSTGRES_DATABASE'; then
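Review bot: In the joplin hunk the `chmod -R 777 "$LOCATION"` context line directly above is left untouched, so the whole data tree, `database.sqlite` included, remains world-writable, and the changed line then sets the database back to 755, which only adds an executable bit to a SQLite file. Since `chown -R joplin:joplin "$LOCATION"` already runs two lines earlier, the pair can collapse to a single `chmod -R u=rwX,g=rX,o= "$LOCATION"` (or `o=rX` if another user must read it) and the separate database `chmod` can be deleted. This assumes the server process runs as `joplin`, which the chown suggests but the visible lines do not prove.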
diff --git a/lidarr/rootfs/etc/cont-init.d/20-folders.sh b/lidarr/rootfs/etc/cont-init.d/20-folders.sh
index 6fe943bd1..24440d45c 100755
--- a/lidarr/rootfs/etc/cont-init.d/20-folders.sh
+++ b/lidarr/rootfs/etc/cont-init.d/20-folders.sh
@@ -17,7 +17,7 @@ fi
 if [ -d /config/lidarr ] && [ ! -d /config/addons_config/lidarr ]; then
 echo "Moving to new location /config/addons_config/lidarr"
 mkdir -p /config/addons_config/lidarr
- chmod 777 /config/addons_config/lidarr
+ chmod 755 /config/addons_config/lidarr
 mv /config/lidarr/* /config/addons_config/lidarr/
 rm -r /config/lidarr
 fi
@@ -25,5 +25,5 @@ fi
 if [ ! -d /config/addons_config/lidarr ]; then
 echo "Creating /config/addons_config/lidarr"
 mkdir -p /config/addons_config/lidarr
- chmod 777 /config/addons_config/lidarr
+ chmod 755 /config/addons_config/lidarr
 fi
diff --git a/nextcloud/rootfs/etc/cont-init.d/01-folders.sh b/nextcloud/rootfs/etc/cont-init.d/01-folders.sh
index c21c0b764..ebdb48a6b 100755
--- a/nextcloud/rootfs/etc/cont-init.d/01-folders.sh
+++ b/nextcloud/rootfs/etc/cont-init.d/01-folders.sh
@@ -24,9 +24,9 @@ else
 datadirectory=/config/data
 echo "Nextcloud is not installed yet, the default data directory is : $datadirectory. You can change it during nextcloud installation."
 mkdir -p /config/data
- chmod 777 /config/data
+ chmod 755 /config/data
 mkdir -p /share/nextcloud
- chmod 777 /share/nextcloud
+ chmod 755 /share/nextcloud
 fi
 # Is the directory valid
diff --git a/nzbget/rootfs/etc/cont-init.d/20-folders.sh b/nzbget/rootfs/etc/cont-init.d/20-folders.sh
index b6a77c7d1..e77545b2a 100755
--- a/nzbget/rootfs/etc/cont-init.d/20-folders.sh
+++ b/nzbget/rootfs/etc/cont-init.d/20-folders.sh
@@ -15,4 +15,4 @@ if [ -f "/homeassistant/addons_autoscripts/$slug.sh" ]; then
 mv /homeassistant/addons_autoscripts/$slug.sh /config/
 fi
-chmod 777 /config/*
+chmod 755 /config/*
diff --git a/ombi/rootfs/etc/cont-init.d/20-folders.sh b/ombi/rootfs/etc/cont-init.d/20-folders.sh
index 5a3d3b070..cdbf6f046 100755
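Review bot: `chmod 755 /config/*` in the nzbget hunk sets the executable bit on every regular file in `/config`, including nzbget's own configuration, and the unquoted glob still expands to the literal `/config/*` when the directory is empty, so the `chmod` fails there (fatal if the script runs under `set -e`, which I cannot see from the hunk; the old 777 line had the same problem). Prefer `chmod -R u=rwX,go=rX /config`, which keeps directories traversable, leaves data files non-executable and does not depend on the glob matching. The identical line in the sabnzbd hunk below needs the same change.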
--- a/ombi/rootfs/etc/cont-init.d/20-folders.sh
+++ b/ombi/rootfs/etc/cont-init.d/20-folders.sh
@@ -9,12 +9,12 @@ if [ ! -d /config/addons_config/$slug ]; then
 if [ -d /config/$slug ]; then
 echo "Moving to new location /config/addons_config/$slug"
 mkdir -p /config/addons_config/$slug
- chmod 777 /config/addons_config/$slug
+ chmod 755 /config/addons_config/$slug
 mv /config/$slug/* /config/addons_config/$slug/
 rm -r /config/$slug
 fi
 echo "Creating /config/addons_config/$slug"
 mkdir -p /config/addons_config/$slug
- chmod 777 /config/addons_config/$slug
+ chmod 755 /config/addons_config/$slug
 fi
diff --git a/sabnzbd/rootfs/etc/cont-init.d/20-folders.sh b/sabnzbd/rootfs/etc/cont-init.d/20-folders.sh
index dc407754d..d37566395 100755
--- a/sabnzbd/rootfs/etc/cont-init.d/20-folders.sh
+++ b/sabnzbd/rootfs/etc/cont-init.d/20-folders.sh
@@ -15,4 +15,4 @@ if [ -f "/homeassistant/addons_autoscripts/$slug.sh" ]; then
 mv /homeassistant/addons_autoscripts/$slug.sh /config/
 fi
-chmod 777 /config/*
+chmod 755 /config/*
diff --git a/scrutiny/rootfs/etc/cont-init.d/90-run.sh b/scrutiny/rootfs/etc/cont-init.d/90-run.sh
index 999ecbbe5..9269a8eac 100755
--- a/scrutiny/rootfs/etc/cont-init.d/90-run.sh
+++ b/scrutiny/rootfs/etc/cont-init.d/90-run.sh
@@ -21,7 +21,7 @@ if bashio::config.true "expose_collector"; then
 ln -sf /share/scrutiny/collector.yaml /data/config || true
 mkdir -p /opt/scrutiny/config
 ln -sf /share/scrutiny/collector.yaml /opt/scrutiny/config/collector.yaml || true
- chmod 777 -R /share/scrutiny
+ chmod 755 -R /share/scrutiny
 fi
 ########
diff --git a/transmission_openvpn/rootfs/etc/cont-init.d/99-run.sh b/transmission_openvpn/rootfs/etc/cont-init.d/99-run.sh
index b427f4ebc..982958a0e 100755
--- a/transmission_openvpn/rootfs/etc/cont-init.d/99-run.sh
+++ b/transmission_openvpn/rootfs/etc/cont-init.d/99-run.sh
@@ -174,7 +174,7 @@ if bashio::config.true 'auto_restart'; then
 set -o posix
 export -p
 ) > /env.sh
- chmod 777 /env.sh
+ chmod 755 /env.sh
 chmod +x /usr/bin/restart_addon
 sed -i "1a . /env.sh; /usr/bin/restart_addon >/proc/1/fd/1 2>/proc/1/fd/2" /etc/openvpn/tunnelDown.sh
diff --git a/ubooquity/rootfs/etc/cont-init.d/00-folders.sh b/ubooquity/rootfs/etc/cont-init.d/00-folders.sh
index c60090fad..0282d031e 100755
--- a/ubooquity/rootfs/etc/cont-init.d/00-folders.sh
+++ b/ubooquity/rootfs/etc/cont-init.d/00-folders.sh
@@ -9,14 +9,14 @@ if [ ! -d /config/addons_config/$slug ]; then
 if [ -d /config/$slug ]; then
 echo "Moving to new location /config/addons_config/$slug"
 mkdir -p /config/addons_config/$slug
- chmod 777 /config/addons_config/$slug
+ chmod 755 /config/addons_config/$slug
 mv /config/$slug/* /config/addons_config/$slug/
 rm -r /config/$slug
 fi
 echo "Creating /config/addons_config/$slug"
 mkdir -p /config/addons_config/$slug
- chmod 777 /config/addons_config/$slug
+ chmod 755 /config/addons_config/$slug
 fi
 # Remove empty config file
diff --git a/webtop_kde/rootfs/etc/cont-init.d/20-folders.sh b/webtop_kde/rootfs/etc/cont-init.d/20-folders.sh
index 0c0e44ab4..a87126ba1 100755
--- a/webtop_kde/rootfs/etc/cont-init.d/20-folders.sh
+++ b/webtop_kde/rootfs/etc/cont-init.d/20-folders.sh
@@ -70,7 +70,7 @@ mkdir -p "$LOCATION"
 # Create cache
 mkdir -p /.cache
-chmod 777 /.cache
+chmod 755 /.cache
 if [ -d "/config/.cache" ]; then
 cp -rf /config/.cache /.cache
 rm -r /config/.cache
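Review bot: In the transmission_openvpn hunk `/env.sh` is a dump of the entire process environment (`export -p` on the lines above), which in a VPN add-on very plausibly includes the VPN username and password and other secrets; `chmod 755` leaves that file world-readable. The file is only ever sourced (`. /env.sh` inside the `sed` line), so it needs no execute bit at all: `chmod 600 /env.sh` is sufficient and is what the checklist added in this commit prescribes for sensitive files. I cannot see from the hunk which variables are exported, so confirm against the add-on's options, but defaulting to 600 costs nothing here. The enclosing `if bashio::config.true 'auto_restart'` block continues past the hunk.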