core: harden shell scripts against injection and insecure permissions (#13239)

CanbiZ (MickLesk)
2026-03-23 22:22:23 +01:00
committed by GitHub
parent 283e762b83
commit c8606e9fcc
6 changed files with 25 additions and 13 deletions


@@ -242,7 +242,7 @@ download_gpg_key() {
# Process based on mode
if [[ "$mode" == "dearmor" ]]; then
if gpg --dearmor --yes -o "$output" <"$temp_key" 2>/dev/null; then
if gpg --dearmor --yes -o "$output" <"$temp_key" 2>/dev/null && [[ -s "$output" ]]; then
rm -f "$temp_key"
debug_log "GPG key installed (dearmored): $output"
return 0
@@ -5192,7 +5192,7 @@ _setup_gpu_permissions() {
for nvidia_dev in /dev/nvidia*; do
[[ -e "$nvidia_dev" ]] && {
chgrp video "$nvidia_dev" 2>/dev/null || true
chmod 666 "$nvidia_dev" 2>/dev/null || true
chmod 660 "$nvidia_dev" 2>/dev/null || true
}
done
if [[ -d /dev/nvidia-caps ]]; then
@@ -5200,7 +5200,7 @@ _setup_gpu_permissions() {
for caps_dev in /dev/nvidia-caps/*; do
[[ -e "$caps_dev" ]] && {
chgrp video "$caps_dev" 2>/dev/null || true
chmod 666 "$caps_dev" 2>/dev/null || true
chmod 660 "$caps_dev" 2>/dev/null || true
}
done
fi
@@ -5217,7 +5217,8 @@ _setup_gpu_permissions() {
# /dev/kfd permissions (AMD ROCm)
if [[ -e /dev/kfd ]]; then
chmod 666 /dev/kfd 2>/dev/null || true
chgrp render /dev/kfd 2>/dev/null || true
chmod 660 /dev/kfd 2>/dev/null || true
msg_info "AMD ROCm compute device configured"
fi
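Review bot: In the /dev/kfd block the result of `chgrp render` is discarded (`2>/dev/null || true`) and `chmod 660` runs regardless, so where the `render` group is missing the device ends up 660 under whatever group it already had, while `msg_info "AMD ROCm compute device configured"` is still printed. The same pattern applies to the `chgrp video` / `chmod 660` pairs in the two NVIDIA loops above, where the earlier 666 mode used to mask a failed chgrp. Tightening the mode is the right direction; what is missing is a visible signal when the group change fails, e.g. `chgrp render /dev/kfd 2>/dev/null || debug_log "chgrp render failed for /dev/kfd"`, using the logger already called in download_gpg_key. It is presumably also worth confirming that the accounts that use the GPU are members of `video`/`render`, which these hunks do not show; _setup_gpu_permissions starts and ends outside the visible lines.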