From 5dd9ea36ae5fd6b477a32ec283b928eef9900303 2018-11-17 23:19:33 From: Unknown Date: 2018-11-17 23:19:33 Subject: [PATCH] fixes - replaced backticks with $() - enhanced iptables fix - more escape fixes thx to shellcheck.net (no sponsor just a nice page) - if-conditions (!-z equals -n) - if piping find in xargs - use -print0 | -0 (shellcheck.net) - added selecting mmc dev 0 in uboot.mkimg --- diff --git a/bootstrap.d/13-kernel.sh b/bootstrap.d/13-kernel.sh index 7805160..054b554 100644 --- a/bootstrap.d/13-kernel.sh +++ b/bootstrap.d/13-kernel.sh @@ -28,8 +28,8 @@ if [ "$BUILD_KERNEL" = true ] ; then as_nobody -H git -C "${temp_dir}" clone --depth=1 "${KERNEL_URL}" linux else as_nobody -H git -C "${temp_dir}" clone --depth=1 --branch "${KERNEL_BRANCH}" "${KERNEL_URL}" linux - fi - + fi + # Copy downloaded kernel sources cp -r "${temp_dir}/linux/"* "${R}/usr/src/linux/" @@ -107,9 +107,9 @@ if [ "$BUILD_KERNEL" = true ] ; then echo "CONFIG_CRYPTO_CBC=y" echo "CONFIG_CRYPTO_XTS=y" echo "CONFIG_CRYPTO_SHA512=y" - echo "CONFIG_CRYPTO_MANAGER=y" + echo "CONFIG_CRYPTO_MANAGER=y" } >> ${KERNEL_DIR}/.config - fi + fi fi # Copy custom kernel configuration file @@ -176,14 +176,14 @@ if [ "$BUILD_KERNEL" = true ] ; then mkdir "${BOOT_DIR}" # Get kernel release version - KERNEL_VERSION=`cat "${KERNEL_DIR}/include/config/kernel.release"` + KERNEL_VERSION=$(cat "${KERNEL_DIR}/include/config/kernel.release") # Copy kernel configuration file to the boot directory install_readonly "${KERNEL_DIR}/.config" "${R}/boot/config-${KERNEL_VERSION}" # Prepare device tree directory mkdir "${BOOT_DIR}/overlays" - + # Ensure the proper .dtb is located if [ "$KERNEL_ARCH" = "arm" ] ; then for dtb in "${KERNEL_DIR}/arch/${KERNEL_ARCH}/boot/dts/"*.dtb ; do diff --git a/bootstrap.d/21-firewall.sh b/bootstrap.d/21-firewall.sh index 1cabec2..d078ba1 100644 --- a/bootstrap.d/21-firewall.sh +++ b/bootstrap.d/21-firewall.sh 
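Review bot: In bootstrap.d/13-kernel.sh (hunk at -176), `KERNEL_VERSION` is read from `kernel.release` without checking that the read produced anything, and the next line uses it to build `${R}/boot/config-${KERNEL_VERSION}`. If the file is missing or empty, the script would install a file literally named `config-`, unless it runs under `set -e`, which is not visible here. Adding `[ -n "${KERNEL_VERSION}" ] || exit 1` right after the assignment makes the failure explicit. The enclosing `if [ "$BUILD_KERNEL" = true ]` block starts and ends outside the hunk.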
@@ -9,10 +9,11 @@ if [ "$ENABLE_IPTABLES" = true ] ; then # Create iptables configuration directory mkdir -p "${ETC_DIR}/iptables" - # make sure iptables-legacy,iptables-legacy-restore and iptables-legacy-save are the used alternatives - chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy - chroot_exec update-alternatives --verbose --set iptables-save /usr/sbin/iptables-legacy-save - chroot_exec update-alternatives --verbose --set iptables-restore /usr/sbin/iptables-legacy-restore + # make sure iptables-legacy is the used alternatives + #iptables-save and -restore are slaves of iptables and thus are set accordingly + if ! [ "$RELEASE" = jessie ] ; then + chroot_exec update-alternatives --verbose --set iptables /usr/sbin/iptables-legacy + fi # Install iptables systemd service install_readonly files/iptables/iptables.service "${ETC_DIR}/systemd/system/iptables.service" diff --git a/bootstrap.d/30-security.sh b/bootstrap.d/30-security.sh index 8b0e464..5fbfc7a 100644 --- a/bootstrap.d/30-security.sh +++ b/bootstrap.d/30-security.sh @@ -6,8 +6,8 @@ . ./functions.sh # Generate crypt(3) password string -ENCRYPTED_PASSWORD=`mkpasswd -m sha-512 "${PASSWORD}"` -ENCRYPTED_USER_PASSWORD=`mkpasswd -m sha-512 "${USER_PASSWORD}"` +ENCRYPTED_PASSWORD=$(mkpasswd -m sha-512 "${PASSWORD}") +ENCRYPTED_USER_PASSWORD=$(mkpasswd -m sha-512 "${USER_PASSWORD}") # Setup default user if [ "$ENABLE_USER" = true ] ; then diff --git a/bootstrap.d/32-sshd.sh b/bootstrap.d/32-sshd.sh index 162fdb2..9d28d51 100644 --- a/bootstrap.d/32-sshd.sh +++ b/bootstrap.d/32-sshd.sh @@ -28,7 +28,7 @@ if [ "$ENABLE_SSHD" = true ] ; then fi # Add SSH (v2) public key for user root - if [ ! -z "$SSH_ROOT_PUB_KEY" ] ; then + if [ -n "$SSH_ROOT_PUB_KEY" ] ; then # Create root SSH config directory mkdir -p "${R}/root/.ssh" 
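Review bot: In bootstrap.d/21-firewall.sh the new guard skips only jessie, but the `iptables-legacy` alternative is, as far as I know, registered only by the iptables 1.8 and later packaging, so any other release without it would still reach `update-alternatives --set` with a path that does not exist. Testing for the binary is more robust than naming releases, for example `if [ -x "${R}/usr/sbin/iptables-legacy" ] ; then`, assuming `${R}` is the chroot root as the other scripts in this patch suggest. A failed switch should be reported rather than ignored, because the iptables.service installed just below presumably loads the saved rules with whichever backend is active. The new comment would read better as `# iptables-save and iptables-restore are slave alternatives of iptables and follow it`.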
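Review bot: In bootstrap.d/30-security.sh both `mkpasswd` calls still pass the cleartext password as a command-line argument, so it is visible in the build host's process list while the command runs. mkpasswd can read the password from standard input instead: `ENCRYPTED_PASSWORD=$(printf '%s' "${PASSWORD}" | mkpasswd -m sha-512 --stdin)`, and the same for `USER_PASSWORD`. The script should also stop if either result is empty, because how an empty hash is consumed further down is not visible in this hunk.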
@@ -52,20 +52,20 @@ if [ "$ENABLE_SSHD" = true ] ; then if [ "$ENABLE_USER" = true ] ; then # Add SSH (v2) public key for user $USER_NAME - if [ ! -z "$SSH_USER_PUB_KEY" ] ; then + if [ -n "$SSH_USER_PUB_KEY" ] ; then # Create $USER_NAME SSH config directory mkdir -p "${R}/home/${USER_NAME}/.ssh" # Set permissions of $USER_NAME SSH config directory chroot_exec chmod 700 "/home/${USER_NAME}/.ssh" - chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh" + chroot_exec chown "${USER_NAME}":"${USER_NAME}" "/home/${USER_NAME}/.ssh" # Add SSH (v2) public key(s) to authorized_keys file cat "$SSH_USER_PUB_KEY" >> "${R}/home/${USER_NAME}/.ssh/authorized_keys" # Set permissions of $USER_NAME SSH config directory chroot_exec chmod 600 "/home/${USER_NAME}/.ssh/authorized_keys" - chroot_exec chown ${USER_NAME}:${USER_NAME} "/home/${USER_NAME}/.ssh/authorized_keys" + chroot_exec chown "${USER_NAME}":"${USER_NAME}" "/home/${USER_NAME}/.ssh/authorized_keys" if [ "$ENABLE_REDUCE" = false ] || [ "$REDUCE_SSHD" = false ] ; then # Allow SSH public key authentication @@ -85,7 +85,7 @@ if [ "$ENABLE_SSHD" = true ] ; then allowed_users="${allowed_users} ${USER_NAME}" fi - if [ ! -z "$allowed_users" ] ; then + if [ -n "$allowed_users" ] ; then echo "AllowUsers ${allowed_users}" >> "${ETC_DIR}/ssh/sshd_config" fi fi @@ -113,4 +113,4 @@ if [ "$ENABLE_SSHD" = true ] ; then if [ "$ENABLE_REDUCE" = true ] && [ "$REDUCE_SSHD" = true ] ; then sed "s|^DROPBEAR_EXTRA_ARGS=.*|DROPBEAR_EXTRA_ARGS=\"${DROPBEAR_ARGS}\"|g" "${ETC_DIR}/default/dropbear" fi -fi +fi \ No newline at end of file diff --git a/bootstrap.d/41-uboot.sh b/bootstrap.d/41-uboot.sh index a7f4709..67c4657 100644 --- a/bootstrap.d/41-uboot.sh +++ b/bootstrap.d/41-uboot.sh 
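Review bot: In bootstrap.d/32-sshd.sh (hunk at -52), `[ -n "$SSH_USER_PUB_KEY" ]` only proves the variable is non-empty; the `cat "$SSH_USER_PUB_KEY" >> …/authorized_keys` below can still hit a path that does not exist or is unreadable, and the following lines go on to set ownership and enable public key authentication. Checking the file as well, `if [ -n "$SSH_USER_PUB_KEY" ] && [ -r "$SSH_USER_PUB_KEY" ] ; then`, or failing with a message when it is unreadable, avoids an image whose key setup silently did nothing. The root-key test in the hunk at -28 has the same shape. The second `# Set permissions of $USER_NAME SSH config directory` comment sits above the `authorized_keys` chmod and should read `# Set permissions of $USER_NAME authorized_keys file`. The enclosing `if` blocks continue outside the hunk.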
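Review bot: In the last hunk of bootstrap.d/32-sshd.sh (at -113), the `sed "s|^DROPBEAR_EXTRA_ARGS=.*|…|g" "${ETC_DIR}/default/dropbear"` context line has no `-i` and no redirection, so it prints the edited text to stdout and leaves the dropbear defaults file unchanged. Whatever options `DROPBEAR_ARGS` carries are therefore never applied to the image. `sed -i "s|^DROPBEAR_EXTRA_ARGS=.*|DROPBEAR_EXTRA_ARGS=\"${DROPBEAR_ARGS}\"|g" "${ETC_DIR}/default/dropbear"` would write the change. The hunk itself only removes the newline at the end of the file, which is better kept so the script stays a well-formed text file.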
@@ -32,7 +32,7 @@ if [ "$ENABLE_UBOOT" = true ] ; then fi # Build and install U-Boot inside chroot - chroot_exec make -j${KERNEL_THREADS} -C /tmp/u-boot/ ${UBOOT_CONFIG} all + chroot_exec make -j"${KERNEL_THREADS}" -C /tmp/u-boot/ "${UBOOT_CONFIG}" all # Copy compiled bootloader binary and set config.txt to load it install_exec "${R}/tmp/u-boot/tools/mkimage" "${R}/usr/sbin/mkimage" diff --git a/bootstrap.d/99-reduce.sh b/bootstrap.d/99-reduce.sh index c339e0d..25ec9fe 100644 --- a/bootstrap.d/99-reduce.sh +++ b/bootstrap.d/99-reduce.sh @@ -25,8 +25,8 @@ if [ "$ENABLE_REDUCE" = true ] ; then # Remove all doc files if [ "$REDUCE_DOC" = true ] ; then - find "${R}/usr/share/doc" -depth -type f ! -name copyright | xargs rm || true - find "${R}/usr/share/doc" -empty | xargs rmdir || true + find "${R}/usr/share/doc" -depth -type f ! -name copyright -print0 | xargs -0 rm || true + find "${R}/usr/share/doc" -empty -print0 | xargs -0 rmdir || true fi # Remove all man pages and info files @@ -36,7 +36,7 @@ if [ "$ENABLE_REDUCE" = true ] ; then # Remove all locale translation files if [ "$REDUCE_LOCALE" = true ] ; then - find "${R}/usr/share/locale" -mindepth 1 -maxdepth 1 ! -name 'en' | xargs rm -r + find "${R}/usr/share/locale" -mindepth 1 -maxdepth 1 ! -name 'en' -print0 | xargs -0 rm -r fi # Remove hwdb PCI device classes (experimental) diff --git a/files/boot/uboot.mkimage b/files/boot/uboot.mkimage index 6ce6500..13267f6 100644 --- a/files/boot/uboot.mkimage +++ b/files/boot/uboot.mkimage @@ -8,6 +8,7 @@ setenv machid 0x00000c42 saveenv # Load the existing Linux kernel into RAM +mmc dev 0 fatload mmc 0:1 ${kernel_addr_r} kernel7.img fatload mmc 0:1 ${fdt_addr_r} ${dtbfile} fatload mmc 0:1 ${ramdisk_addr_r} ${initramfs}
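Review bot: In bootstrap.d/41-uboot.sh, quoting `"${UBOOT_CONFIG}"` changes behaviour when the variable is empty or holds more than one word: make now receives a single, possibly empty, target instead of none or several. Whether an empty value is possible is not visible here, but if it is, GNU make will stop on the empty target name. `${UBOOT_CONFIG:+"${UBOOT_CONFIG}"}` keeps the quoting while dropping the argument when the variable is unset or empty.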
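Review bot: In bootstrap.d/99-reduce.sh the find pipelines still start `rm` or `rmdir` when `find` prints nothing, and they delete under `${R}` without guarding against an empty value, in which case the paths would resolve to the build host's own /usr/share. Adding `-r` to xargs (a GNU xargs option), `--` before the operands and `${R:?}` covers both, e.g. `find "${R:?}/usr/share/locale" -mindepth 1 -maxdepth 1 ! -name 'en' -print0 | xargs -0 -r rm -r --`. That example is the locale pipeline in the hunk at -36; the two doc pipelines in the hunk at -25 need the same change. With `-r` in place, the `|| true` on the doc pipelines could be dropped so that real deletion errors are no longer hidden.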
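Review bot: In files/boot/uboot.mkimage the new `mmc dev 0` sits under the existing comment `# Load the existing Linux kernel into RAM` with no explanation of its own. A line such as `# Select MMC device 0 so the fatload commands below read from the expected card` above it would document why it is needed. Its result is also not checked, so a failed selection is presumably only noticed when the first `fatload` fails.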