Merge pull request splunk#629 from splunk/bugfix/provide-user-info-vi…

…a-params introduced secure-start shell to disable shell access for container p…
kruj0 · Feb 5, 2024 · dc4ebfc · dc4ebfc
2 parents 9665366 + d229186
commit dc4ebfc
Showing 1 changed file with 23 additions and 0 deletions.
diff --git a/splunk/common-files/entrypoint.sh b/splunk/common-files/entrypoint.sh
@@ -67,6 +67,9 @@ watch_for_failure(){
 		echo Ansible playbook complete, will begin streaming ${SPLUNK_TAIL_FILE}
 		${RUN_AS_SPLUNK} tail -n 0 -f ${SPLUNK_TAIL_FILE} &
 	fi
+	if [[ "$DISABLE_ENTIRE_SHELL_ACCESS" == "true" ]]; then
+		disable_entire_shell_access_for_container
+	fi
 	wait
 }
 
@@ -90,6 +93,12 @@ start() {
 	watch_for_failure
 }
 
+secure_start() {
+    start_and_exit
+    export DISABLE_ENTIRE_SHELL_ACCESS="true"
+    watch_for_failure
+}
+
 configure_multisite() {
 	prep_ansible
 	ansible-playbook $ANSIBLE_EXTRA_FLAGS -i inventory/environ.py -l localhost multisite.yml
@@ -103,6 +112,16 @@ restart(){
 	watch_for_failure
 }
 
+disable_entire_shell_access_for_container() {
+	if [[ "$DISABLE_ENTIRE_SHELL_ACCESS" == "true" ]]; then
+		bash -c "sudo usermod -s /sbin/nologin splunk"
+		bash -c "sudo usermod -s /sbin/nologin ansible"
+		sudo rm /bin/sh
+		sudo rm /bin/bash
+		sudo ln -s /bin/busybox /bin/sh
+	fi
+}
+
 user_permission_change(){
 	if [[ "$STEPDOWN_ANSIBLE_USER" == "true" ]]; then
 		bash -c "sudo deluser -q ansible sudo"
@@ -175,6 +194,10 @@ case "$1" in
 		tail -n 0 -f /etc/hosts &
 		wait
 		;;
+	secure-start|secure-start-service)
+		shift
+		secure_start $@
+		;;
 	bash|splunk-bash)
 		/bin/bash --init-file ${SPLUNK_HOME}/bin/setSplunkEnv
 		;;