update/refactor

2025-05-25 12:48:57 +03:00
parent 91d3a48177
commit af04718692
10 changed files with 211 additions and 104 deletions
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -20,11 +20,6 @@ ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
    PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1

-## local development
-# ENV PIP_INDEX="http://127.0.0.1:8081/repository/proxy_pypi/pypi/" \
-#     PIP_INDEX_URL="http://127.0.0.1:8081/repository/proxy_pypi/simple/" \
-#     PIP_TRUSTED_HOST="localhost"
-
 COPY /apt/preferences.backports  /etc/apt/preferences.d/backports
 COPY /apt/sources.debian         /etc/apt/sources.list.d/debian.sources

@@ -56,7 +51,6 @@ RUN apt-env.sh apt-get update ; \
      brotli \
      cron \
      curl \
-      dumb-init \
      file \
      gettext-base \
      gnupg \
@@ -65,6 +59,8 @@ RUN apt-env.sh apt-get update ; \
      jdupes \
      jq \
      less \
+      libcap2-bin \
+      libjemalloc2 \
      libnss-wrapper \
      logrotate \
      lsof \
@@ -83,9 +79,20 @@ RUN apt-env.sh apt-get update ; \
    apt-clean.sh

 ## perl-base: hardlink->symlink
-RUN d=/usr/bin ; \
-    find "$d/" -wholename "$d/perl5*" -exec ln -fsv perl {} ';' ; \
-    ls -li "$d/perl"*
+RUN set +e ; \
+    d=/usr/bin ; \
+    ls -li "$d/perl" ; \
+    find "$d/" -xdev -samefile "$d/perl" 2>/dev/null \
+    | grep -Fxv -e "$d/perl" \
+    | while read -r p ; do \
+        [ -n "$p" ] || continue ; \
+        [ -e "$p" ] || continue ; \
+        ls -li "$p" ; \
+        rm -fv "$p" ; \
+        ln -fsv perl "$p" ; \
+        ls -li "$p" ; \
+        echo ; \
+    done

 ## remove unwanted binaries
 RUN set -f ; \
@@ -195,22 +202,30 @@ RUN set -f ; \
     'write.*' \
      zramctl \
    ; do \
-        for d in /usr/sbin /usr/bin /sbin /bin ; do \
-            find "$d/" ! -type d -wholename "$d/$i" \
-            | while read -r p ; do \
-                [ -n "$p" ] || continue ; \
-                [ -e "$p" ] || continue ; \
-                dpkg -S "$p" >/dev/null 2>&1 || continue ; \
-                divert-rm.sh "$p" ; \
-            done ; \
+        ## try dpkg-divert first
+        for d in /usr/sbin /usr/bin ; do \
+            find "$d/" ! -type d -wholename "$d/$i" ; \
+        done \
+        | while read -r p ; do \
+            [ -n "$p" ] || continue ; \
+            [ -e "$p" ] || continue ; \
+            dpkg-search.sh "$p" || continue ; \
+        done \
+        | sed -E '/^diversion by/d' \
+        | sort -uV \
+        | while read -r pkg path ; do \
+            [ -n "${pkg}" ] || continue ; \
+            [ -e "${path}" ] || continue ; \
+            divert-rm.sh "${path}" ; \
        done ; \
-        for d in /usr/sbin /usr/bin /sbin /bin ; do \
-            find "$d/" ! -type d -wholename "$d/$i" \
-            | while read -r p ; do \
-                [ -n "$p" ] || continue ; \
-                [ -e "$p" ] || continue ; \
-                rm -fv "$p" ; \
-            done ; \
+        ## remove if still exists
+        for d in /usr/sbin /usr/bin ; do \
+            find "$d/" ! -type d -wholename "$d/$i" ; \
+        done \
+        | while read -r p ; do \
+            [ -n "$p" ] || continue ; \
+            [ -e "$p" ] || continue ; \
+            rm -fv "$p" ; \
        done ; \
    done ; \
    ## fixup
@@ -220,60 +235,42 @@ RUN set -f ; \
      /sbin/getty \
    ; :

-## remove excessive privileges from binaries
-RUN set -f ; \
-    for i in \
-      passwd \
-      su \
-    ; do \
-        for d in /usr/sbin /usr/bin /sbin /bin ; do \
-            find "$d/" ! -type d -wholename "$d/$i" \
-            | while read -r p ; do \
-                [ -n "$p" ] || continue ; \
-                [ -e "$p" ] || continue ; \
-                dpkg -S "$p" >/dev/null 2>&1 || continue ; \
-                o=$(env stat -c '%U' "$p") ; \
-                g=$(env stat -c '%G' "$p") ; \
-                ls -l "$p" ; \
-                dpkg-statoverride --update --add "$o" "$g" 0755 "$p" ; \
-                ls -l "$p" ; \
-                done ; \
-        done ; \
+## remove excessive privileges from binaries: setuid/setgid
+RUN find / -xdev -type f -perm /7000 \
+    | sort -V \
+    | while read -r p ; do \
+        [ -n "$p" ] || continue ; \
+        ## clear setuid/setgid bit
+        m=$(env stat -c '0%a' "$p") ; \
+        m=$(printf '0%o\n' $((m & 00777)) ) ; \
+        ## try to lookup in dpkg database
+        n=$(set +e ; dpkg-search.sh "$p" | sed -E '/^diversion by/d' | cut -d ' ' -f2-) ; \
+        ls -l "$p" ; \
+        if [ "$p" = "$n" ] ; then \
+            o=$(env stat -c '%U' "$n") ; \
+            g=$(env stat -c '%G' "$n") ; \
+            dpkg-statoverride --force --update --add "$o" "$g" "$m" "$n" ; \
+        else \
+            env printf 'unable to find in dpkg database: %q\n' "$n" ; \
+            chmod "$m" "$p" ; \
+        fi ; \
+        ls -l "$p" ; \
+    done
+
+## remove excessive privileges from binaries: setcap
+RUN find / -xdev -type f -executable -exec getcap {} + \
+    | sort -V \
+    | while read -r path caps ; do \
+        [ -n "${path}" ] || continue ; \
+        if [ "${path}" = /usr/bin/ping ] ; then continue ; fi ; \
+        getcap -v "${path}" ; \
+        setcap -r "${path}" "${caps}" 2>/dev/null || : ; \
+        getcap -v "${path}" ; \
    done

 ## "docker.io/python"-specific cleanup
 RUN env -C /root rm -f .bash_history .python_history .wget-hsts

-RUN pip-env.sh pip list --format freeze \
-    | grep -F '==' | awk -F= '{print $1}' \
-    | xargs -r pip-env.sh pip install -U ; \
-    python-rm-cache.sh "${PYTHON_SITE_PACKAGES}"
-
-RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
-    rm -rfv \
-      /usr/local/bin/idle* \
-      /usr/local/bin/pydoc* \
-      "${libpython}/ensurepip/_bundled" \
-      "${libpython}/idlelib" \
-      "${libpython}/pydoc.py" \
-      "${libpython}/pydoc_data" \
-      "${libpython}/tkinter" \
-      "${libpython}/turtle.py" \
-      "${libpython}/turtledemo" \
-    ; \
-    find "${PYTHON_SITE_PACKAGES}/" -iname '*.exe' -ls -delete ; \
-    python-rm-cache.sh /usr/local
-
-## adjust pip/certifi
-RUN certifi_pem="${PYTHON_SITE_PACKAGES}/pip/_vendor/certifi/cacert.pem" ; \
-    rm -f "${certifi_pem}" ; \
-    ln -s /etc/ssl/certs/ca-certificates.crt "${certifi_pem}"
-
-RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
-    find /run/ -mindepth 1 -ls -delete || : ; \
-    install -d -m 01777 /run/lock ; \
-    jdupes -1LSpr /usr/
-
 ## ---

 FROM base-intermediate AS certs
@@ -336,5 +333,40 @@ FROM base-intermediate AS base
 COPY --from=certs    /etc/ssl/certs/ca-certificates.*  /etc/ssl/certs/
 COPY --from=apt-gpg  /etc/apt/keyrings/                /etc/apt/keyrings/

+RUN python-rm-cache.sh /usr/local
+
+RUN pip-env.sh pip list --format freeze \
+    | grep -F '==' | awk -F= '{print $1}' \
+    | xargs -r pip-env.sh pip install -U ; \
+    python-rm-cache.sh /usr/local
+
+RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
+    rm -rfv \
+      /usr/local/bin/idle* \
+      /usr/local/bin/pydoc* \
+      "${libpython}/ensurepip/_bundled" \
+      "${libpython}/idlelib" \
+      "${libpython}/pydoc.py" \
+      "${libpython}/pydoc_data" \
+      "${libpython}/tkinter" \
+      "${libpython}/turtle.py" \
+      "${libpython}/turtledemo" \
+    ; \
+    find "${PYTHON_SITE_PACKAGES}/" -iname '*.exe' -ls -delete
+
+## adjust pip/certifi
+RUN certifi_pem="${PYTHON_SITE_PACKAGES}/pip/_vendor/certifi/cacert.pem" ; \
+    [ -d "${certifi_pem%/*}" ] || exit 0 ; \
+    rm -f "${certifi_pem}" ; \
+    ln -sv /etc/ssl/certs/ca-certificates.crt "${certifi_pem}"
+
+RUN apt-clean.sh
+
+RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
+    find /run/ -mindepth 1 -ls -delete || : ; \
+    install -d -m 01777 /run/lock ; \
+    jdupes -1LSpr /usr/local/ ; \
+    jdupes -1LSpr /usr/
+
 ENTRYPOINT [ ]
 CMD [ "bash" ]