From 1b2f1ba941ed2b042a7c57232c3cd7005d38d497 Mon Sep 17 00:00:00 2001 
From: Ben Grande Date: Tue, 6 Aug 2024 17:04:16 +0200 Subject: [PATCH] fix: avoid operand evaluation as argument Explicit end option parsing as the shell can be quite dangerous without it. --- salt/dom0/files/backup/qusal.conf.example | 2 +- salt/dom0/files/bin/qubes-kde-win-rules | 4 +- salt/dom0/files/bin/qvm-mgmt | 4 +- salt/dom0/files/bin/qvm-pci-regain | 6 +-- salt/dom0/files/bin/qvm-port-forward | 17 +++---- salt/dom0/files/bin/qvm-screenshot | 10 ++-- salt/dotfiles | 2 +- .../files/client/rpc/qusal.InstallElectrum | 10 ++-- salt/mail/README.md | 6 +-- salt/mail/files/reader/rpc/qusal.MailFetch | 4 +- salt/mail/files/sender/rpc/qusal.MailEnqueue | 4 +- .../files/client/bin/bitcoin-rpcauth-save | 4 +- .../files/client/bin/bitcoin-tx-notify | 2 +- .../files/server/bin/bitcoin-dbcache | 4 +- .../server/bin/bitcoin-rpcwhitelist-cookie | 2 +- .../files/server/bin/bitcoin-whitepaper | 8 ++-- .../files/server/rpc/qusal.BitcoinAuthGet | 11 +++-- .../files/server/rpc/qusal.InstallBitcoin | 16 +++---- salt/sys-cacher/README.md | 4 +- .../files/browser/rc.local.d/50-sys-cacher.rc | 2 +- .../files/client/bin/apt-cacher-ng-repo | 48 +++++++++---------- .../apt-cacher-ng.service.d/50_qusal.conf | 2 +- .../files/server/rpc/qusal.InstallElectrs | 8 ++-- .../files/server/bin/electrumx-cookie-save | 5 +- .../files/server/rpc/qusal.InstallElectrumx | 8 ++-- .../files/client/git-core/git-remote-qrexec | 13 ++--- .../client/git-core/git-remote-qrexec-connect | 5 +- salt/sys-git/files/server/rpc/qusal.GitInit | 4 +- salt/sys-pgp/README.md | 2 +- salt/sys-pihole/files/admin/prefs.sh | 2 +- .../files/browser/rc.local.d/50-sys-pihole.rc | 2 +- .../server/network-hooks.d/50-sys-pihole.sh | 4 +- salt/sys-ssh-agent/README.md | 6 +-- .../qusal-ssh-agent-forwarder@.service | 2 +- .../files/server/bin/qvm-ssh-agent | 10 ++-- .../files/server/rpc/qusal.SshAgent | 2 +- salt/sys-ssh/README.md | 2 +- .../browser/rc.local.d/50-sys-syncthing.rc | 2 +- .../files/admin/bin/qvm-wireguard | 4 +- 
.../server/network-hooks.d/50-sys-wireguard | 2 +- .../qubes-firewall.d/50-sys-wireguard-var | 19 ++++---- scripts/pgp-lint.sh | 4 +- scripts/qubesbuilder-gen.sh | 14 +++--- scripts/salt-fix.sh | 12 ++--- scripts/salt-lint.sh | 6 +-- scripts/setup.sh | 8 ++-- scripts/shell-lint.sh | 2 +- scripts/spec-build.sh | 12 ++--- scripts/spec-gen.sh | 37 +++++++------- scripts/spec-get.sh | 10 ++-- scripts/toc-gen.sh | 2 +- scripts/yumrepo-gen.sh | 4 +- 52 files changed, 196 insertions(+), 189 deletions(-) diff --git a/salt/dom0/files/backup/qusal.conf.example b/salt/dom0/files/backup/qusal.conf.example index 8254a9c..8d0f4dc 100644 --- a/salt/dom0/files/backup/qusal.conf.example +++ b/salt/dom0/files/backup/qusal.conf.example @@ -17,7 +17,7 @@ compression: true passphrase_text: my-password destination_vm: backup-ssh -destination_path: ssh backup 'cat | tee /dir/qubes-backup-$(date +%Y-%m-%d-%H-%M-%S) >/dev/null' +destination_path: ssh backup 'cat | tee -- /dir/qubes-backup-$(date +%Y-%m-%d-%H-%M-%S) >/dev/null' ## $ qvm-backup-find-last backup-ssh /dir/ 'ssh backup' ## $ qvm-backup-restore --verify-only -d backup-ssh \ diff --git a/salt/dom0/files/bin/qubes-kde-win-rules b/salt/dom0/files/bin/qubes-kde-win-rules index d69fcfe..89bc4c3 100755 --- a/salt/dom0/files/bin/qubes-kde-win-rules +++ b/salt/dom0/files/bin/qubes-kde-win-rules @@ -25,10 +25,10 @@ writeconf(){ key="$2" value="$3" - group_id="$(grep -B1 -- "^Description=${group}$" "${file}" | head -1 | + group_id="$(grep -B1 -e "^Description=${group}$" -- "${file}" | head -1 | tr -d "[" | tr -d "]")" if test -z "${group_id}"; then - highest_id="$(grep -- "\[[0-9]\+\]" "${file}" | tr -d "[" | tr -d "]" | + highest_id="$(grep -e "\[[0-9]\+\]" -- "${file}" | tr -d "[" | tr -d "]" | sort | tail -1)" if test -n "${highest_id}"; then group_id="$((highest_id+1))" diff --git a/salt/dom0/files/bin/qvm-mgmt b/salt/dom0/files/bin/qvm-mgmt index 334975a..ee6c0dc 100755 --- a/salt/dom0/files/bin/qvm-mgmt 
+++ b/salt/dom0/files/bin/qvm-mgmt @@ -13,8 +13,8 @@ usage(){ get_qube_feat(){ qube="${1}" qvm-features "${qube}" | \ - grep -E "^(os-(distribution|version)|template-(release|name))" | \ - sed "s/ / /g;s/ /: /;s/^/ /" + grep -E -e "^(os-(distribution|version)|template-(release|name))" | \ + sed -e "s/ / /g;s/ /: /;s/^/ /" } case "${1-}" in diff --git a/salt/dom0/files/bin/qvm-pci-regain b/salt/dom0/files/bin/qvm-pci-regain index 2e3aaf7..d8aa9f4 100755 --- a/salt/dom0/files/bin/qvm-pci-regain +++ b/salt/dom0/files/bin/qvm-pci-regain @@ -37,7 +37,7 @@ esac uid="$(id -u)" test "${uid}" = "0" || exec sudo "${0}" -echo "${device}" | tee /sys/bus/pci/drivers/pciback/unbind -modalias="$(cat "/sys/bus/pci/devices/${device}/modalias")" +echo "${device}" | tee -- /sys/bus/pci/drivers/pciback/unbind +modalias="$(cat -- "/sys/bus/pci/devices/${device}/modalias")" module="$(modprobe -R "${modalias}" | head -n 1)" -echo "${device}" | tee "/sys/bus/pci/drivers/${module}/bind" +echo "${device}" | tee -- "/sys/bus/pci/drivers/${module}/bind" diff --git a/salt/dom0/files/bin/qvm-port-forward b/salt/dom0/files/bin/qvm-port-forward index 3fa59c1..03fea46 100755 --- a/salt/dom0/files/bin/qvm-port-forward +++ b/salt/dom0/files/bin/qvm-port-forward @@ -21,7 +21,7 @@ run_qube(){ create_net_dir(){ qube="${1}" - run_qube "${qube}" mkdir -p "${hook_dir}" + run_qube "${qube}" mkdir -p -- "${hook_dir}" } validate_handle(){ @@ -78,7 +78,7 @@ get_rule_handle(){ rule="${3}" run_qube "${qube}" \ "nft --handle --stateless list chain ip qubes ${chain} | - tr -d '\"' | grep '^\s\+${rule} # handle ' | awk '{print \$NF}' | + tr -d '\"' | grep -e '^\s\+${rule} # handle ' | awk '{print \$NF}' | tr '\n' ' '" 2>/dev/null } 
@@ -165,7 +165,7 @@ get_handle(){ chain=\\\${1} rule=\\\${2} nft --handle --stateless list chain ip qubes \\\${chain} | \\\ - tr -d '\\\"' | grep '^\\\s\\\+\\\${rule} \\# handle ' | \\\ + tr -d '\\\"' | grep -e '^\\\s\\\+\\\${rule} \\# handle ' | \\\ awk '{print \\\$NF}' | tr \\\"\\\n\\\" \\\" \\\" } @@ -187,8 +187,8 @@ ${full_rule}" create_net_dir "${from_qube}" run_qube "${from_qube}" \ - "echo \"${full_rule}\" | tee \"${hook}\" >/dev/null" - run_qube "${from_qube}" "chmod +x ${hook}" + "echo \"${full_rule}\" | tee -- \"${hook}\" >/dev/null" + run_qube "${from_qube}" "chmod -- +x ${hook}" fi fi } @@ -216,7 +216,7 @@ get_handle(){ chain=\\\${1} rule=\\\${2} nft --handle --stateless list chain ip qubes \\\${chain} | \\\ - tr -d '\\\"' | grep '^\\\s\\\+\\\${rule} \\# handle ' | \\\ + tr -d '\\\"' | grep -e '^\\\s\\\+\\\${rule} \\# handle ' | \\\ awk '{print \\\$NF}' | tr \\\"\\\n\\\" \\\" \\\" } @@ -229,8 +229,9 @@ fi ${input_rule}" - run_qube "${qube}" "echo \"${input_rule}\" | tee \"${hook}\" >/dev/null" - run_qube "${qube}" "chmod +x ${hook}" + run_qube "${qube}" \ + "echo \"${input_rule}\" | tee -- \"${hook}\" >/dev/null" + run_qube "${qube}" "chmod -- +x ${hook}" fi fi } diff --git a/salt/dom0/files/bin/qvm-screenshot b/salt/dom0/files/bin/qvm-screenshot index 7446aac..ef641e4 100755 --- a/salt/dom0/files/bin/qvm-screenshot +++ b/salt/dom0/files/bin/qvm-screenshot @@ -70,7 +70,7 @@ Development mode: ## Expand directory only in the qube. qube_pictures_dir="\$(xdg-user-dir PICTURES)" guivm_pictures_dir="$(xdg-user-dir PICTURES)" -mkdir -p "${guivm_pictures_dir}" || exit 1 +mkdir -p -- "${guivm_pictures_dir}" || exit 1 current_date="$(date +"%Y-%m-%d-%H%M%S")" screenshot_basename="${current_date}.png" 
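Review bot: In qvm-port-forward, the new `run_qube "${from_qube}" "chmod -- +x ${hook}"` line (hunk at -187) and its twin in the hunk at -229 leave `${hook}` unquoted inside the command string that the remote shell evaluates, while the `tee -- \"${hook}\"` line right above escapes the quotes; the two should agree, e.g. `run_qube "${from_qube}" "chmod -- +x \"${hook}\""`. The same string interpolation also carries `${full_rule}` / `${input_rule}` into the remote command, so whatever restricts those values to a fixed character set has to run before this point; that validation, if present, is outside these hunks. Both enclosing functions start outside the hunk.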
@@ -292,14 +292,14 @@ if test -z "${qube}"; then dialog_title="Select destination qube (Unix based):" case "${dialog_cmd}" in zenity) - qube_list="$(echo "${qube_list}" | sed "s/^/FALSE /")" + qube_list="$(echo "${qube_list}" | sed -e "s/^/FALSE /")" # shellcheck disable=SC2086 qube="$(zenity --list --width=200 --height=390 \ --text "${dialog_title}" \ --radiolist --column "Pick" --column "qube" ${qube_list})" ;; kdialog) - qube_list="$(echo "${qube_list}" | sed "s/\(.*\)/\1 \1 off/")" + qube_list="$(echo "${qube_list}" | sed -e "s/\(.*\)/\1 \1 off/")" # shellcheck disable=SC2086 qube="$(kdialog --radiolist "${dialog_title}" ${qube_list})" ;; @@ -328,12 +328,12 @@ if ! qvm-check -- "${qube}" >/dev/null 2>&1; then exit 1 fi -qvm-run "${qube}" -- "mkdir -p \"${qube_pictures_dir}\"" +qvm-run "${qube}" -- "mkdir -p -- \"${qube_pictures_dir}\"" qvm-run --pass-io "${qube}" -- "cat > \"${qube_screenshot_file}\"" \ < "${screenshot_file}" if test "${file_move}" = "1"; then - rm -f "${screenshot_file}" + rm -f -- "${screenshot_file}" fi if test "${file_manager}" = "1"; then diff --git a/salt/dotfiles b/salt/dotfiles index 7e2502b..b38834d 160000 --- a/salt/dotfiles +++ b/salt/dotfiles @@ -1 +1 @@ -Subproject commit 7e2502b70a0f336ef74e31b4d9bf3e4aadd785a3 +Subproject commit b38834d66b8d7c7cf2d29726f5f7e608bd0b2e78 diff --git a/salt/electrum/files/client/rpc/qusal.InstallElectrum b/salt/electrum/files/client/rpc/qusal.InstallElectrum index 4f6f121..95342b0 100755 --- a/salt/electrum/files/client/rpc/qusal.InstallElectrum +++ b/salt/electrum/files/client/rpc/qusal.InstallElectrum 
@@ -10,13 +10,13 @@ bin_dir="/usr/bin" app_dir="/usr/share/applications" tmp_dir="/tmp/electrum-upload" -rm -rf "${tmp_dir}" -mkdir -p "${tmp_dir}" +rm -rf -- "${tmp_dir}" +mkdir -p -- "${tmp_dir}" qfile-unpacker 0 "${tmp_dir}" cd "${tmp_dir}" -cp -r electrum "${python_dir}"/ -cp electrum.desktop "${app_dir}"/ -cp run_electrum "${bin_dir}"/electrum +cp -r -- electrum "${python_dir}"/ +cp -- electrum.desktop "${app_dir}"/ +cp -- run_electrum "${bin_dir}"/electrum ## Qube needs to shutdown for the app qube to have the uploaded files. shutdown now diff --git a/salt/mail/README.md b/salt/mail/README.md index 63096bd..ac1aff9 100644 --- a/salt/mail/README.md +++ b/salt/mail/README.md @@ -130,7 +130,7 @@ mails will be done in `disp-mail-fetcher`. Copy example configuration file to where the program can read automatically: ```sh -cp ~/.fdm.conf.example ~/.fdm.conf +cp -- ~/.fdm.conf.example ~/.fdm.conf ``` Edit the configuration according to your needs: @@ -166,7 +166,7 @@ according to your needs. Copy example configuration file to where the program can read automatically: ```sh -cp ~/.mporc.example ~/.mpoprc +cp -- ~/.mporc.example ~/.mpoprc ``` Edit the configuration according to your needs: @@ -249,7 +249,7 @@ mails are done in `disp-mail-sender`. Copy example configuration file to where the program can read automatically: ```sh -cp ~/.msmtprc.example ~/.msmtprc +cp -- ~/.msmtprc.example ~/.msmtprc ``` Edit the configuration according to your needs: diff --git a/salt/mail/files/reader/rpc/qusal.MailFetch b/salt/mail/files/reader/rpc/qusal.MailFetch index baca9e6..d02b7fb 100755 --- a/salt/mail/files/reader/rpc/qusal.MailFetch +++ b/salt/mail/files/reader/rpc/qusal.MailFetch @@ -9,7 +9,7 @@ inbox_dir="${HOME}/mail/INBOX" uid="$(id -u user)" # shellcheck disable=SC2174 -mkdir -p "${inbox_dir}" -chmod 0700 "${inbox_dir}" +mkdir -p -- "${inbox_dir}" +chmod -- 0700 "${inbox_dir}" qfile-unpacker "${uid}" "${inbox_dir}" 
diff --git a/salt/mail/files/sender/rpc/qusal.MailEnqueue b/salt/mail/files/sender/rpc/qusal.MailEnqueue index 9e8021a..e95deb7 100755 --- a/salt/mail/files/sender/rpc/qusal.MailEnqueue +++ b/salt/mail/files/sender/rpc/qusal.MailEnqueue @@ -9,7 +9,7 @@ queue_dir="${MSMTP_Q:-"${Q:-"${HOME}/.msmtp.queue"}"}" uid="$(id -u user)" # shellcheck disable=SC2174 -mkdir -p "${queue_dir}" -chmod 0700 "${queue_dir}" +mkdir -p -- "${queue_dir}" +chmod -- 0700 "${queue_dir}" exec qfile-unpacker "${uid}" "${queue_dir}" diff --git a/salt/sys-bitcoin/files/client/bin/bitcoin-rpcauth-save b/salt/sys-bitcoin/files/client/bin/bitcoin-rpcauth-save index 41c9cdf..6d3c1dd 100755 --- a/salt/sys-bitcoin/files/client/bin/bitcoin-rpcauth-save +++ b/salt/sys-bitcoin/files/client/bin/bitcoin-rpcauth-save @@ -11,8 +11,8 @@ fi auth="$(qrexec-client-vm -tT -- @default qusal.BitcoinAuthGet)" if test -n "${auth}"; then - mkdir -p ~/.bitcoin/.cookie - echo "${auth}" | tee ~/.bitcoin/.cookie >/dev/null + mkdir -p -- ~/.bitcoin/.cookie + echo "${auth}" | tee -- ~/.bitcoin/.cookie >/dev/null else echo "failed to get Bitcoin Authentication" >&2 exit 1 diff --git a/salt/sys-bitcoin/files/client/bin/bitcoin-tx-notify b/salt/sys-bitcoin/files/client/bin/bitcoin-tx-notify index 987b705..14bdeca 100755 --- a/salt/sys-bitcoin/files/client/bin/bitcoin-tx-notify +++ b/salt/sys-bitcoin/files/client/bin/bitcoin-tx-notify @@ -18,7 +18,7 @@ else body="TXID ${txid} is in block ${block_height} ${block_hash}" fi -echo "${date} ${title}: ${body}" | tee ~/.bitcoin/walletnotify.log +echo "${date} ${title}: ${body}" | tee -- ~/.bitcoin/walletnotify.log if command -v notify-send >/dev/null; then notify-send -t 10000 "${title}" "${body}" fi diff --git a/salt/sys-bitcoin/files/server/bin/bitcoin-dbcache b/salt/sys-bitcoin/files/server/bin/bitcoin-dbcache index ee06c14..44a74f6 100755 --- a/salt/sys-bitcoin/files/server/bin/bitcoin-dbcache +++ b/salt/sys-bitcoin/files/server/bin/bitcoin-dbcache 
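Review bot: In bitcoin-rpcauth-save, `mkdir -p -- ~/.bitcoin/.cookie` creates a directory at the very path the next line writes to with `tee`, so unless `.cookie` is meant to be a directory this looks like an existing bug the commit carries over: `tee` cannot write to a directory, and if `.cookie` already exists as a regular file `mkdir -p` itself fails with "File exists". The intended line is presumably `mkdir -p -- ~/.bitcoin`. Since the content is the `user:password` string that qusal.BitcoinAuthGet returns, it would also be worth creating the file with restrictive permissions, e.g. `echo "${auth}" | (umask 077; tee -- ~/.bitcoin/.cookie >/dev/null)`, as nothing in the hunk constrains the mode.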
@@ -6,6 +6,6 @@ set -eu conf="${HOME}/.bitcoin/conf.d/dbcache.conf" -cache_Mi="$(awk '/^MemTotal:/{printf "%.0f", $2/1024}' /proc/meminfo)" +cache_Mi="$(awk -- '/^MemTotal:/{printf "%.0f", $2/1024}' /proc/meminfo)" cache="$((cache_Mi*75/100))" -echo "dbcache=${cache}" | tee "${conf}" >/dev/null +echo "dbcache=${cache}" | tee -- "${conf}" >/dev/null diff --git a/salt/sys-bitcoin/files/server/bin/bitcoin-rpcwhitelist-cookie b/salt/sys-bitcoin/files/server/bin/bitcoin-rpcwhitelist-cookie index 9ea5c6e..b558dc8 100755 --- a/salt/sys-bitcoin/files/server/bin/bitcoin-rpcwhitelist-cookie +++ b/salt/sys-bitcoin/files/server/bin/bitcoin-rpcwhitelist-cookie @@ -15,4 +15,4 @@ fi rpc_list="$(bitcoin-cli help | awk '/^[a-z]/{print $1}' | tr "\n" ",")" -echo "rpcwhitelist=__cookie__:${rpc_list}" | tee "${conf}" >/dev/null +echo "rpcwhitelist=__cookie__:${rpc_list}" | tee -- "${conf}" >/dev/null diff --git a/salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper b/salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper index db87da5..00a980d 100755 --- a/salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper +++ b/salt/sys-bitcoin/files/server/bin/bitcoin-whitepaper @@ -49,25 +49,25 @@ getblock(){ | tail -c+92167 \ | for ((o=0;o<946;++o)); do \ read -rN420 x; \ - echo -n "${x::130}${x:132:130}${x:264:130}"; \ + printf '%s' "${x::130}${x:132:130}${x:264:130}"; \ done \ | xxd -r -p \ | tail -c+9 \ | head -c184292 \ - | tee "${output_file}" >/dev/null + | tee -- "${output_file}" >/dev/null } getrawtransaction(){ check_installed bitcoin-cli xxd # shellcheck disable=SC2312 bitcoin-cli getrawtransaction "${txid}" 0 "${block_hash}" \ - | sed 's/0100000000000000/\n/g' \ + | sed -e 's/0100000000000000/\n/g' \ | tail -n +2 \ | cut -c7-136,139-268,271-400 \ | tr -d '\n' \ | cut -c17-368600 \ | xxd -p -r \ - | tee "${output_file}" >/dev/null + | tee -- "${output_file}" >/dev/null } gettxout(){ 
diff --git a/salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet b/salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet index a9c199f..3585171 100755 --- a/salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet +++ b/salt/sys-bitcoin/files/server/rpc/qusal.BitcoinAuthGet @@ -21,8 +21,8 @@ if ! systemctl is-active bitcoind >/dev/null 2>&1; then fi if test -r "${bitcoin_conf}"; then - if grep -qs "^\s*rpcauth=${user}:" "${bitcoin_conf}"; then - grep -m1 "^${user}:" "${bitcoin_pass}" + if grep -qs -e "^\s*rpcauth=${user}:" -- "${bitcoin_conf}"; then + grep -m1 -e "^${user}:" -- "${bitcoin_pass}" exit fi fi @@ -32,13 +32,14 @@ if ! command -v bitcoin-rpcauth >/dev/null; then exit 127 fi -full_auth="$(bitcoin-rpcauth "${user}" | sed -n '2p;4p')" +full_auth="$(bitcoin-rpcauth "${user}" | sed -n -e '2p;4p')" rpcauth="$(echo "${full_auth}" | head -1)" user="$(echo "${rpcauth}" | cut -d "=" -f2 | cut -d ":" -f1)" password="$(echo "${full_auth}" | tail -1)" -echo "${rpcauth}" | sudo -u user tee -a "${bitcoin_conf}" >/dev/null -echo "${user}:${password}" | sudo -u user tee -a "${bitcoin_pass}" >/dev/null +echo "${rpcauth}" | sudo -u user -- tee -a -- "${bitcoin_conf}" >/dev/null +echo "${user}:${password}" | \ + sudo -u user -- tee -a -- "${bitcoin_pass}" >/dev/null echo "${user}:${password}" ## Restart bitcoind to apply the configuration changes. Currently, there is no diff --git a/salt/sys-bitcoin/files/server/rpc/qusal.InstallBitcoin b/salt/sys-bitcoin/files/server/rpc/qusal.InstallBitcoin index 5a5e605..e6d1af4 100755 --- a/salt/sys-bitcoin/files/server/rpc/qusal.InstallBitcoin +++ b/salt/sys-bitcoin/files/server/rpc/qusal.InstallBitcoin 
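Review bot: In qusal.BitcoinAuthGet, `grep -qs -e "^\s*rpcauth=${user}:" -- "${bitcoin_conf}"` and `grep -m1 -e "^${user}:" -- "${bitcoin_pass}"` still interpolate `${user}` into a regular expression; `-e` only protects against a leading dash, not against regex metacharacters. Where `${user}` is assigned is above the hunk, but this is a qrexec service, so if the value derives from the caller it should be checked against a fixed character set before it reaches these lines, the way qusal.GitInit and qusal.SshAgent in this same patch do with `grep -q -e "^[A-Za-z0-9][A-Za-z0-9_.-]\+$"`. If `${user}` is already known to be safe at this point, a one-line comment stating where it is validated would save the next reader the same question.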
@@ -11,21 +11,21 @@ share_dir="${prefix_dir}/share/bitcoin" share_examples_dir="${share_dir}/examples" tmp_dir="/tmp/bitcoin-upload" -rm -rf "${tmp_dir}" -mkdir -p "${tmp_dir}" -mkdir -p "${share_dir}" -mkdir -p "${share_examples_dir}" +rm -rf -- "${tmp_dir}" +mkdir -p -- "${tmp_dir}" +mkdir -p -- "${share_dir}" +mkdir -p -- "${share_examples_dir}" qfile-unpacker 0 "${tmp_dir}" cd "${tmp_dir}" -cp -r bin share "${prefix_dir}"/ +cp -r -- bin share "${prefix_dir}"/ if test -f README.md; then - cp -r README.md "${share_dir}"/ + cp -r -- README.md "${share_dir}"/ fi if test -f bitcoin.conf; then - cp -r bitcoin.conf "${share_examples_dir}"/ + cp -r -- bitcoin.conf "${share_examples_dir}"/ fi -cp share/rpcauth/rpcauth.py "${bin_dir}"/bitcoin-rpcauth +cp -- share/rpcauth/rpcauth.py "${bin_dir}"/bitcoin-rpcauth ## Qube needs to shutdown for the app qube to have the uploaded files. shutdown now diff --git a/salt/sys-cacher/README.md b/salt/sys-cacher/README.md index df3df24..2c59cb9 100644 --- a/salt/sys-cacher/README.md +++ b/salt/sys-cacher/README.md @@ -102,7 +102,7 @@ administrative access to the cacher qube. You should add the following to the end of `sys-cacher` rc.local: ```sh -echo "AdminAuth: username:password" | tee /etc/qusal-apt-cacher-ng/zzz_security.conf +echo "AdminAuth: username:password" | tee -- /etc/qusal-apt-cacher-ng/zzz_security.conf ``` Where username and password are HTTP Auth strings. @@ -158,7 +158,7 @@ qvm-tags QUBE add updatevm-sys-cacher qvm-features QUBE service.updates-proxy-setup 1 sudo qubesctl --skip-dom0 --targets=QUBE state.apply sys-cacher.install-client qvm-run --user=root QUBE -- " -touch /var/run/qubes-service/updates-proxy-setup +touch -- /var/run/qubes-service/updates-proxy-setup /usr/bin/apt-cacher-ng-repo systemctl restart qubes-updates-proxy-forwarder.socket" ``` diff --git a/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc b/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc index a671612..f5e8f9b 100755 
--- a/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc +++ b/salt/sys-cacher/files/browser/rc.local.d/50-sys-cacher.rc @@ -4,7 +4,7 @@ # # SPDX-License-Identifier: AGPL-3.0-or-later -cp -r /rw/config/systemd/qusal-acng-browser-forwarder* \ +cp -r -- /rw/config/systemd/qusal-acng-browser-forwarder* \ /usr/lib/systemd/system/ systemctl daemon-reload systemctl --no-block restart qusal-acng-browser-forwarder.socket diff --git a/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo b/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo index e83a51f..4365c53 100755 --- a/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo +++ b/salt/sys-cacher/files/client/bin/apt-cacher-ng-repo @@ -28,18 +28,18 @@ set_proxy_marker(){ proxy_file="${1}" proxy_options="${2}" - if ! grep -q "^${marker_begin}$" "${proxy_file}"; then - if grep -q "^${marker_end}$" "${proxy_file}"; then + if ! grep -q -e "^${marker_begin}$" -- "${proxy_file}"; then + if grep -q -e "^${marker_end}$" -- "${proxy_file}"; then msg="found marker ${marker_end_text} but not ${marker_begin_text}" msg="${msg} in ${proxy_file}." msg="${msg} fix it by removing markers or adding missing ones and retry" echo "Error: ${msg}" >&2 exit 1 fi - cp "${proxy_file}" "${proxy_file}.qubes-orig" - echo "${marker_begin}" | tee -a "${proxy_file}" >/dev/null - echo "${marker_end}" | tee -a "${proxy_file}" >/dev/null - elif ! grep -q "^${marker_end}$" "${proxy_file}"; then + cp -- "${proxy_file}" "${proxy_file}.qubes-orig" + echo "${marker_begin}" | tee -a -- "${proxy_file}" >/dev/null + echo "${marker_end}" | tee -a -- "${proxy_file}" >/dev/null + elif ! grep -q -e "^${marker_end}$" -- "${proxy_file}"; then msg="found marker ${marker_begin_text} but not ${marker_end_text}" msg="${msg} in ${proxy_file}." msg="${msg} fix it by removing markers or adding missing ones and retry" 
@@ -56,16 +56,16 @@ ${proxy_options} EOF ## Couldn't figure out how to write only changes on the next sed. - if ! grep -q "${proxy_options}" "${proxy_file}"; then - tee -a "${changes_file}" <"${proxy_tmp_file}" >/dev/null + if ! grep -q -e "${proxy_options}" -- "${proxy_file}"; then + tee -a -- "${changes_file}" <"${proxy_tmp_file}" >/dev/null fi ## GNU Sed, only reliable while we don't support BSD. sed -i -e "/^${marker_begin}$/,/^${marker_end}$/{ /^${marker_end}$/b /^${marker_begin}$/!d r ${proxy_tmp_file} - }" "${proxy_file}" - rm -f "${proxy_tmp_file}" + }" -- "${proxy_file}" + rm -f -- "${proxy_tmp_file}" } check_netvm_cacher(){ @@ -108,7 +108,7 @@ ${proxy_conf}" ${proxy_conf} EOF else - rm -f /etc/yum.conf.d/qubes-proxy.conf + rm -f -- /etc/yum.conf.d/qubes-proxy.conf fi set -- @@ -132,7 +132,7 @@ EOF meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}" find "${@}" -type f -exec sed -i \ -e "${baseurl_expr}" -e "${meta_expr}" \ - {} \+ + -- {} \+ set -- for repo in \ @@ -153,7 +153,7 @@ EOF meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}" find "${@}" -type f -exec sed -i \ -e "${baseurl_expr}" -e "${meta_expr}" \ - {} \+ + -- {} \+ ;; uninstall) @@ -165,7 +165,7 @@ EOF meta_expr="s|${meta_search}|${meta_repl}|w ${changes_file}" find "${@}" -type f -exec sed -i \ -e "${baseurl_expr}" -e "${meta_expr}" \ - {} \+ + -- {} \+ set -- for repo in \ @@ -181,7 +181,7 @@ EOF find "${@}" -type f -exec sed -i \ -e "s|^\s*baseurl|#baseurl|w ${changes_file}" \ -e "s|^\s*#.*metalink\s*=|metalink=|w ${changes_file}" \ - {} \+ 2>/dev/null || true + -- {} \+ 2>/dev/null || true ;; *) echo "Unsupported action" >&2; exit 1 esac @@ -196,7 +196,7 @@ Acquire::http::Proxy "${proxy_url}"; Acquire::tor::proxy "${proxy_url}"; EOF else - rm -f /etc/apt/apt.conf.d/50cacher-proxy + rm -f -- /etc/apt/apt.conf.d/50cacher-proxy fi set -- 
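Review bot: In apt-cacher-ng-repo, `if ! grep -q -e "${proxy_options}" -- "${proxy_file}"; then` (hunk at -56) compares configuration text as a regular expression, so characters like `.` in the proxy URL match more than intended and the "already present" test can pass on a different value. A fixed-string match is what the check means: `if ! grep -qF -e "${proxy_options}" -- "${proxy_file}"; then`; newline-separated patterns are handled the same way with `-F`, so a multi-line `${proxy_options}` behaves as before. The enclosing function starts outside the hunk.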
@@ -222,7 +222,7 @@ EOF list_expr="s|${list_search}|${list_repl}|w ${changes_file}" find "${@}" -type f -exec sed -i \ -e "${list_expr}" -e "${sources_expr}" \ - {} \+ + -- {} \+ ;; uninstall) @@ -234,7 +234,7 @@ EOF list_expr="s|${list_search}|${list_repl}|w ${changes_file}" find "${@}" -type f -exec sed -i \ -e "${list_expr}" -e "${sources_expr}" \ - {} \+ + -- {} \+ ;; *) echo "Unsupported action" >&2; exit 1 esac @@ -244,18 +244,18 @@ EOF if test -n "${proxy_addr}"; then if ! test -d /run/qubes/bin; then - mkdir -p /run/qubes/bin + mkdir -p -- /run/qubes/bin fi cat >/run/qubes/bin/pacman </etc/profile.d/qubes-proxy.sh << EOF export PATH=/run/qubes/bin:\${PATH} EOF else - rm -f /run/qubes/bin/pacman /etc/profile.d/qubes-proxy.sh + rm -f -- /run/qubes/bin/pacman /etc/profile.d/qubes-proxy.sh fi set -- @@ -278,7 +278,7 @@ EOF repo_regex="s|${repo_search}|${repo_repl}|w ${changes_file}" find "${@}" -type f -exec sed -i \ -e "${repo_regex}" \ - {} \+ + -- {} \+ ;; uninstall) @@ -287,7 +287,7 @@ EOF repo_regex="s|${repo_search}|${repo_repl}|w ${changes_file}" find "${@}" -type f -exec sed -i \ -e "${repo_regex}" \ - {} \+ + -- {} \+ ;; *) echo "Unsupported action" >&2; exit 1 esac @@ -312,7 +312,7 @@ usage(){ } changes_file="$(mktemp)" -trap 'rm -f "${changes_file}"' HUP INT QUIT ABRT EXIT +trap 'rm -f -- "${changes_file}"' HUP INT QUIT ABRT EXIT if test -f /var/run/qubes-service/updates-proxy-setup || test -f /var/run/qubes-service/netvm-cacher diff --git a/salt/sys-cacher/files/server/systemd/apt-cacher-ng.service.d/50_qusal.conf b/salt/sys-cacher/files/server/systemd/apt-cacher-ng.service.d/50_qusal.conf index 651fc9f..3fc9338 100644 --- a/salt/sys-cacher/files/server/systemd/apt-cacher-ng.service.d/50_qusal.conf +++ b/salt/sys-cacher/files/server/systemd/apt-cacher-ng.service.d/50_qusal.conf 
@@ -8,6 +8,6 @@ After=qubes-sysinit.service Before=qubes-qrexec-agent.service [Service] -ExecStartPre=chown -R apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng /var/cache/apt-cacher-ng +ExecStartPre=chown -R -- apt-cacher-ng:apt-cacher-ng /var/log/apt-cacher-ng /var/cache/apt-cacher-ng ExecStart= ExecStart=/usr/sbin/apt-cacher-ng -c "/etc/qusal-apt-cacher-ng" ForeGround=1 diff --git a/salt/sys-electrs/files/server/rpc/qusal.InstallElectrs b/salt/sys-electrs/files/server/rpc/qusal.InstallElectrs index 0d5e666..1f3db66 100755 --- a/salt/sys-electrs/files/server/rpc/qusal.InstallElectrs +++ b/salt/sys-electrs/files/server/rpc/qusal.InstallElectrs @@ -9,12 +9,12 @@ bin_dir="/usr/bin" tmp_dir="/tmp/electrs-upload" man1_dir="/usr/share/man/man1" -rm -rf "${tmp_dir}" -mkdir -p "${tmp_dir}" +rm -rf -- "${tmp_dir}" +mkdir -p -- "${tmp_dir}" qfile-unpacker 0 "${tmp_dir}" cd "${tmp_dir}" -cp electrs "${bin_dir}"/ -cp electrs.1 "${man1_dir}"/ +cp -- electrs "${bin_dir}"/ +cp -- electrs.1 "${man1_dir}"/ ## Qube needs to shutdown for the app qube to have the uploaded files. shutdown now diff --git a/salt/sys-electrumx/files/server/bin/electrumx-cookie-save b/salt/sys-electrumx/files/server/bin/electrumx-cookie-save index 71277bb..f2ecd90 100755 --- a/salt/sys-electrumx/files/server/bin/electrumx-cookie-save +++ b/salt/sys-electrumx/files/server/bin/electrumx-cookie-save @@ -18,6 +18,7 @@ if ! test -r "${cookie}"; then exit 1 fi -auth="$(cat "${cookie}")" +auth="$(cat -- "${cookie}")" -echo "DAEMON_URL=${auth}@127.0.0.1:8332" | tee "${electrumx_conf}" >/dev/null +echo "DAEMON_URL=${auth}@127.0.0.1:8332" | \ + tee -- "${electrumx_conf}" >/dev/null diff --git a/salt/sys-electrumx/files/server/rpc/qusal.InstallElectrumx b/salt/sys-electrumx/files/server/rpc/qusal.InstallElectrumx index 5e341b1..42b685a 100755 --- a/salt/sys-electrumx/files/server/rpc/qusal.InstallElectrumx +++ b/salt/sys-electrumx/files/server/rpc/qusal.InstallElectrumx 
@@ -9,12 +9,12 @@ python_dir="/usr/lib/python3/dist-packages" bin_dir="/usr/bin" tmp_dir="/tmp/electrumx-upload" -rm -rf "${tmp_dir}" -mkdir -p "${tmp_dir}" +rm -rf -- "${tmp_dir}" +mkdir -p -- "${tmp_dir}" qfile-unpacker 0 "${tmp_dir}" cd "${tmp_dir}" -cp -r electrumx "${python_dir}"/ -cp electrumx_server electrumx_rpc electrumx_compact_history "${bin_dir}"/ +cp -r -- electrumx "${python_dir}"/ +cp -- electrumx_server electrumx_rpc electrumx_compact_history "${bin_dir}"/ ## Qube needs to shutdown for the app qube to have the uploaded files. shutdown now diff --git a/salt/sys-git/files/client/git-core/git-remote-qrexec b/salt/sys-git/files/client/git-core/git-remote-qrexec index 13c9b84..5d3c274 100755 --- a/salt/sys-git/files/client/git-core/git-remote-qrexec +++ b/salt/sys-git/files/client/git-core/git-remote-qrexec @@ -34,7 +34,7 @@ log(){ validate_url(){ url_valid="" url_check="${1?}" - scheme_user_url="$(echo "${url_check}" | sed "s|://.*||")" + scheme_user_url="$(echo "${url_check}" | sed -e "s|://.*||")" ## Scheme must be the same as the one in the name of this script. ## Checks if Authority and Path exist, but not if they are valid, this is @@ -48,7 +48,7 @@ validate_url(){ esac urn_pattern="[0-9A-Za-z@:_.-]+/[0-9A-Za-z_.-]+(\?[0-9A-Za-z=&_-]*)?" - if ! (echo "${url_valid}" | grep -qE "^${scheme}://${urn_pattern}$") + if ! (echo "${url_valid}" | grep -qE -e "^${scheme}://${urn_pattern}$") then die "URL contains forbidden characters" fi @@ -86,11 +86,12 @@ find_capabilities(){ if test -z "${cap_helpers}"; then cap_helpers="${f##*"${script}-"}" else - cap_helpers="${cap_helpers}\n${f##*"${script}-"}" + cap_helpers="${cap_helpers} +${f##*"${script}-"}" fi done - echo "${cap_helpers}" + printf '%s\n' "${cap_helpers}" } ## Send capabilities to remote helper specific for that capability. 
@@ -98,7 +99,7 @@ send_cap(){ cap="${1}" shift - if ! (echo "${capabilities}" | grep -q "^${cap}$"); then + if ! (echo "${capabilities}" | grep -q -e "^${cap}$"); then die "Unsupported capability: '${cap}'" fi @@ -169,7 +170,7 @@ while read -r cmd arg; do case "${cmd}" in capabilities) for c in ${capabilities}; do log "-> ${c}"; done; log "->" - printf %s"${capabilities}\n\n";; + printf '%s\n\n' "${capabilities}";; *) send_cap "${cmd}" "${arg}";; esac done diff --git a/salt/sys-git/files/client/git-core/git-remote-qrexec-connect b/salt/sys-git/files/client/git-core/git-remote-qrexec-connect index 3e41ffd..6bfbf48 100755 --- a/salt/sys-git/files/client/git-core/git-remote-qrexec-connect +++ b/salt/sys-git/files/client/git-core/git-remote-qrexec-connect @@ -26,7 +26,7 @@ log(){ ## Establish capability working. log "->" -printf "\n" +printf '\n' helper="${0##*/git-}" parent_helper="${helper%-*}" @@ -61,7 +61,8 @@ vendor="qusal" default_qube="sys-git" rpc_cmd="${vendor}.${rpc}+${path}" -if echo "${query}" | grep -qE "(^|&)verify_signatures=(1|[tT]rue|yes|on)($|&)" +if echo "${query}" | \ + grep -qE -e "(^|&)verify_signatures=(1|[tT]rue|yes|on)($|&)" then die "Remote helper does not support signature verification yet" fi diff --git a/salt/sys-git/files/server/rpc/qusal.GitInit b/salt/sys-git/files/server/rpc/qusal.GitInit index e415509..652b47b 100644 --- a/salt/sys-git/files/server/rpc/qusal.GitInit +++ b/salt/sys-git/files/server/rpc/qusal.GitInit @@ -23,7 +23,7 @@ if test -z "${untrusted_repo}"; then die "Repository name is empty" fi -if ! (echo "${untrusted_repo}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$") +if ! (echo "${untrusted_repo}" | grep -q -e "^[A-Za-z0-9][A-Za-z0-9_.-]\+$") then msg="Forbidden characters in agent name." msg="${msg} Allowed chars: letters, numbers, hyphen, underscore and dot." 
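Review bot: In qusal.GitInit, the validation line `if ! (echo "${untrusted_repo}" | grep -q -e "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")` still feeds an untrusted qrexec argument to `echo`, which interprets option-like values such as `-n`; the check then rejects them only because the pipe happens to carry nothing. This commit already replaces `echo` with `printf` in bitcoin-whitepaper and git-remote-qrexec, so the same should apply here and to the identical line in qusal.SshAgent: `if ! (printf '%s\n' "${untrusted_repo}" | grep -q -e "^[A-Za-z0-9][A-Za-z0-9_.-]\+$")`. As a side note, `\+` is a GNU BRE extension; `grep -qE -e '^[A-Za-z0-9][A-Za-z0-9_.-]+$'` is the portable form and matches the `-E` style git-remote-qrexec uses in this patch.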
@@ -64,7 +64,7 @@ fi if ! test -d "${base_path}"; then # shellcheck disable=SC2174 - mkdir -m 0700 -p "${base_path}" >/dev/null 2>&1 || + mkdir -m 0700 -p -- "${base_path}" >/dev/null 2>&1 || die "Cannot create directory: ${base_path}" fi diff --git a/salt/sys-pgp/README.md b/salt/sys-pgp/README.md index fef191e..66b8422 100644 --- a/salt/sys-pgp/README.md +++ b/salt/sys-pgp/README.md @@ -81,7 +81,7 @@ qvm-features dev service.split-gpg2-client 1 On the qube `sys-pgp`, generate or import keys for the client qube `dev`: ```sh -mkdir -p ~/.gnupg/split-gpg/dev +mkdir -p -- ~/.gnupg/split-gpg/dev gpg --homedir ~/.gnupg/split-gpg/dev --import /path/to/secret.key gpg --homedir ~/.gnupg/split-gpg/dev --list-secret-keys ``` diff --git a/salt/sys-pihole/files/admin/prefs.sh b/salt/sys-pihole/files/admin/prefs.sh index f079717..32e850c 100755 --- a/salt/sys-pihole/files/admin/prefs.sh +++ b/salt/sys-pihole/files/admin/prefs.sh @@ -13,7 +13,7 @@ for qube in $(qvm-ls --raw-data --fields=NAME,NETVM | do ## Avoid overwriting netvm to sys-pihole when instead it should use the ## default_netvm, so better to prevent overwriting user choices. - qvm-prefs "${qube}" | grep -q "^netvm[[:space:]]\+D" && continue + qvm-prefs "${qube}" | grep -q -e "^netvm[[:space:]]\+D" && continue ## Set netvm for qubes that were using (disp-)sys-firewall to sys-pihole. qvm-prefs "${qube}" netvm sys-pihole done diff --git a/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc b/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc index 66c34fc..85cd75d 100755 --- a/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc +++ b/salt/sys-pihole/files/browser/rc.local.d/50-sys-pihole.rc @@ -4,6 +4,6 @@ # # SPDX-License-Identifier: AGPL-3.0-or-later -cp -r /rw/config/systemd/qubes-http-forwarder* /usr/lib/systemd/system/ +cp -r -- /rw/config/systemd/qubes-http-forwarder* /usr/lib/systemd/system/ systemctl daemon-reload systemctl --no-block restart qubes-http-forwarder.socket 
diff --git a/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh b/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh index 2cf2d7d..0241a0d 100644 --- a/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh +++ b/salt/sys-pihole/files/server/network-hooks.d/50-sys-pihole.sh @@ -11,9 +11,9 @@ nft -f /rw/config/qubes-firewall.d/50-sys-pihole for vif in /proc/sys/net/ipv4/conf/vif*/route_localnet; do test -w "${vif}" || continue - echo 1 | tee "${vif}" >/dev/null + echo 1 | tee -- "${vif}" >/dev/null done if test -f /var/run/qubes-service/local-dns-server; then - echo "nameserver 127.0.0.1" | tee /etc/resolv.conf >/dev/null + echo "nameserver 127.0.0.1" | tee -- /etc/resolv.conf >/dev/null fi diff --git a/salt/sys-ssh-agent/README.md b/salt/sys-ssh-agent/README.md index 1f5e3d3..753449e 100644 --- a/salt/sys-ssh-agent/README.md +++ b/salt/sys-ssh-agent/README.md @@ -131,14 +131,14 @@ Import preexisting keys to the agent directory or generate keys for a specific agent: ```sh -mkdir -m 0700 -p ~/.ssh/identities.d/ +mkdir -m 0700 -p -- ~/.ssh/identities.d/ ssh-keygen -t ed25519 -f ~/.ssh/identities.d//id_example ``` You would do the following for the `work` agent: ```sh -mkdir -m 0700 -p ~/.ssh/identities.d/work +mkdir -m 0700 -p -- ~/.ssh/identities.d/work ssh-keygen -t ed25519 -f ~/.ssh/identities.d/work/id_example ``` @@ -218,7 +218,7 @@ agent: ```sh echo 'export SSH_AUTH_SOCK=/tmp/qusal-ssh-agent-forwarder/work.sock; SSH_AGENT_PID="$(pgrep -f "/tmp/qusal-ssh-agent-forwarder/work.sock")"; -' | tee -a ~/.profile +' | tee -a -- ~/.profile ``` #### Multiple agents per client diff --git a/salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service b/salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service index b841abb..e0e5ad7 100644 --- a/salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service +++ b/salt/sys-ssh-agent/files/client/systemd/qusal-ssh-agent-forwarder@.service 
@@ -10,7 +10,7 @@ User=user Group=user Type=simple UMask=0177 -ExecStartPre=/usr/bin/mkdir -m 700 -p %T/%p +ExecStartPre=/usr/bin/mkdir -m 700 -p -- %T/%p ExecStartPre=/usr/bin/ssh-agent -a %T/%p/%i.sock ExecStart=/usr/bin/socat UNIX-LISTEN:"%T/%p/%i.sock,unlink-early,reuseaddr,fork" EXEC:"qrexec-client-vm -- @default qusal.SshAgent+%i" diff --git a/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent b/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent index e84fd13..af10baa 100755 --- a/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent +++ b/salt/sys-ssh-agent/files/server/bin/qvm-ssh-agent @@ -23,14 +23,14 @@ Example: ls_agent(){ socket="/tmp/${service}/${agent}.sock" test -S "${socket}" || return 1 - agent="$(echo "${socket}" | sed "s|.*${service}/||;s/\.sock//")" + agent="$(echo "${socket}" | sed -e "s|.*${service}/||;s/\.sock//")" echo "Agent: (${agent}) ${socket}" SSH_AUTH_SOCK="${socket}" ssh-add -l || true } add_agent(){ # shellcheck disable=SC2174 - mkdir -m 0700 -p "/tmp/${service}" + mkdir -m 0700 -p -- "/tmp/${service}" dir="${HOME}/.ssh/identities.d/${agent}" if ! test -d "${dir}"; then echo "Directory not found: ${dir}" >&2 @@ -45,8 +45,8 @@ add_agent(){ if ! test "${reload_agent}" = "1"; then return fi - keys="$(grep -sl -- "-----BEGIN OPENSSH PRIVATE KEY-----" \ - "${HOME}/.ssh/identities.d/${dir}"/* || true)" + keys="$(grep -sl -e "-----BEGIN OPENSSH PRIVATE KEY-----" \ + -- "${HOME}/.ssh/identities.d/${dir}"/* || true)" if test -z "${keys}"; then echo "Directory has no key: ${dir}" >&2 return 1 @@ -56,7 +56,7 @@ add_agent(){ test -f "${k}" || continue ssh_add_option="" if test -f "${k}.ssh-add-option"; then - ssh_add_option="$(cat "${k}.ssh-add-option")" + ssh_add_option="$(cat -- "${k}.ssh-add-option")" fi # shellcheck disable=SC2086 SSH_AUTH_SOCK="${socket}" ssh-add ${ssh_add_option} "${k}" diff --git a/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent b/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent index 8c708a0..d5f61d3 100644 
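Review bot: In the second qvm-ssh-agent hunk, `grep -sl -e … -- "${HOME}/.ssh/identities.d/${dir}"/*` prepends the identities directory to `dir`, yet the first hunk sets `dir="${HOME}/.ssh/identities.d/${agent}"` in the same `add_agent` function, so unless `dir` is reassigned in the lines between the hunks the glob resolves to a doubled path that never matches, `-s` hides the error, and the user only sees "Directory has no key"; the operand should be `-- "${dir}"/*`. In the third hunk, `ssh-add ${ssh_add_option} "${k}"` word-splits and glob-expands the contents of the `.ssh-add-option` file; reading it with `IFS= read -r ssh_add_option <"${k}.ssh-add-option"` and restricting it with a `case` pattern before use would keep a stray `*` or whitespace in that file from rewriting the argument list. The lines between the three hunks are not visible here.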
--- a/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent +++ b/salt/sys-ssh-agent/files/server/rpc/qusal.SshAgent @@ -18,7 +18,7 @@ if test -z "${untrusted_agent}"; then die "Agent name is empty" fi -if ! (echo "${untrusted_agent}" | grep -q "^[A-Za-z0-9][A-Za-z0-9_.-]\+$") +if ! (echo "${untrusted_agent}" | grep -q -e "^[A-Za-z0-9][A-Za-z0-9_.-]\+$") then msg="Forbidden characters in agent name." msg="${msg} Allowed chars: letters, numbers, hyphen, underscore and dot." diff --git a/salt/sys-ssh/README.md b/salt/sys-ssh/README.md index 48e7c50..0ae66f6 100644 --- a/salt/sys-ssh/README.md +++ b/salt/sys-ssh/README.md @@ -94,7 +94,7 @@ From the client, mount the server `/home/user` directory as a SSH File System in the client `/home/user/sshfs` directory: ```sh -mkdir ~/sshfs +mkdir -- ~/sshfs sshfs -p 1840 localhost:/home/user /home/user/sshfs ``` diff --git a/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc b/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc index 83b4c8a..d76ec7d 100755 --- a/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc +++ b/salt/sys-syncthing/files/browser/rc.local.d/50-sys-syncthing.rc @@ -4,7 +4,7 @@ # # SPDX-License-Identifier: AGPL-3.0-or-later -cp -r /rw/config/systemd/qusal-syncthing-browser-forwarder* \ +cp -r -- /rw/config/systemd/qusal-syncthing-browser-forwarder* \ /usr/lib/systemd/system/ systemctl daemon-reload systemctl --no-block restart qusal-syncthing-browser-forwarder.socket diff --git a/salt/sys-wireguard/files/admin/bin/qvm-wireguard b/salt/sys-wireguard/files/admin/bin/qvm-wireguard index b91e6eb..11a7739 100755 --- a/salt/sys-wireguard/files/admin/bin/qvm-wireguard +++ b/salt/sys-wireguard/files/admin/bin/qvm-wireguard 
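Review bot: The allow-list check still feeds untrusted input through `echo`, whose treatment of a leading `-n`/`-e` and of backslash sequences depends on the shell; under dash, `a\nb` is printed as two lines `a` and `b`, both of which match `^[A-Za-z0-9][A-Za-z0-9_.-]\+$`, so a name containing `\` is accepted although `\` is outside the allowed set. Use `printf '%s\n' "${untrusted_agent}" | grep -q -e …`, or better a shell pattern that avoids the pipeline and matches the whole value at once: `case "${untrusted_agent}" in ?|[!A-Za-z0-9]*|*[!A-Za-z0-9_.-]*) die "Forbidden characters in agent name";; esac`. Grep matches per line, so if the value can contain a newline (how it is obtained is outside this hunk) the anchors apply to each line rather than to the whole string, which the `case` form avoids.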
@@ -45,13 +45,13 @@ qvm-run "${qube}" -- "test -f ${user_conf}" || { exit 1 } -qvm-run -u root "${qube}" -- "cp ${user_conf} ${system_conf}" +qvm-run -u root "${qube}" -- "cp -- \"${user_conf}\" \"${system_conf}\"" ## TOFU # shellcheck disable=SC2016 endpoint="$(qvm-run -p -u root "${qube}" -- awk '/Endpoint/{print $3}' \ "${system_conf}")" -if echo "${endpoint}" | grep -qF "["; then +if echo "${endpoint}" | grep -qF -e "["; then ip="${ip##[\[]}" ip="${ip%%\]*}" port="${endpoint##*:}" diff --git a/salt/sys-wireguard/files/server/network-hooks.d/50-sys-wireguard b/salt/sys-wireguard/files/server/network-hooks.d/50-sys-wireguard index 8837b2b..1231389 100755 --- a/salt/sys-wireguard/files/server/network-hooks.d/50-sys-wireguard +++ b/salt/sys-wireguard/files/server/network-hooks.d/50-sys-wireguard @@ -6,6 +6,6 @@ set -eu -ln -sf /run/resolvconf/resolv.conf /etc/resolv.conf +ln -sf -- /run/resolvconf/resolv.conf /etc/resolv.conf /rw/config/qubes-firewall.d/50-sys-wireguard-var nft -f /rw/config/qubes-firewall.d/60-sys-wireguard-nat diff --git a/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-var b/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-var index 5f90c2f..275fe3c 100755 --- a/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-var +++ b/salt/sys-wireguard/files/server/qubes-firewall.d/50-sys-wireguard-var @@ -9,12 +9,12 @@ set -eu wg_conf="/etc/wireguard/wireguard.conf" nft_conf="/var/run/wireguard/dnat.nft" -mkdir -p "${nft_conf%/*}" -rm -f "${nft_conf}" -touch "${nft_conf}" +mkdir -p -- "${nft_conf%/*}" +rm -f -- "${nft_conf}" +touch -- "${nft_conf}" set_nft(){ - echo "${*}" | tee -a "${nft_conf}" >/dev/null + echo "${*}" | tee -a -- "${nft_conf}" >/dev/null } set_nft_dnat(){ 
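Review bot: Wrapping the paths in `\"…\"` for `qvm-run -u root "${qube}" -- "cp -- \"${user_conf}\" \"${system_conf}\""` stops word splitting in the qube's shell but not expansion: `$`, backticks and an embedded `"` inside `${user_conf}` are still interpreted by that shell as root, and the context line `qvm-run "${qube}" -- "test -f ${user_conf}"` above the change is not quoted at all. Where `user_conf` originates is outside the hunk; if it comes from the command line, validate it before any command string is built, e.g. `case "${user_conf}" in *[!A-Za-z0-9_./-]*) echo "Invalid path: ${user_conf}" >&2; exit 1;; esac`, and apply the same quoting to the `test -f` command. A short comment on the `cp` line stating that the string is evaluated by a shell inside the qube would make the constraint visible to the next editor.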
@@ -26,7 +26,8 @@ set_nft_dnat(){ set_nft "${rule_prefix} ${rule_suffix}" } -dns="$(grep -s "^\s*DNS\s*=\s*\S\+" "${wg_conf}" | sed "s/.*=//;s/ //g")" +dns="$(grep -s -e "^\s*DNS\s*=\s*\S\+" -- "${wg_conf}" | + sed -e "s/.*=//;s/ //g")" if test -z "${dns}"; then set_nft "insert rule ip qubes custom-dnat drop" @@ -38,22 +39,22 @@ dns_primary="$(echo "${dns}" | cut -d "," -f 1)" dns_secondary="$(echo "${dns}" | cut -d "," -f 2)" dns_primary_ipv="" -if echo "${dns_primary}" | grep -qF ":"; then +if echo "${dns_primary}" | grep -qF -e ":"; then dns_primary_ipv=6 fi dns_secondary_ipv="" -if echo "${dns_secondary}" | grep -qF ":"; then +if echo "${dns_secondary}" | grep -qF -e ":"; then dns_secondary_ipv=6 fi if test -n "${dns}"; then set_nft_dnat "${dns_primary_ipv}" udp "${dns_primary}" set_nft_dnat "${dns_primary_ipv}" tcp "${dns_primary}" - if echo "${dns}" | grep -qF ","; then + if echo "${dns}" | grep -qF -e ","; then set_nft_dnat "${dns_secondary_ipv}" udp "${dns_secondary}" set_nft_dnat "${dns_secondary_ipv}" tcp "${dns_secondary}" fi fi -ln -sf /run/resolvconf/resolv.conf /etc/resolv.conf +ln -sf -- /run/resolvconf/resolv.conf /etc/resolv.conf diff --git a/scripts/pgp-lint.sh b/scripts/pgp-lint.sh index 2243266..82ec54c 100755 --- a/scripts/pgp-lint.sh +++ b/scripts/pgp-lint.sh @@ -12,7 +12,7 @@ test -d "${repo_toplevel}" || exit 1 cd "${repo_toplevel}" unset repo_toplevel -now="$(date +%s)" +now="$(date -- +%s)" fail="0" find_tool="$(./scripts/best-program.sh fd fdfind find)" @@ -46,7 +46,7 @@ fi for key in ${files}; do data="$(gpg --no-keyring --no-auto-check-trustdb --no-autostart \ --with-colons --show-keys "${key}")" - nr="$(echo "${data}" | grep -Ec '^(p|s)ub:')" + nr="$(echo "${data}" | grep -Ec -e '^(p|s)ub:')" ## Threshold in days. threshold="${PGP_LINT_THRESHOLD:-30}" tty_stderr=0 diff --git a/scripts/qubesbuilder-gen.sh b/scripts/qubesbuilder-gen.sh index b7c5fa1..08ff37b 100755 --- a/scripts/qubesbuilder-gen.sh +++ b/scripts/qubesbuilder-gen.sh 
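Review bot: The value extracted from `wireguard.conf` reaches the nft rule text via `set_nft_dnat` without being checked as an address: `grep -s -e "^\s*DNS\s*=\s*\S\+"` accepts tabs around `=`, but the following `sed -e "s/.*=//;s/ //g"` strips only spaces, so a `DNS =<TAB>…` line leaves the tab in `dns` and in the generated rule. Use `s/[[:space:]]//g` in the sed expression, and consider rejecting any `dns_primary`/`dns_secondary` that is not a plain IPv4/IPv6 literal (for example `case "${dns_primary}" in *[!0-9A-Fa-f:.]*) exit 1;; esac`) before `set_nft_dnat`, since the script runs as root under `set -eu` and a malformed line in `${nft_conf}` would presumably fail the firewall script that loads it. When the config has several `DNS =` lines, `dns` spans multiple lines and `cut -d "," -f 1` returns one field per line, so `dns_primary` can itself be multi-line; appending `| head -n 1` (or `sed -n 1p`) would make the "first entry wins" selection explicit.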
@@ -23,14 +23,14 @@ if test "${1-}" = "test"; then fi ignored="$(git ls-files --exclude-standard --others --ignored salt/)" untracked="$(git ls-files --exclude-standard --others salt/)" -unwanted="$(printf %s"${ignored}\n${untracked}\n" | - grep "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)" +unwanted="$(printf '%s\n%s\n' "${ignored}" "${untracked}" | + grep -e "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)" group="$(./scripts/spec-get.sh dom0 group)" projects="$(find salt/ -mindepth 1 -maxdepth 1 -type d | sort -d | - sed "s|^salt/\(\S\+\)| - rpm_spec/${group}-\1.spec|")" + sed -e "s|^salt/\(\S\+\)| - rpm_spec/${group}-\1.spec|")" for unwanted_project in ${unwanted}; do projects="$(echo "${projects}" | - sed "\@rpm_spec/${group}-${unwanted_project}.spec@d")" + sed -e "\@rpm_spec/${group}-${unwanted_project}.spec@d")" done if test "${1-}" = "print"; then @@ -38,10 +38,10 @@ if test "${1-}" = "print"; then exit 0 fi -sed -e "/@SPEC@/d" "${template}" | tee "${target}" >/dev/null -echo "${projects}" | tee -a "${target}" >/dev/null +sed -e "/@SPEC@/d" -- "${template}" | tee -- "${target}" >/dev/null +echo "${projects}" | tee -a -- "${target}" >/dev/null if test "${1-}" = "test"; then - if ! cmp -s "${target}" "${intended_target}"; then + if ! cmp -s -- "${target}" "${intended_target}"; then echo "${0##*/}: error: File ${intended_target} is not up to date" >&2 echo "${0##*/}: error: Update the builder file with: ${0##/*}" >&2 exit 1 diff --git a/scripts/salt-fix.sh b/scripts/salt-fix.sh index dba8a53..dfd7b1f 100755 --- a/scripts/salt-fix.sh +++ b/scripts/salt-fix.sh 
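Review bot: In the second hunk the context line `echo "${0##*/}: error: Update the builder file with: ${0##/*}" >&2` uses `${0##/*}`, which strips the longest prefix matching `/*`; for an absolute `$0` that is the whole string and the hint prints empty, so it was presumably meant to be `${0##*/}` as on the line above it. The new `printf '%s\n%s\n' "${ignored}" "${untracked}"` correctly stops the file lists from being used as a format string. `sed -e "\@rpm_spec/${group}-${unwanted_project}.spec@d"` in the first hunk still interpolates a directory name into a sed address; that is acceptable for names produced by `git ls-files` under `salt/`, but a one-line comment stating that assumption (`## names come from git ls-files, no sed metacharacters expected`) would record it.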
@@ -24,24 +24,24 @@ case "${find_tool}" in fd|fdfind) conf_files="$(${find_tool} . minion.d/ -e conf)" sls_files="$(${find_tool} . salt/ -d 2 -t f -e sls)" - files="${conf_files}\n${sls_files}" + set -- ${conf_files} ${sls_files} ;; find) conf_files="$(find minion.d/ -type f -name "*.conf")" sls_files="$(find salt/ -maxdepth 2 -type f -name '*.sls')" - files="${conf_files}\n${sls_files}" + set -- ${conf_files} ${sls_files} ;; *) echo "Unsupported find tool" >&2; exit 1;; esac ## 201 - Fix trailing whitespace: -sed -i'' -e's/[[:space:]]*$//' ${files} +sed -i'' -e 's/[[:space:]]*$//' -- "${@}" ## 206 - Fix spacing around {{ var_name }}, eg. {{env}} --> {{ env }}: -sed -i'' -E "s/\{\{\s?([^}]*[^} ])\s?\}\}/\{\{ \1 \}\}/g" ${files} +sed -i'' -E -e "s/\{\{\s?([^}]*[^} ])\s?\}\}/\{\{ \1 \}\}/g" -- "${@}" ## 207 - Add quotes around numeric values that start with a 0: -sed -i'' -E "s/\b(minute|hour): (0[0-7]?)\$/\1: '\2'/" ${files} +sed -i'' -E -e "s/\b(minute|hour): (0[0-7]?)\$/\1: '\2'/" -- "${@}" ## 208 - Make dir_mode, file_mode and mode arguments in the desired syntax: -sed -i'' -E "s/\b(dir_|file_|)mode: 0?([0-7]{3})/\1mode: '0\2'/" ${files} +sed -i'' -E -e "s/\b(dir_|file_|)mode: 0?([0-7]{3})/\1mode: '0\2'/" -- "${@}" diff --git a/scripts/salt-lint.sh b/scripts/salt-lint.sh index fca6e5b..ed31b0a 100755 --- a/scripts/salt-lint.sh +++ b/scripts/salt-lint.sh 
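Review bot: `set -- ${conf_files} ${sls_files}` relies on unquoted expansion, so the file list is split on every IFS character and each word is glob-expanded; a path containing whitespace or `*` would be broken or substituted before the in-place `sed -i` runs over it. Bracketing the assignment with `set -f` / `set +f` blocks the glob expansion, and setting `IFS` to a single newline for the duration keeps whitespace in names intact, which is the only safe way to consume the newline-separated output of `find`/`fd` without arrays in POSIX sh. When both lists are empty, `sed -i` receives no operands and errors out rather than doing nothing, so an explicit `test "${#}" -gt 0 || exit 0` after the `case` would make that path deliberate. The same `set --` pattern is introduced in scripts/salt-lint.sh in this commit, where the same notes apply.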
@@ -38,16 +38,16 @@ case "${find_tool}" in conf_files="$(${find_tool} . minion.d/ -e conf)" sls_files="$(${find_tool} . salt/ -d 2 -t f -e sls -e top -e jinja \ -e j2 -e tmpl -e tst | sort -d)" - files="${conf_files}\n${sls_files}" + set -- ${conf_files} ${sls_files} ;; find) conf_files="$(find minion.d/ -type f -name "*.conf")" sls_files="$(find salt/* -maxdepth 2 -type f \ \( -name '*.sls' -o -name '*.top' -o -name '*.jinja' \ -o -name '*.j2' -o -name '*.tmpl' -o -name '*.tst' \) | sort -d)" - files="${conf_files}\n${sls_files}" + set -- ${conf_files} ${sls_files} ;; *) echo "Unsupported find tool" >&2; exit 1;; esac -exec salt-lint ${conf} ${files} +exec salt-lint ${conf} "${@}" diff --git a/scripts/setup.sh b/scripts/setup.sh index 8146465..5262be8 100755 --- a/scripts/setup.sh +++ b/scripts/setup.sh @@ -17,7 +17,7 @@ file_roots="/srv/salt/${group}" cd "${0%/*}"/.. ## Avoid having extra unwanted files. -rm -rf "${file_roots}" -cp -f minion.d/*.conf /etc/salt/minion.d/ -mkdir -p "${file_roots}" -cp -r salt/* "${file_roots}" +rm -rf -- "${file_roots}" +cp -f -- minion.d/*.conf /etc/salt/minion.d/ +mkdir -p -- "${file_roots}" +cp -r -- salt/* "${file_roots}" diff --git a/scripts/shell-lint.sh b/scripts/shell-lint.sh index 061d16f..7e552c2 100755 --- a/scripts/shell-lint.sh +++ b/scripts/shell-lint.sh @@ -24,7 +24,7 @@ show_long_lines(){ if test -t 2; then tty_stderr=1 fi - awk -v color="${tty_stderr}" ' + awk -v color="${tty_stderr}" -- ' BEGIN { exit_code=0 MAGENTA="" diff --git a/scripts/spec-build.sh b/scripts/spec-build.sh index 59e677f..74cc627 100755 --- a/scripts/spec-build.sh +++ b/scripts/spec-build.sh 
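Review bot: In scripts/setup.sh, `rm -rf -- "${file_roots}"` with `file_roots="/srv/salt/${group}"` (context above the hunk) deletes `/srv/salt` itself whenever `group` expands empty, and the script evidently runs as root given the copy into `/etc/salt/minion.d/`. Where `group` is assigned is outside the hunk; guarding the expansion, `file_roots="/srv/salt/${group:?group must be set}"`, or `: "${group:?}"` before the `rm`, turns that case into an error instead of a deletion of every formula under `/srv/salt`. The `--` added to `cp -f -- minion.d/*.conf` does not change the no-match case: the literal pattern is passed to cp and it fails, which may be intended but deserves a comment.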
@@ -25,17 +25,17 @@ build_rpm(){ rpmlint "${spec}" fi - if grep -q "^BuildRequires: " "${spec}"; then + if grep -q -e "^BuildRequires: " -- "${spec}"; then sudo dnf build-dep "${spec}" fi - mkdir -p \ + mkdir -p -- \ "${build_dir}/BUILD/${group}-${project}/LICENSES/" \ "${build_dir}/SOURCES/${group}-${project}/LICENSES" ## TODO: generate tarball to sources. - cp -r . "${build_dir}/BUILD/${group}-${project}/" - cp -r . "${build_dir}/SOURCES/${group}-${project}/" + cp -r -- . "${build_dir}/BUILD/${group}-${project}/" + cp -r -- . "${build_dir}/SOURCES/${group}-${project}/" ## TODO: use qubes-builderv2 with mock or qubes executor rpmbuild -ba --quiet --clean -- "${spec}" @@ -49,7 +49,7 @@ build_rpm(){ dbpath="$(mktemp -d)" trap 'rm -rf -- "${dbpath}"' EXIT INT HUP QUIT ABRT tmp_file="${dbpath}/${key_id}.asc" - "${gpg}" --export --armor "${key_id}" | tee "${tmp_file}" >/dev/null + "${gpg}" --export --armor "${key_id}" | tee -- "${tmp_file}" >/dev/null rpmkeys --dbpath="${dbpath}" --import "${tmp_file}" ## TODO: target only the latest release rpmkeys --dbpath="${dbpath}" --checksig --verbose \ @@ -73,7 +73,7 @@ build_dir="${HOME}/rpmbuild" if command -v rpmdev-setuptree >/dev/null; then rpmdev-setuptree else - mkdir -p \ + mkdir -p -- \ "${build_dir}/BUILD" "${build_dir}/BUILDROOT" "${build_dir}/RPMS" \ "${build_dir}/SOURCES" "${build_dir}/SPECS" "${build_dir}/SRPMS" fi diff --git a/scripts/spec-gen.sh b/scripts/spec-gen.sh index 9854d88..43a531e 100755 --- a/scripts/spec-gen.sh +++ b/scripts/spec-gen.sh @@ -14,9 +14,9 @@ usage(){ escape_key(){ key_type="${1}" if test "${key_type}" = "scriptlet"; then - echo "${2}" | sed ':a;N;$!ba;s/\n/\\n /g' | sed 's/\$/\\$/' + echo "${2}" | sed -e ':a;N;$!ba;s/\n/\\n /g' | sed -e 's/\$/\\$/' elif test "${key_type}" = "text"; then - echo "${2}" | sed ':a;N;$!ba;s/\n/\\n/g' | sed 's/\$/\\$/' + echo "${2}" | sed -e ':a;N;$!ba;s/\n/\\n/g' | sed -e 's/\$/\\$/' else return 1 fi 
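Review bot: The commit's stated purpose is explicit end-of-options, but the first hunk still passes `${spec}` positionally in `rpmlint "${spec}"` and `sudo dnf build-dep "${spec}"`, and the second does so in `rpmkeys --dbpath="${dbpath}" --import "${tmp_file}"`; if `${spec}` can be a relative path derived from user input the same `--` treatment belongs there, provided those tools accept it (argparse-based tools do). `build_rpm` starts before the first hunk, so where `spec`, `group` and `project` come from is not visible. `cp -r -- . "${build_dir}/BUILD/…"` and the SOURCES copy take the entire working tree, including `.git` and any local untracked files, into the build and source trees; the TODO already says a tarball should replace this, and until then `git archive` or an explicit exclusion would keep unrelated local files out of the produced SRPM.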
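Review bot: In `escape_key`, `sed -e 's/\$/\\$/'` has no `g` flag, and because the preceding `sed -e ':a;N;$!ba;s/\n/\\n /g'` folds the whole input into one line, only the first `$` in the entire scriptlet is escaped; any later `$var` reaches the spec unescaped, where rpm macro expansion or the scriptlet shell will interpret it. Both branches should read `sed -e 's/\$/\\$/g'`. A one-line header comment on the function, `## Fold $2 into a single line and escape $ for the spec template; "scriptlet" keeps a space after each folded newline`, would also make the two otherwise near-identical branches easier to tell apart.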
@@ -29,9 +29,9 @@ get_scriptlet(){ scriptlet="$1" scriptlet_begin="-- pkg:begin:${scriptlet} --" scriptlet_end="-- pkg:end:${scriptlet} --" - scriptlet="$(sed -n \ + scriptlet="$(sed -n -e \ "/^<\!${scriptlet_begin}>$/,/^<\!${scriptlet_end}>$/p" \ - "${readme}" | sed '/^```.*/d;/^\S*$/d;/^<\!-- pkg:/d;s/^sudo //')" + -- "${readme}" | sed -e '/^```.*/d;/^\S*$/d;/^<\!-- pkg:/d;s/^sudo //')" if test -z "${scriptlet}"; then echo true return 0 @@ -44,13 +44,13 @@ get_spec(){ } gen_spec(){ - project="$(echo "${1}" | sed "s|salt/||;s|/.*||")" - if echo "${projects_seen}" | grep -qF " ${project} "; then + project="$(echo "${1}" | sed -e "s|salt/||;s|/.*||")" + if echo "${projects_seen}" | grep -qF -e " ${project} "; then return fi projects_seen="${projects_seen} ${project} " - if echo "${unwanted}" | grep -q "^${project}$"; then + if echo "${unwanted}" | grep -q -e "^${project}$"; then echo "warn: skipping spec generation of untracked formula: ${project}" >&2 return 0 fi @@ -74,7 +74,7 @@ gen_spec(){ version="$(get_spec version)" license_csv="$(get_spec license_csv)" ## Ideally we would query the license, but it is a heavy call. - license="$(echo "${license_csv}" | sed "s/\,/ AND /g")" + license="$(echo "${license_csv}" | sed -e "s/\,/ AND /g")" vendor="$(get_spec vendor)" packager="$(get_spec packager)" url="$(get_spec url)" 
@@ -118,22 +118,23 @@ gen_spec(){ -e "s|@URL@|${url}|" \ -e "s|@DESCRIPTION@|${description}|" \ -e "/@CHANGELOG@/d" \ - "${template}" | tee "${target}" >/dev/null + -- "${template}" | tee -- "${target}" >/dev/null requires_key="" - for r in $(printf %s"${requires}" | tr " " "\n" | sort -u); do + for r in $(printf '%s' "${requires}" | tr " " "\n" | sort -u); do requires_key="${requires_key:-}Requires: ${group}-${r}\n" done - sed -i "s/@REQUIRES@/${requires_key}/" "${target}" >/dev/null - echo "${changelog}" | tee -a "${target}" >/dev/null + sed -i -e "s/@REQUIRES@/${requires_key}/" -- "${target}" >/dev/null + echo "${changelog}" | tee -a -- "${target}" >/dev/null if test "${2-}" = "test"; then - if ! cmp -s "${target}" "${intended_target}"; then + if ! cmp -s -- "${target}" "${intended_target}"; then echo "error: ${intended_target} is not up to date" >&2 - diff --color=auto "${intended_target}" "${target}" || true + diff --color=auto -- "${intended_target}" "${target}" || true fail=1 else - unstaged_target="$(git diff --name-only "${intended_target}")" || true + unstaged_target="$(git diff --name-only -- "${intended_target}")" || + true if test -n "${unstaged_target}"; then echo "warn: ${intended_target} is up to date but it is not staged" >&2 fi @@ -155,8 +156,8 @@ unset repo_toplevel spec_get="./scripts/spec-get.sh" ignored="$(git ls-files --exclude-standard --others --ignored salt/)" untracked="$(git ls-files --exclude-standard --others salt/)" -unwanted="$(printf %s"${ignored}\n${untracked}\n" \ - | grep "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)" +unwanted="$(printf '%s\n%s\n' "${ignored}" "${untracked}" \ + | grep -e "^salt/\S\+/README.md" | cut -d "/" -f2 | sort -u)" fail="" gen_mode="" @@ -166,7 +167,7 @@ if test "${1-}" = "test"; then shift fi -if echo "${@}" | grep -qE "(^scripts/| scripts/|/template.spec)" || +if echo "${@}" | grep -qE -e "(^scripts/| scripts/|/template.spec)" || test -z "${1-}" then # shellcheck disable=SC2046,SC2312 
diff --git a/scripts/spec-get.sh b/scripts/spec-get.sh index 46c4180..02be8e8 100755 --- a/scripts/spec-get.sh +++ b/scripts/spec-get.sh @@ -142,10 +142,10 @@ if test "${key}" = "saltfiles" || test "${key}" = "requires"; then saltfiles="$(find "${project_dir}" -maxdepth 1 -name "*.sls")" # shellcheck disable=SC2086 if test -n "${saltfiles}"; then - requires="$(sed -n '/^include:$/,/^\s*$/p' -- ${saltfiles} | - sed "/^\s*- \./d;/{/d" | grep "^\s*- " | cut -d "." -f1 | sort -u | - sed "s/- //")" - if grep -qrn "{%-\? from \('\|\"\)utils" ${saltfiles}; then + requires="$(sed -n -e '/^include:$/,/^\s*$/p' -- ${saltfiles} | + sed -e "/^\s*- \./d;/{/d" | grep -e "^\s*- " | cut -d "." -f1 | + sort -u | sed -e "s/- //")" + if grep -qrn -e "{%-\? from \('\|\"\)utils" ${saltfiles}; then if test -n "${requires}"; then requires="${requires} utils" else @@ -156,7 +156,7 @@ if test "${key}" = "saltfiles" || test "${key}" = "requires"; then requires="" fi requires_valid="" - for r in $(printf %s"${requires}" | tr " " "\n"); do + for r in $(printf '%s' "${requires}" | tr " " "\n"); do if ! test -d "salt/${r}"; then continue fi diff --git a/scripts/toc-gen.sh b/scripts/toc-gen.sh index 11833e4..ffbcebe 100755 --- a/scripts/toc-gen.sh +++ b/scripts/toc-gen.sh @@ -31,7 +31,7 @@ for f in "${@}"; do echo "Error: Not a regular file: ${f}" >&2 exit 1 fi - if ! grep -q "^## Table of Contents$" "${f}"; then + if ! grep -q -e "^## Table of Contents$" -- "${f}"; then echo "Could not find table of contents in file: ${f}, skipping" >&2 continue fi diff --git a/scripts/yumrepo-gen.sh b/scripts/yumrepo-gen.sh index 10cf3cd..5aaee2c 100755 --- a/scripts/yumrepo-gen.sh +++ b/scripts/yumrepo-gen.sh 
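Review bot: `grep -qrn -e "{%-\? from \('\|\"\)utils" ${saltfiles}` in the first hunk still lacks the `--` that the `sed -n -e … -- ${saltfiles}` two lines above received in the same commit, and `-r`/`-n` are no-ops with `-q` and an explicit file list; `grep -q -e "…" -- ${saltfiles}` says what is meant. The `# shellcheck disable=SC2086` above the `if` covers the deliberate word-splitting of `${saltfiles}`, which is only safe while `.sls` names under `salt/` contain no whitespace or glob characters; a one-line comment next to the disable stating that assumption would help the next reader. The loop in the second hunk, which keeps only entries for which `salt/${r}` exists, is the check that bounds what reaches the spec's `Requires:` line and is worth a comment saying so.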
@@ -21,9 +21,9 @@ dist="fc37" yum_repo_root="${HOME}/rpmrepo" yum_repo="${yum_repo_root}/${qubes_release}/${repo}/host/${dist}" -mkdir -p "${yum_repo}/rpm" +mkdir -p -- "${yum_repo}/rpm" find "${build_dir}/RPMS/" -type f -name "*.rpm" \ - -exec cp {} "${yum_repo}/rpm/" \; + -exec cp -- {} "${yum_repo}/rpm/" \; createrepo_args="" if test -d "${yum_repo}/repodata"; then
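Review bot: `find … -exec cp -- {} "${yum_repo}/rpm/" \;` forks one `cp` per RPM; `-exec cp -t "${yum_repo}/rpm/" -- {} +` copies the whole batch in one call (`-t` is GNU cp, which the `fc37` dist string implies is available). With the `\;` form a failing `cp` only affects the `-exec` test and `find` still exits 0, so a partially populated repository goes unnoticed unless the visible lines' surroundings check for it; with `+`, GNU find itself returns non-zero when a `cp` invocation fails.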