From aa614f82f9bd98dadef87d48c5fba66d915e49d1 Mon Sep 17 00:00:00 2001
From: bunkerity
Date: Fri, 9 Apr 2021 14:54:15 +0200
Subject: [PATCH] print error when permissions are wrong on common volumes
---
 autoconf/entrypoint.sh | 6 ++++++
 confs/site/main-lua.conf | 1 +
 entrypoint/entrypoint.sh | 6 ++++++
 scripts/permissions.sh | 25 +++++++++++++++++++++++++
 4 files changed, 38 insertions(+)
 create mode 100644 scripts/permissions.sh
diff --git a/autoconf/entrypoint.sh b/autoconf/entrypoint.sh
index 16edf8b..ea1edc3 100644
--- a/autoconf/entrypoint.sh
+++ b/autoconf/entrypoint.sh
@@ -2,6 +2,12 @@
 echo "[*] Starting autoconf ..."
+# check permissions
+su -s "/opt/entrypoint/permissions.sh" nginx
+if [ "$?" -ne 0 ] ; then
+ exit 1
+fi
+
 if [ "$SWARM_MODE" = "yes" ] ; then
 cp -r /opt/confs/nginx/* /etc/nginx
 chown -R root:nginx /etc/nginx
diff --git a/confs/site/main-lua.conf b/confs/site/main-lua.conf
index 213d026..2d3a7f6 100644
--- a/confs/site/main-lua.conf
+++ b/confs/site/main-lua.conf
@@ -96,6 +96,7 @@ end
 -- check if user-agent is allowed
 if use_user_agent and ngx.var.bad_user_agent == "yes" then
+ local block = false
 for k, v in pairs(whitelist_user_agent) then
 if string.match(ngx.var.http_user_agent, v) then
 ngx.log(ngx.WARN, "[ALLOW] User-Agent " .. ngx.var.http_user_agent .. " is whitelisted")
diff --git a/entrypoint/entrypoint.sh b/entrypoint/entrypoint.sh
index 087bf3c..3b56651 100644
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@@ -52,6 +52,12 @@ if [ ! -f "/opt/installed" ] ; then
 echo "[*] Configuring bunkerized-nginx ..."
+ # check permissions
+ /opt/entrypoint/permissions.sh
+ if [ "$?" -ne 0 ] ; then
+ exit 1
+ fi
+
 # logs config
 /opt/entrypoint/logs.sh
diff --git a/scripts/permissions.sh b/scripts/permissions.sh
new file mode 100644
index 0000000..4e4597a
--- /dev/null
+++ b/scripts/permissions.sh
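Review bot: In autoconf/entrypoint.sh the new `su -s "/opt/entrypoint/permissions.sh" nginx` line only works if that path exists in the image and is executable, yet this patch adds the script as scripts/permissions.sh with mode 100644 and the diffstat shows no build file changed. If the image build (not visible here) does not already copy it to /opt/entrypoint and set the execute bit, su fails, `$?` is non-zero and the container exits 1 without printing any of the new error messages. The same dependency applies to the direct call added in entrypoint/entrypoint.sh. The status check can also be written `if ! su -s "/opt/entrypoint/permissions.sh" nginx ; then exit 1 ; fi`, which avoids reading `$?` on a separate line.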
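Review bot: In confs/site/main-lua.conf the added `local block = false` sits directly above a loop header that reads `for k, v in pairs(whitelist_user_agent) then`; Lua's generic `for` is opened with `do`, so as shown this chunk would not compile. That line is context rather than part of this change, but since the block is being edited it is worth correcting here: `for k, v in pairs(whitelist_user_agent) do`. If the chunk fails to load, the user-agent check and the other checks in this file would presumably not run as intended, so confirm how nginx behaves on that error. The use of `block` lies outside the hunk, and the change is unrelated to the permissions check named in the commit subject.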
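Review bot: In entrypoint/entrypoint.sh the script is called directly, so the tests run as whatever user executes the entrypoint, whereas autoconf/entrypoint.sh switches to nginx with `su`. If this entrypoint can run as root, `[ -r ]` and `[ -w ]` succeed regardless of the directory mode and the check cannot detect a volume that the nginx user is unable to use; the executing user is not visible in this hunk, so confirm it. The four distinct exit codes returned by permissions.sh are also flattened to `exit 1`; `/opt/entrypoint/permissions.sh || exit $?` would preserve them. The enclosing `if [ ! -f "/opt/installed" ]` block starts and ends outside the hunk.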
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# /etc/letsencrypt
+if [ ! -w "/etc/letsencrypt" ] || [ ! -r "/etc/letsencrypt" ] || [ ! -x "/etc/letsencrypt" ] ; then
+ echo "[!] ERROR - wrong permissions on /etc/letsencrypt"
+ exit 1
+fi
+
+# /www
+if [ ! -r "/www" ] || [ ! -x "/www" ] ; then
+ echo "[!] ERROR - wrong permissions on /www"
+ exit 2
+fi
+
+# /etc/nginx
+if [ ! -w "/etc/nginx" ] || [ ! -r "/etc/nginx" ] || [ ! -x "/etc/nginx" ] ; then
+ echo "[!] ERROR - wrong permissions on /etc/nginx"
+ exit 3
+fi
+
+# /acme-challenge
+if [ ! -w "/acme-challenge" ] || [ ! -r "/acme-challenge" ] || [ ! -x "/acme-challenge" ] ; then
+ echo "[!] ERROR - wrong permissions on /acme-challenge"
+ exit 4
+fi
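Review bot: The four checks in scripts/permissions.sh test only the top-level directory, so a volume whose root is accessible but whose files or subdirectories belong to another uid still passes here and fails later; a header comment such as `# only the directory itself is tested, not its contents` would set expectations. A path that does not exist is also reported as "wrong permissions", and a preceding `[ -d "/etc/letsencrypt" ]` test would separate the two cases. Printing the effective identity, for example `echo "[!] ERROR - wrong permissions on /www (running as uid $(id -u), gid $(id -g))" >&2`, tells the operator which owner to give the volume rather than widening its mode, and sends the error to stderr.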