Not a security vulnerability (at least in a way I can think of)
I assume I'm just very unlucky today and I triggered a somewhat dangerous bug in https://github.com/ArchiveBox/ArchiveBox/blob/dev/bin/setup.sh.
Preconditions
- No docker-compose binary (N.B. I don't think this binary is shipped anymore, so that detection will never pass, you might want to consider changing this)
- Having already previously manually ran a command like this, which initializes a archivebox data folder:
docker run -v ~/archivebox:/data -it -d -p 8000:8000 --name=archivebox archivebox/archivebox:latest init --setup
Notice that this chown's ~/archivebox, resulting in permission denied if you try to cd in it. This sets the stage for the bug.
Bug
Going through setup.sh, starting at line 52
|
mkdir -p ~/archivebox/data |
This fails, but the script continues.
This fails, but the script keeps running.
We are still in the user's home!
This fails, but the script keeps running.
We are still in the user's home!
|
docker run -v "$PWD":/data -it --rm archivebox/archivebox:latest init --setup |
This fails because it will refuse to init if folder is non-empty.
We are still in the user's home!
|
docker run -v "$PWD":/data -it -d -p 8000:8000 --name=archivebox archivebox/archivebox:latest |
This runs in the user's home. Many files get chown'd to the user ID 911, including the user's home directory itself. This renders the user unable to access his own files, and requires root to recover.
Some general advice
In general, any commands that can possibly fail in a shell script, when it fails unexpectedly (like the first mkdir -p command) should terminate the entire script. You might want to include a die function and use mkdir -p ~/archivebox/data || die, then it would have killed the script instead of letting it keep going.
Reference: https://stackoverflow.com/questions/7868818/in-bash-is-there-an-equivalent-of-die-error-msg
Questions
What does the program do after that command runs besides chown'ing the files? I'm considering recovering from a backup in case it changed any files.
Not a security vulnerability (at least in a way I can think of)
I assume I'm just very unlucky today and I triggered a somewhat dangerous bug in https://github.com/ArchiveBox/ArchiveBox/blob/dev/bin/setup.sh.
Preconditions
docker run -v ~/archivebox:/data -it -d -p 8000:8000 --name=archivebox archivebox/archivebox:latest init --setupNotice that this chown's ~/archivebox, resulting in permission denied if you try to cd in it. This sets the stage for the bug.
Bug
Going through setup.sh, starting at line 52
ArchiveBox/bin/setup.sh
Line 53 in 1148cad
This fails, but the script continues.
ArchiveBox/bin/setup.sh
Line 54 in 1148cad
This fails, but the script keeps running. We are still in the user's home!
ArchiveBox/bin/setup.sh
Line 58 in 1148cad
This fails, but the script keeps running. We are still in the user's home!
ArchiveBox/bin/setup.sh
Line 59 in 1148cad
This fails because it will refuse to init if folder is non-empty. We are still in the user's home!
ArchiveBox/bin/setup.sh
Line 62 in 1148cad
This runs in the user's home. Many files get chown'd to the user ID 911, including the user's home directory itself. This renders the user unable to access his own files, and requires root to recover.
Some general advice
In general, any commands that can possibly fail in a shell script, when it fails unexpectedly (like the first mkdir -p command) should terminate the entire script. You might want to include a
diefunction and usemkdir -p ~/archivebox/data || die, then it would have killed the script instead of letting it keep going.Reference: https://stackoverflow.com/questions/7868818/in-bash-is-there-an-equivalent-of-die-error-msg
Questions
What does the program do after that command runs besides chown'ing the files? I'm considering recovering from a backup in case it changed any files.