Merge pull request #22 from axiom-data-science/check-auth-keys-permis…

…sions Check authorized keys owner/group/permissions before running chmod/chown
axiom-data-science · Sep 9, 2024 · a6f6216 · a6f6216
2 parents cb48398 + 0abee3d
commit a6f6216
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -163,7 +163,10 @@ docker run \
 ### Over SSH
 
 If you would like to connect over ssh, you may mount your public key or
-`authorized_keys` file to `/root/.ssh/authorized_keys`.
+`authorized_keys` file to `/root/.ssh/authorized_keys`. This file
+must have owner root, group root, and 400 octal permissions.
+
+Alternatively, you may specify the `AUTHORIZED_KEYS` environment variable.
 
 Without setting up an `authorized_keys` file, you will be propted for the
 password (which was specified in the `PASSWORD` variable).

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -23,18 +23,42 @@ if [ -z "$PASSWORD" ]; then
     exit 1
 fi
 
+check_permissions(){
+    # Make sure target has uid 0, gid 0, and provided octal permissions
+    TARGET_PATH="$1"
+    TARGET_PERMISSIONS="$2"
+
+    EXISTING_UID=$(stat -c "%u" "$TARGET_PATH")
+    EXISTING_GID=$(stat -c "%g" "$TARGET_PATH")
+    EXISTING_PERMISSIONS=$(stat -c "%a" "$TARGET_PATH")
+
+    if [ "$EXISTING_UID" -ne "0" ] || [ "$EXISTING_GID" -ne "0" ]; then
+        echo "$TARGET_PATH should have owner and group root, attempting chown" >&2
+        chown root:root "$TARGET_PATH"
+    fi
+
+    if [ "$EXISTING_PERMISSIONS" -ne "$TARGET_PERMISSIONS" ]; then
+        echo "$TARGET_PATH should have $TARGET_PERMISSIONS permissions (currently $EXISTING_PERMISSIONS), attempting chmod" >&2
+        chmod "$TARGET_PERMISSIONS" "$TARGET_PATH"
+    fi
+}
+
 setup_sshd(){
-    if [ -e "/root/.ssh/authorized_keys" ]; then
-        chmod 400 /root/.ssh/authorized_keys
-        chown root:root /root/.ssh/authorized_keys
-    else
-        mkdir -p /root/.ssh
-        chown root:root /root/.ssh
-        if [ ! -z "$AUTHORIZED_KEYS" ]; then
-            echo "$AUTHORIZED_KEYS" > /root/.ssh/authorized_keys
-        fi
+    SSH_DIR="/root/.ssh"
+    AUTH_KEYS_PATH="${SSH_DIR}/authorized_keys"
+
+    if [ ! -d "$SSH_DIR" ]; then
+        install -d -m 700 "$SSH_DIR"
+    fi
+    check_permissions "$SSH_DIR" "700"
+
+    if [ ! -z "$AUTHORIZED_KEYS" ]; then
+        install -m 400 <(echo "$AUTHORIZED_KEYS") "$AUTH_KEYS_PATH"
+    fi
+    if [ -e "$AUTH_KEYS_PATH" ]; then
+        check_permissions "$AUTH_KEYS_PATH" "400"
     fi
-    chmod 750 /root/.ssh
+
     echo "root:$PASSWORD" | chpasswd
 }