Update author information in homebrew.sh

Add homebrew (addon)
Update CHANGELOG.md (#13245 )
2026-03-24 10:53:00 +01:00 · 2026-03-24 09:48:28 +01:00 · 2026-03-24 08:47:17 +00:00 · 2026-03-23 21:22:47 +00:00 · 2026-03-23 22:22:23 +01:00
8 changed files with 204 additions and 13 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -428,6 +428,12 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit

 ## 2026-03-23

+### 🚀 Updated Scripts
+
+  - #### 🔧 Refactor
+
+    - core: harden shell scripts against injection and insecure permissions [@MickLesk](https://github.com/MickLesk) ([#13239](https://github.com/community-scripts/ProxmoxVE/pull/13239))
+
 ## 2026-03-22

 ### 🆕 New Scripts
--- a/install/shinobi-install.sh
+++ b/install/shinobi-install.sh
@@ -35,7 +35,7 @@ cd Shinobi
 gitVersionNumber=$(git rev-parse HEAD)
 theDateRightNow=$(date)
 touch version.json
-chmod 777 version.json
+chmod 644 version.json
 echo '{"Product" : "'"Shinobi"'" , "Branch" : "'"master"'" , "Version" : "'"$gitVersionNumber"'" , "Date" : "'"$theDateRightNow"'" , "Repository" : "'"https://gitlab.com/Shinobi-Systems/Shinobi.git"'"}' >version.json
 msg_ok "Cloned Shinobi"

--- a/install/tasmoadmin-install.sh
+++ b/install/tasmoadmin-install.sh
@@ -23,7 +23,7 @@ fetch_and_deploy_gh_release "tasmoadmin" "TasmoAdmin/TasmoAdmin" "prebuild" "lat
 msg_info "Configuring TasmoAdmin"
 rm -rf /etc/php/8.4/apache2/conf.d/10-opcache.ini
 chown -R www-data:www-data /var/www/tasmoadmin
-chmod 777 /var/www/tasmoadmin/tmp /var/www/tasmoadmin/data
+chmod 775 /var/www/tasmoadmin/tmp /var/www/tasmoadmin/data
 cat <<EOF >/etc/apache2/sites-available/tasmoadmin.conf
 <VirtualHost *:9999>
 	ServerName tasmoadmin
--- a/misc/build.func
+++ b/misc/build.func
@@ -221,6 +221,11 @@ update_motd_ip() {
    local current_hostname="$(hostname)"
    local current_ip="$(hostname -I | awk '{print $1}')"

+    # Escape sed special chars in replacement strings (& \ |)
+    current_os="${current_os//\\/\\\\}"; current_os="${current_os//&/\\&}"
+    current_hostname="${current_hostname//\\/\\\\}"; current_hostname="${current_hostname//&/\\&}"
+    current_ip="${current_ip//\\/\\\\}"; current_ip="${current_ip//&/\\&}"
+
    # Update only if values actually changed
    if ! grep -q "OS:.*$current_os" "$PROFILE_FILE" 2>/dev/null; then
      sed -i "s|OS:.*|OS: \${GN}$current_os\${CL}\\\"|" "$PROFILE_FILE"
@@ -4076,8 +4081,8 @@ EOF
  if [ "$var_os" == "alpine" ]; then
    sleep 3
    pct exec "$CTID" -- /bin/sh -c 'cat <<EOF >/etc/apk/repositories
-http://dl-cdn.alpinelinux.org/alpine/latest-stable/main
-http://dl-cdn.alpinelinux.org/alpine/latest-stable/community
+https://dl-cdn.alpinelinux.org/alpine/latest-stable/main
+https://dl-cdn.alpinelinux.org/alpine/latest-stable/community
 EOF'
    pct exec "$CTID" -- ash -c "apk add bash newt curl openssh nano mc ncurses jq" >>"$BUILD_LOG" 2>&1 || {
      msg_error "Failed to install base packages in Alpine container"
@@ -4086,7 +4091,9 @@ EOF'
  else
    sleep 3
    LANG=${LANG:-en_US.UTF-8}
-    pct exec "$CTID" -- bash -c "sed -i \"/$LANG/ s/^# //\" /etc/locale.gen"
+    local LANG_ESC="${LANG//./\\.}"
+    LANG_ESC="${LANG_ESC//|/\\|}"
+    pct exec "$CTID" -- bash -c "sed -i \"/$LANG_ESC/ s/^# //\" /etc/locale.gen"
    pct exec "$CTID" -- bash -c "locale_line=\$(grep -v '^#' /etc/locale.gen | grep -E '^[a-zA-Z]' | awk '{print \$1}' | head -n 1) && \
    echo LANG=\$locale_line >/etc/default/locale && \
    locale-gen >/dev/null && \
@@ -4759,6 +4766,10 @@ fix_gpu_gids() {
  pct stop "$CTID" >/dev/null 2>&1
  sleep 1

+  # Validate GIDs are numeric before sed
+  [[ "$render_gid" =~ ^[0-9]+$ ]] || render_gid="104"
+  [[ "$video_gid" =~ ^[0-9]+$ ]] || video_gid="44"
+
  # Update dev entries with correct GIDs
  sed -i.bak -E "s|(dev[0-9]+: /dev/dri/renderD[0-9]+),gid=[0-9]+|\1,gid=${render_gid}|g" "$LXC_CONFIG"
  sed -i -E "s|(dev[0-9]+: /dev/dri/card[0-9]+),gid=[0-9]+|\1,gid=${video_gid}|g" "$LXC_CONFIG"
--- a/misc/install.func
+++ b/misc/install.func
@@ -309,14 +309,14 @@ customize() {
  if [[ "$PASSWORD" == "" ]]; then
    msg_info "Customizing Container"
    GETTY_OVERRIDE="/etc/systemd/system/container-getty@1.service.d/override.conf"
-    mkdir -p $(dirname $GETTY_OVERRIDE)
-    cat <<EOF >$GETTY_OVERRIDE
+    mkdir -p "$(dirname "$GETTY_OVERRIDE")"
+    cat <<EOF >"$GETTY_OVERRIDE"
  [Service]
  ExecStart=
  ExecStart=-/sbin/agetty --autologin root --noclear --keep-baud tty%I 115200,38400,9600 \$TERM
 EOF
    systemctl daemon-reload
-    systemctl restart $(basename $(dirname $GETTY_OVERRIDE) | sed 's/\.d//')
+    systemctl restart "$(basename "$(dirname "$GETTY_OVERRIDE")" | sed 's/\.d//')"
    msg_ok "Customized Container"
  fi
  echo "bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/${app}.sh)\"" >/usr/bin/update
--- a/misc/tools.func
+++ b/misc/tools.func
@@ -242,7 +242,7 @@ download_gpg_key() {

    # Process based on mode
    if [[ "$mode" == "dearmor" ]]; then
-      if gpg --dearmor --yes -o "$output" <"$temp_key" 2>/dev/null; then
+      if gpg --dearmor --yes -o "$output" <"$temp_key" 2>/dev/null && [[ -s "$output" ]]; then
        rm -f "$temp_key"
        debug_log "GPG key installed (dearmored): $output"
        return 0
@@ -5192,7 +5192,7 @@ _setup_gpu_permissions() {
    for nvidia_dev in /dev/nvidia*; do
      [[ -e "$nvidia_dev" ]] && {
        chgrp video "$nvidia_dev" 2>/dev/null || true
-        chmod 666 "$nvidia_dev" 2>/dev/null || true
+        chmod 660 "$nvidia_dev" 2>/dev/null || true
      }
    done
    if [[ -d /dev/nvidia-caps ]]; then
@@ -5200,7 +5200,7 @@ _setup_gpu_permissions() {
      for caps_dev in /dev/nvidia-caps/*; do
        [[ -e "$caps_dev" ]] && {
          chgrp video "$caps_dev" 2>/dev/null || true
-          chmod 666 "$caps_dev" 2>/dev/null || true
+          chmod 660 "$caps_dev" 2>/dev/null || true
        }
      done
    fi
@@ -5217,7 +5217,8 @@ _setup_gpu_permissions() {

  # /dev/kfd permissions (AMD ROCm)
  if [[ -e /dev/kfd ]]; then
-    chmod 666 /dev/kfd 2>/dev/null || true
+    chgrp render /dev/kfd 2>/dev/null || true
+    chmod 660 /dev/kfd 2>/dev/null || true
    msg_info "AMD ROCm compute device configured"
  fi

--- a/tools/addon/homebrew.sh
+++ b/tools/addon/homebrew.sh
@@ -0,0 +1,173 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MorganCSIT | MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://brew.sh | Github: https://github.com/Homebrew/brew
+
+if ! command -v curl &>/dev/null; then
+  printf "\r\e[2K%b" '\033[93m Setup Source \033[m' >&2
+  apt-get update >/dev/null 2>&1
+  apt-get install -y curl >/dev/null 2>&1
+fi
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/core.func)
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/tools.func)
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/error_handler.func)
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/api.func) 2>/dev/null || true
+
+# Enable error handling
+set -Eeuo pipefail
+trap 'error_handler' ERR
+load_functions
+init_tool_telemetry "" "addon"
+
+# ==============================================================================
+# CONFIGURATION
+# ==============================================================================
+VERBOSE=${var_verbose:-no}
+APP="homebrew"
+APP_TYPE="tools"
+INSTALL_PATH="/home/linuxbrew/.linuxbrew"
+
+# ==============================================================================
+# OS DETECTION
+# ==============================================================================
+if [[ -f "/etc/alpine-release" ]]; then
+  echo -e "${CROSS} Alpine is not supported by Homebrew. Exiting."
+  exit 1
+elif grep -qE 'ID=debian|ID=ubuntu' /etc/os-release; then
+  OS="Debian"
+else
+  echo -e "${CROSS} Unsupported OS detected. Exiting."
+  exit 1
+fi
+
+# ==============================================================================
+# UNINSTALL
+# ==============================================================================
+function uninstall() {
+  msg_info "Uninstalling Homebrew"
+
+  BREW_USER=$(awk -F: '$3 >= 1000 && $3 < 65534 { print $1; exit }' /etc/passwd)
+  if [[ -n "$BREW_USER" ]]; then
+    BREW_USER_HOME=$(getent passwd "$BREW_USER" | cut -d: -f6)
+    for rc_file in "$BREW_USER_HOME/.bashrc" "$BREW_USER_HOME/.profile"; do
+      if [[ -f "$rc_file" ]]; then
+        sed -i '/# Homebrew (Linuxbrew)/,/^fi$/d' "$rc_file"
+      fi
+    done
+  fi
+
+  rm -rf /home/linuxbrew
+  rm -f /etc/profile.d/homebrew.sh
+  groupdel linuxbrew &>/dev/null || true
+
+  msg_ok "Homebrew has been uninstalled"
+}
+
+# ==============================================================================
+# INSTALL
+# ==============================================================================
+function install() {
+  msg_info "Detecting Non-Root User"
+  BREW_USER=$(awk -F: '$3 >= 1000 && $3 < 65534 { print $1; exit }' /etc/passwd)
+  if [[ -z "$BREW_USER" ]]; then
+    msg_warn "No non-root user found (uid >= 1000). Homebrew cannot run as root."
+    read -r -p "${TAB}Create a 'brew' user automatically? (y/N): " create_user_prompt
+    if [[ "${create_user_prompt,,}" =~ ^(y|yes)$ ]]; then
+      msg_info "Creating user 'brew'"
+      useradd -m -s /bin/bash brew
+      BREW_USER="brew"
+      msg_ok "Created user 'brew'"
+    else
+      msg_error "Cannot install Homebrew without a non-root user. Exiting."
+      exit 1
+    fi
+  fi
+  msg_ok "Detected User: $BREW_USER"
+
+  msg_info "Installing Dependencies"
+  $STD apt update
+  $STD apt install -y build-essential git file procps
+  msg_ok "Installed Dependencies"
+
+  msg_info "Setting Up Homebrew Prefix"
+  export PATH="/usr/sbin:$PATH"
+  groupadd -f linuxbrew
+  mkdir -p /home/linuxbrew/.linuxbrew
+  chown -R "$BREW_USER":linuxbrew /home/linuxbrew
+  chmod 2775 /home/linuxbrew
+  chmod 2775 /home/linuxbrew/.linuxbrew
+  usermod -aG linuxbrew "$BREW_USER"
+  msg_ok "Set Up Homebrew Prefix"
+
+  msg_info "Installing Homebrew"
+  $STD su - "$BREW_USER" -c 'NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
+  msg_ok "Installed Homebrew"
+
+  msg_info "Configuring Shell Integration"
+  cat <<'EOF' >/etc/profile.d/homebrew.sh
+#!/bin/bash
+if [ -d "/home/linuxbrew/.linuxbrew" ]; then
+    eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+fi
+EOF
+  chmod +x /etc/profile.d/homebrew.sh
+
+  BREW_USER_HOME=$(getent passwd "$BREW_USER" | cut -d: -f6)
+  BREW_SHELL_BLOCK='\n# Homebrew (Linuxbrew)\nif [ -d "/home/linuxbrew/.linuxbrew" ]; then\n    eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"\nfi'
+  for rc_file in "$BREW_USER_HOME/.bashrc" "$BREW_USER_HOME/.profile"; do
+    if ! grep -q 'linuxbrew' "$rc_file" 2>/dev/null; then
+      echo -e "$BREW_SHELL_BLOCK" >>"$rc_file"
+    fi
+  done
+  msg_ok "Configured Shell Integration"
+
+  msg_info "Verifying Installation"
+  $STD su - "$BREW_USER" -c 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" && brew --version'
+  msg_ok "Homebrew Verified"
+
+  echo ""
+  msg_ok "Homebrew installed successfully"
+  msg_ok "Ready for user: ${BL}${BREW_USER}${CL}"
+  echo ""
+  echo -e "${TAB}${INFO} Usage: Switch to the brew user with a login shell:"
+  echo -e "${TAB}  ${BL}su - ${BREW_USER}${CL}"
+  echo -e "${TAB}  Then run: ${BL}brew install <package>${CL}"
+  echo -e "${TAB}  Update with: ${BL}brew update${CL}"
+}
+
+# ==============================================================================
+# MAIN
+# ==============================================================================
+header_info
+
+if [[ -d "$INSTALL_PATH" ]]; then
+  msg_warn "Homebrew is already installed."
+  echo ""
+
+  read -r -p "${TAB}Uninstall Homebrew? (y/N): " uninstall_prompt
+  if [[ "${uninstall_prompt,,}" =~ ^(y|yes)$ ]]; then
+    uninstall
+    exit 0
+  fi
+
+  msg_warn "No action selected. Exiting."
+  exit 0
+fi
+
+# Fresh installation
+msg_warn "Homebrew is not installed."
+echo ""
+echo -e "${TAB}${INFO} This will install:"
+echo -e "${TAB}  - Homebrew (Linuxbrew) package manager"
+echo -e "${TAB}  - Shell integration for the detected non-root user"
+echo ""
+
+read -r -p "${TAB}Install Homebrew? (y/N): " install_prompt
+if [[ "${install_prompt,,}" =~ ^(y|yes)$ ]]; then
+  install
+else
+  msg_warn "Installation cancelled. Exiting."
+  exit 0
+fi
--- a/tools/addon/runtipi.sh
+++ b/tools/addon/runtipi.sh
@@ -150,7 +150,7 @@ function install() {
  curl -fsSL "https://raw.githubusercontent.com/runtipi/runtipi/master/scripts/install.sh" -o "install.sh"
  chmod +x install.sh
  $STD ./install.sh
-  chmod 666 /opt/runtipi/state/settings.json 2>/dev/null || true
+  chmod 660 /opt/runtipi/state/settings.json 2>/dev/null || true
  rm -f /opt/install.sh
  msg_ok "Installed ${APP}"
Author	SHA1	Message	Date
CanbiZ (MickLesk)	f4acb2ee38	Update author information in homebrew.sh	2026-03-24 09:48:28 +01:00
push-app-to-main[bot]	97f08629ae	Add homebrew (addon)	2026-03-24 08:47:17 +00:00
community-scripts-pr-app[bot]	9aa0390553	Update CHANGELOG.md (#13245 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-03-23 21:22:47 +00:00
CanbiZ (MickLesk)	c8606e9fcc	core: harden shell scripts against injection and insecure permissions (#13239 )	2026-03-23 22:22:23 +01:00