use cap in Linux and add openssf badge

This commit is contained in:
florian 2023-10-26 00:07:11 +02:00
parent 0975de1238
commit 58d6b81423
No known key found for this signature in database
GPG key ID: 93EE47CC3D061500
7 changed files with 23 additions and 17 deletions


@ -19,6 +19,8 @@
- [MISC] Add HTML sanitization when injecting code in pages in the UI
- [MISC] Optimize the way the UI handles services creation and edition
- [MISC] Optimize certbot renew script to renew all domains in one command
- [MISC] Use capability instead of sudo in Linux
- [SECURITY] Init work on OpenSSF best practices
## v1.5.2 - 2023/09/10


@ -12,8 +12,8 @@
<br />
<img src="https://img.shields.io/github/issues/bunkerity/bunkerweb">
<img src="https://img.shields.io/github/issues-pr/bunkerity/bunkerweb">
<a href="https://securityscorecards.dev/viewer/?uri=github.com/bunkerity/bunkerweb">
<img src="https://api.securityscorecards.dev/projects/github.com/bunkerity/bunkerweb/badge" />
<a href="https://www.bestpractices.dev/projects/8001">
<img src="https://www.bestpractices.dev/projects/8001/badge">
</a>
</p>


@ -29,7 +29,7 @@ if [ -f /etc/os-release ]; then
echo " Copy /var/tmp/ui.env to /etc/bunkerweb/ui.env"
do_and_check_cmd cp -f /var/tmp/ui.env /etc/bunkerweb/ui.env
fi
elif [[ "$OS" == "CentOS Linux" || "$OS" == "Fedora" ]]; then
elif [[ "$OS" == "Red Hat Enterprise Linux" || "$OS" == "Fedora" ]]; then
# Get the version of the package
VERSION=$(rpm -q --queryformat '%{VERSION}' bunkerweb)
if [ "$(printf '%s\n' "$VERSION" "$(echo '1.5.3' | tr -d ' ')" | sort -V | head -n 1)" = "$VERSION" ] && [ -f /var/tmp/variables.env ] && [ -f /var/tmp/ui.env ]; then
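Review bot: The rewritten `elif` now matches only `Red Hat Enterprise Linux` and `Fedora`, so a host whose /etc/os-release NAME is `CentOS Linux` no longer enters the rpm branch and silently skips the version check and the ui.env/variables.env migration that follow. If CentOS remains a supported target, keep it in the test, e.g. `elif [[ "$OS" == "Red Hat Enterprise Linux" || "$OS" == "CentOS Linux" || "$OS" == "Fedora" ]]; then`; if dropping it is intended, a one-line comment saying so above the `elif` would stop the next reader from re-adding it. The if/elif chain begins before this hunk and the version comparison on its last line continues after it.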


@ -91,7 +91,7 @@ function start() {
log "SYSTEMCTL" "" "Starting BunkerWeb service ..."
echo "nginx ALL=(ALL) NOPASSWD: /usr/sbin/nginx" > /etc/sudoers.d/bunkerweb
setcap 'CAP_NET_BIND_SERVICE=+eip' /usr/sbin/nginx
chown -R nginx:nginx /etc/nginx
# Create dummy variables.env
@ -107,6 +107,10 @@ function start() {
stop_nginx
# Generate temp conf for jobs and start nginx
DNS_RESOLVERS="$(grep "^DNS_RESOLVERS=" /etc/bunkerweb/variables.env | cut -d '=' -f 2)"
if [ "$DNS_RESOLVERS" = "" ] ; then
DNS_RESOLVERS="8.8.8.8 8.8.4.4"
fi
API_HTTP_PORT="$(grep "^API_HTTP_PORT=" /etc/bunkerweb/variables.env | cut -d '=' -f 2)"
if [ "$API_HTTP_PORT" = "" ] ; then
API_HTTP_PORT="5000"
@ -137,13 +141,13 @@ function start() {
fi
HTTP_PORT="$(grep "^HTTP_PORT=" /etc/bunkerweb/variables.env | cut -d '=' -f 2)"
if [ "$HTTP_PORT" = "" ] ; then
HTTP_PORT="8080"
HTTP_PORT="80"
fi
HTTPS_PORT="$(grep "^HTTPS_PORT=" /etc/bunkerweb/variables.env | cut -d '=' -f 2)"
if [ "$HTTPS_PORT" = "" ] ; then
HTTPS_PORT="8443"
HTTPS_PORT="443"
fi
sudo -E -u nginx -g nginx /bin/bash -c "echo -ne 'IS_LOADING=yes\nUSE_BUNKERNET=no\nSERVER_NAME=\nAPI_HTTP_PORT=${API_HTTP_PORT}\nAPI_SERVER_NAME=${API_SERVER_NAME}\nAPI_WHITELIST_IP=${API_WHITELIST_IP}\nUSE_REAL_IP=${USE_REAL_IP}\nUSE_PROXY_PROTOCOL=${USE_PROXY_PROTOCOL}\nREAL_IP_FROM=${REAL_IP_FROM}\nREAL_IP_HEADER=${REAL_IP_HEADER}\nHTTP_PORT=${HTTP_PORT}\nHTTPS_PORT=${HTTPS_PORT}\n' > /var/tmp/bunkerweb/tmp.env"
sudo -E -u nginx -g nginx /bin/bash -c "echo -ne 'IS_LOADING=yes\nUSE_BUNKERNET=no\nSERVER_NAME=\nDNS_RESOLVERS=${DNS_RESOLVERS}\nAPI_HTTP_PORT=${API_HTTP_PORT}\nAPI_SERVER_NAME=${API_SERVER_NAME}\nAPI_WHITELIST_IP=${API_WHITELIST_IP}\nUSE_REAL_IP=${USE_REAL_IP}\nUSE_PROXY_PROTOCOL=${USE_PROXY_PROTOCOL}\nREAL_IP_FROM=${REAL_IP_FROM}\nREAL_IP_HEADER=${REAL_IP_HEADER}\nHTTP_PORT=${HTTP_PORT}\nHTTPS_PORT=${HTTPS_PORT}\n' > /var/tmp/bunkerweb/tmp.env"
sudo -E -u nginx -g nginx /bin/bash -c "PYTHONPATH=/usr/share/bunkerweb/deps/python/ /usr/share/bunkerweb/gen/main.py --variables /var/tmp/bunkerweb/tmp.env --no-linux-reload"
# shellcheck disable=SC2181
if [ $? -ne 0 ] ; then
@ -157,8 +161,8 @@ function start() {
fi
# Start nginx
log "SYSTEMCTL" "" "Starting temp nginx ..."
nginx -e /var/log/bunkerweb/error.log
log "SYSTEMCTL" "" "Starting nginx ..."
sudo -E -u nginx -g nginx /usr/sbin/nginx -e /var/log/bunkerweb/error.log
# shellcheck disable=SC2181
if [ $? -ne 0 ] ; then
log "SYSTEMCTL" "❌" "Error while executing temp nginx"
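Review bot: In the first hunk the script stops writing `/etc/sudoers.d/bunkerweb` but never removes it, so an installation upgraded from an earlier release keeps the `nginx ALL=(ALL) NOPASSWD: /usr/sbin/nginx` rule in addition to the new file capability; adding `rm -f /etc/sudoers.d/bunkerweb` beside the `setcap` line retires the broader grant. The `setcap` call itself is unchecked, unlike the later steps that test `$?`, and if it fails (for instance on a filesystem without extended-attribute support) the temp nginx started as the nginx user in the last hunk cannot bind the new defaults of 80 and 443 — `setcap 'CAP_NET_BIND_SERVICE=+eip' /usr/sbin/nginx || { log "SYSTEMCTL" "❌" "Error while setting capabilities on nginx"; exit 1; }` makes the failure visible at the point it happens. File capabilities are stored as an xattr on the binary and are presumably lost when the nginx package replaces it, so the same call likely belongs in the package post-install hook as well. start() begins before the first hunk and continues after the last one.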


@ -160,7 +160,7 @@ class JobScheduler(ApiCaller):
if self.__integration not in ("Autoconf", "Swarm", "Kubernetes", "Docker"):
self.__logger.info("Reloading nginx ...")
proc = run(
["sudo", join(sep, "usr", "sbin", "nginx"), "-s", "reload"],
[join(sep, "usr", "sbin", "nginx"), "-s", "reload"],
stdin=DEVNULL,
stderr=PIPE,
env=self.__env,
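Review bot: Removing `sudo` from the reload command means `nginx -s reload` now signals the nginx master as the scheduler's own user, and a CAP_NET_BIND_SERVICE file capability on the binary does not grant permission to signal a process owned by a different uid; this works only when the scheduler runs as the same user that started nginx, which nothing in this hunk establishes. A comment at the changed line such as `# No sudo: nginx runs as the same user as this scheduler, so -s reload can signal the master directly` would record that assumption where the next maintainer will look. The same point applies to the `-s stop` and start calls in the main.py and Instance sections below. The enclosing method continues past the hunk.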


@ -527,7 +527,7 @@ if __name__ == "__main__":
# Stop temp nginx
logger.info("Stopping temp nginx ...")
proc = subprocess_run(
["sudo", join(sep, "usr", "sbin", "nginx"), "-s", "stop"],
[join(sep, "usr", "sbin", "nginx"), "-s", "stop"],
stdin=DEVNULL,
stderr=STDOUT,
env=env.copy(),
@ -548,7 +548,7 @@ if __name__ == "__main__":
# Start nginx
logger.info("Starting nginx ...")
proc = subprocess_run(
["sudo", join(sep, "usr", "sbin", "nginx")],
[join(sep, "usr", "sbin", "nginx")],
stdin=DEVNULL,
stderr=STDOUT,
env=env.copy(),


@ -46,7 +46,7 @@ class Instance:
if self._type == "local":
return (
run(
["sudo", join(sep, "usr", "sbin", "nginx"), "-s", "reload"],
[join(sep, "usr", "sbin", "nginx"), "-s", "reload"],
stdin=DEVNULL,
stderr=STDOUT,
check=False,
@ -60,7 +60,7 @@ class Instance:
if self._type == "local":
return (
run(
["sudo", join(sep, "usr", "sbin", "nginx")],
[join(sep, "usr", "sbin", "nginx")],
stdin=DEVNULL,
stderr=STDOUT,
check=False,
@ -74,7 +74,7 @@ class Instance:
if self._type == "local":
return (
run(
["sudo", join(sep, "usr", "sbin", "nginx"), "-s", "stop"],
[join(sep, "usr", "sbin", "nginx"), "-s", "stop"],
stdin=DEVNULL,
stderr=STDOUT,
check=False,
@ -87,7 +87,7 @@ class Instance:
def restart(self) -> bool:
if self._type == "local":
proc = run(
["sudo", join(sep, "usr", "sbin", "nginx"), "-s", "stop"],
[join(sep, "usr", "sbin", "nginx"), "-s", "stop"],
stdin=DEVNULL,
stderr=STDOUT,
check=False,
@ -96,7 +96,7 @@ class Instance:
return False
return (
run(
["sudo", join(sep, "usr", "sbin", "nginx")],
[join(sep, "usr", "sbin", "nginx")],
stdin=DEVNULL,
stderr=STDOUT,
check=False,
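Review bot: The five edited `run([join(sep, "usr", "sbin", "nginx"), ...], stdin=DEVNULL, stderr=STDOUT, check=False, ...)` calls in reload, start, stop and restart are now identical apart from the nginx arguments, so the binary path and the subprocess options are repeated in five places where one private helper would keep them in step. If the keyword arguments that follow `check=False` outside these hunks are the same in every call, a helper returning the `CompletedProcess` lets each existing `return (...)` expression stay as it is. Each hunk here cuts a method in the middle, and the `Instance` class itself starts before the first hunk.
```python
    _NGINX_BIN = join(sep, "usr", "sbin", "nginx")

    def _run_nginx(self, *args: str):
        """Invoke the local nginx binary with *args*; callers inspect the returned CompletedProcess."""
        return run(
            [self._NGINX_BIN, *args],
            stdin=DEVNULL,
            stderr=STDOUT,
            check=False,
        )
    # … unchanged: reload/start/stop/restart bodies, each call becoming e.g. self._run_nginx("-s", "reload") …
```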