Skip to content

fix: drop privileges for bgl_oneshot entrypoint#2

Open
tolga-tom-nook wants to merge 1 commit into
BitgesellOfficial:mainfrom
tolga-tom-nook:fix/entrypoint-bgl-oneshot-privdrop
Open

fix: drop privileges for bgl_oneshot entrypoint#2
tolga-tom-nook wants to merge 1 commit into
BitgesellOfficial:mainfrom
tolga-tom-nook:fix/entrypoint-bgl-oneshot-privdrop

Conversation

@tolga-tom-nook

Copy link
Copy Markdown

Summary

  • Fixes the root-entrypoint privilege drop guard to match this image's actual bgl_oneshot command instead of the stale btc_oneshot name.
  • Adds a shell regression test that stubs id, chown, gosu, and bgl_oneshot to prove option-style startup is rewritten and re-execed through gosu BGL when running as root.

Validation

  • RED: upstream docker-entrypoint.sh failed the new regression with entrypoint executed bgl_oneshot directly instead of dropping privileges.
  • GREEN: sh -n docker-entrypoint.sh
  • GREEN: sh -n test/entrypoint.sh
  • GREEN: sh test/entrypoint.sh
  • GREEN: git diff --check

Bounty context: submitted for Bitgesell improvement/PR bounty consideration under BitgesellOfficial/bitgesell#81 and #39.

@MyTH-zyxeon

Copy link
Copy Markdown

Maintainer review note for the #81/#39 bounty queue:

I checked head e2a410c: this is a focused Bitgesell-specific entrypoint fix. The important behavior is changing the root privilege-drop branch from the stale btc_oneshot command name to bgl_oneshot, with a shell-level regression test that stubs id, chown, gosu, and bgl_oneshot.

Acceptance checks:

  • Validate the container's actual oneshot command is bgl_oneshot in the maintained image, so the renamed branch matches runtime behavior.
  • Run sh test/entrypoint.sh in a clean checkout; it should prove root execution goes through gosu BGL ./docker-entrypoint.sh bgl_oneshot ... instead of directly executing bgl_oneshot.
  • Check the test portability assumptions: /bin/sh, mktemp -d, diff -u, and the mocked command lookup through PATH should work in the maintainer CI/base image.
  • Preserve the no-newline finding in test/entrypoint.sh only if intentional; otherwise add a trailing newline before merge to keep future diffs clean.

No wallet/key/node/live-chain scope; this is entrypoint privilege-dropping hygiene only.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants