From 3c4941bb88ac6bcfd93e297a922be4b80b8991ea Mon Sep 17 00:00:00 2001
From: Egor Tensin
Date: Sat, 3 Dec 2022 03:39:44 +0100
Subject: docker: chmod o-rwx the output directory
---
 docker/Dockerfile | 3 ++-
 docker/entrypoint.sh | 8 ++++++++
 docker/get_output_dir.py | 25 +++++++++++++++++++++++++
 3 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100755 docker/get_output_dir.py
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 08b7ad4..6bc6847 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -14,13 +14,14 @@ LABEL maintainer="Egor Tensin "
 RUN apk add --no-cache bash git openssh-client python3 tini
 COPY --from=build ["/deps", "/deps/"]
-ENV PYTHONPATH="/deps"
+ENV PYTHONPATH="/deps:/usr/src"
 ARG ssh_sock_dir=/
 ARG ssh_sock_path="$ssh_sock_dir/ssh-agent.sock"
 ENV SSH_AUTH_SOCK "$ssh_sock_path"
 COPY ["docker/entrypoint.sh", "/"]
+COPY ["docker/get_output_dir.py", "/"]
 COPY ["cgitize/", "/usr/src/cgitize/"]
 WORKDIR /usr/src
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 5674e36..61ecd1e 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -8,6 +8,13 @@ set -o errexit -o nounset -o pipefail
 readonly base_dir=/usr/src
+readonly cfg_path=/etc/cgitize/cgitize.toml
+
+secure_repo_dir() {
+ local dir
+ dir="$( /get_output_dir.py -- "$cfg_path" )"
+ chmod -- o-rwx "$dir"
+}
 schedule_to_cron() {
 local schedule
@@ -55,6 +62,7 @@ setup_cron_task() {
 }
 main() {
+ secure_repo_dir
 setup_cron_task "$@"
 }
diff --git a/docker/get_output_dir.py b/docker/get_output_dir.py
new file mode 100755
index 0000000..9c21a72
--- /dev/null
+++ b/docker/get_output_dir.py
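Review bot: `chmod -- o-rwx "$dir"` in secure_repo_dir assumes the configured output directory already exists when the entrypoint starts; with `set -o errexit` in force, a missing directory (a freshly created volume before the first run, or an empty output_dir value) makes chmod fail and aborts the container before setup_cron_task ever runs. If cgitize creates the directory itself on first run, either create it here first with `mkdir -p -- "$dir"` or let the mode change tolerate its absence, and make that decision explicit in a comment. Note also that chmod follows symlinks, so if output_dir is reached through one the mode change lands on the target, not the link; whether that matters depends on how the volume is mounted, which the hunk does not show. The `cfg_path` constant is the only place the config location is fixed while main still forwards `"$@"` to setup_cron_task, so if the config path can be passed on the command line elsewhere the two may disagree.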
@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+from argparse import ArgumentParser
+import sys
+
+from cgitize.config import Config
+
+
+def parse_args(argv=None):
+ if argv is None:
+ argv = sys.argv[1:]
+ parser = ArgumentParser()
+ parser.add_argument('config', metavar='PATH',
+ help='config file path')
+ return parser.parse_args(argv)
+
+
+def main(argv=None):
+ args = parse_args(argv)
+ cfg = Config.read(args.config)
+ print(cfg.main.output_dir)
+
+
+if __name__ == '__main__':
+ main()
-- 
cgit v1.2.3
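Review bot: The shebang `#!/usr/bin/env python` may not resolve inside the image: the Dockerfile hunk installs Alpine's `python3` package, which to my knowledge ships only a `python3` binary, and the entrypoint executes the script directly as `/get_output_dir.py` rather than through an explicit interpreter, so the lookup happens at container start. `#!/usr/bin/env python3` matches the interpreter the image actually installs and keeps the script working if a `python` alias is never added. parse_args and main also lack docstrings; a one-liner on main such as `"""Print the output directory configured in the given cgitize config file."""` explains why this helper exists next to the entrypoint, and `Config.read` presumably raises on a missing or malformed file, which surfaces as a traceback from the entrypoint — acceptable under errexit, but worth stating in the docstring.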