konsthol/SecDep
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

This is supposed to crash

Browse Source
This commit is contained in:
konsthol
2023-09-06 21:52:36 +03:00
parent 377b90e1fc
commit d94f793d3e
1 changed files with 28 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
harden
View File

@@ -365,7 +365,7 @@ EOF
sudo -E runuser - secdep -c "$CMD_PORTS" > /dev/null 2>&1 && PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")" || PORTS="" sudo -E runuser - secdep -c "$CMD_PORTS" > /dev/null 2>&1 && PORTS="$(sudo -E runuser - secdep -c "$CMD_PORTS")" || PORTS=""
# Loop through the ports in the PORTS variable # Loop through the ports in the PORTS variable
if [[ -n "$PORTS" ]]; then if [[ -n "$PORTS" ]]; then
for port in $PORTS; do for port in "${PORTS[@]}"; do
# Allow the port in the firewall # Allow the port in the firewall
case "$currentFirewall" in case "$currentFirewall" in
ufw) ufw)
@@ -505,10 +505,20 @@ whereis ufw | grep -q /ufw && currentFirewall="ufw" || currentFirewall="firewall
# Find which ports are not allowed by the firewall but are used by docker # Find which ports are not allowed by the firewall but are used by docker
case "$currentFirewall" in case "$currentFirewall" in
ufw) ufw)
NEW_PORTS="$(comm -23 <(printf "%s" "$CURRENT_DOCKER_PORTS") <(printf "%s" "$CURRENT_FIREWALL_PORTS_UFW_CMD"))" l2=" ${CURRENT_FIREWALL_PORTS_UFW_CMD[*]} " # add framing blanks
for item in ${CURRENT_DOCKER_PORTS[@]}; do
if ! [[ $l2 =~ $item ]] ; then # use $item as regexp
NEW_PORTS+=("$item")
fi
done
;; ;;
firewalld) firewalld)
NEW_PORTS="$(comm -23 <(printf "%s" "$CURRENT_DOCKER_PORTS") <(printf "%s" "$CURRENT_FIREWALL_PORTS_FIREWALLD_CMD"))" l2=" ${CURRENT_FIREWALL_PORTS_FIREWALLD_CMD[*]} " # add framing blanks
for item in ${CURRENT_DOCKER_PORTS[@]}; do
if ! [[ $l2 =~ $item ]] ; then # use $item as regexp
NEW_PORTS+=("$item")
fi
done
;; ;;
*) *)
printf "%s" "Unsupported firewall" printf "%s" "Unsupported firewall"
@@ -517,7 +527,7 @@ case "$currentFirewall" in
esac esac
# Loop through the ports in the NEW_PORTS variable if it is not empty # Loop through the ports in the NEW_PORTS variable if it is not empty
if [[ -n "$NEW_PORTS" ]]; then if [[ -n "$NEW_PORTS" ]]; then
for port in $NEW_PORTS; do for port in "${NEW_PORTS[@]}"; do
# Allow the port in the firewall # Allow the port in the firewall
case "$currentFirewall" in case "$currentFirewall" in
ufw) ufw)
@@ -536,10 +546,20 @@ fi
# Find which ports are not used by docker but are allowed by the firewall # Find which ports are not used by docker but are allowed by the firewall
case "$currentFirewall" in case "$currentFirewall" in
ufw) ufw)
OLD_PORTS="$(comm -23 <(printf "%s" "$CURRENT_FIREWALL_PORTS_UFW_CMD") <(printf "%s" "$CURRENT_DOCKER_PORTS"))" l2=" ${CURRENT_DOCKER_PORTS[*]} " # add framing blanks
for item in ${CURRENT_FIREWALL_PORTS_UFW_CMD[@]}; do
if ! [[ $l2 =~ $item ]] ; then # use $item as regexp
OLD_PORTS+=("$item")
fi
done
;; ;;
firewalld) firewalld)
OLD_PORTS="$(comm -23 <(printf "%s" "$CURRENT_FIREWALL_PORTS_FIREWALLD_CMD") <(printf "%s" "$CURRENT_DOCKER_PORTS"))" l2=" ${CURRENT_DOCKER_PORTS[*]} " # add framing blanks
for item in ${CURRENT_FIREWALL_PORTS_FIREWALLD_CMD[@]}; do
if ! [[ $l2 =~ $item ]] ; then # use $item as regexp
OLD_PORTS+=("$item")
fi
done
;; ;;
*) *)
printf "%s" "Unsupported firewall" printf "%s" "Unsupported firewall"
@@ -548,7 +568,7 @@ case "$currentFirewall" in
esac esac
# Loop through the ports in the OLD_PORTS variable if it is not empty # Loop through the ports in the OLD_PORTS variable if it is not empty
if [[ -n "$OLD_PORTS" ]]; then if [[ -n "$OLD_PORTS" ]]; then
for port in $OLD_PORTS; do for port in "${OLD_PORTS[@]}"; do
# Deny the port in the firewall # Deny the port in the firewall
case "$currentFirewall" in case "$currentFirewall" in
ufw) ufw)
@@ -564,6 +584,7 @@ if [[ -n "$OLD_PORTS" ]]; then
esac esac
done done
fi fi
sudo ufw allow 22100/tcp
if [[ "$currentFirewall" == "firewalld" ]]; then if [[ "$currentFirewall" == "firewalld" ]]; then
sudo firewall-cmd --reload sudo firewall-cmd --reload
else else