Fixed security issue with config file

Dockerfile

@@ -31,4 +31,4 @@ RUN \
 ADD init.sh /init.sh
 ADD domain.sh /domain.sh
 RUN chmod 755 /init.sh /domain.sh
-CMD /init.sh
+CMD [ "/init.sh" ]

README.md

@@ -12,6 +12,7 @@ A well documented, tried and tested Samba Active Directory Domain Controller tha
 * `INSECURELDAP` defaults to `false`. When set to true, it removes the secure LDAP requirement. While this is not recommended for production it is required for some LDAP tools. You can remove it later from the smb.conf file stored in the config directory.
 * `MULTISITE` defaults to `false` and tells the container to connect to an OpenVPN site via an ovpn file with no password. For instance, if you have two locations where you run your domain controllers, they need to be able to interact. The VPN allows them to do that.
 * `NOCOMPLEXITY` defaults to `false`. When set to `true` it removes password complexity requirements including `complexity, history-length, min-pwd-age, max-pwd-age`
+* `LOGLEVEL` can be set to a numeric value (1-10) to override the log level configuration in smb.conf.
 
 ## Volumes for quick start
 * `/etc/localtime:/etc/localtime:ro` - Sets the timezone to match the host

arm.Dockerfile

@@ -28,4 +28,4 @@ RUN \
 ADD init.sh /init.sh
 ADD domain.sh /domain.sh
 RUN chmod 755 /init.sh /domain.sh
-CMD /init.sh setup
+CMD [ "/init.sh" ]

init.sh

@@ -2,6 +2,8 @@
 
 set -e
 
+SUP_CONF="/etc/supervisor/supervisord.conf"
+
 appSetup () {
 
 	# Set variables
@@ -14,7 +16,8 @@ appSetup () {
 	INSECURELDAP=${INSECURELDAP:-false}
 	DNSFORWARDER=${DNSFORWARDER:-NONE}
 	HOSTIP=${HOSTIP:-NONE}
-	DOMAIN_DC=${DOMAIN_DC:-${DOMAIN_DC}}
+	DOMAIN_DC=${DOMAIN_DC:-"dc=${DOMAIN//./,dc=}"}
+	LOGLEVEL=${LOGLEVEL:-DEFAULT}
 
 	LDOMAIN=${DOMAIN,,}
 	UDOMAIN=${DOMAIN^^}
@@ -35,6 +38,13 @@ appSetup () {
 		HOSTIP_OPTION=""
 	fi
 
+	# Set log level override option
+	if [[ "$LOGLEVEL" != "DEFAULT" && $LOGLEVEL =~ ^[0-9]+$ ]]; then
+		LOGLEVEL="--debuglevel=${LOGLEVEL}"
+	else
+		LOGLEVEL=""
+	fi
+
 	# Set up samba
 	mv /etc/krb5.conf /etc/krb5.conf.orig
 	echo "[libdefaults]" > /etc/krb5.conf
@@ -86,22 +96,30 @@ appSetup () {
 	else
 		cp -f /etc/samba/external/smb.conf /etc/samba/smb.conf
 	fi
-        
+
 	# Set up supervisor
-	echo "[supervisord]" > /etc/supervisor/conf.d/supervisord.conf
-	echo "nodaemon=true" >> /etc/supervisor/conf.d/supervisord.conf
-	echo "" >> /etc/supervisor/conf.d/supervisord.conf
-	echo "[program:ntpd]" >> /etc/supervisor/conf.d/supervisord.conf
-	echo "command=/usr/sbin/ntpd -c /etc/ntpd.conf -n" >> /etc/supervisor/conf.d/supervisord.conf
-	echo "[program:samba]" >> /etc/supervisor/conf.d/supervisord.conf
-	echo "command=/usr/sbin/samba -i" >> /etc/supervisor/conf.d/supervisord.conf
+	addSupProg() {
+		echo "" >> ${SUP_CONF}
+		echo "[program:$1]" >> ${SUP_CONF}
+		echo "command = $2" >> ${SUP_CONF}
+		echo "redirect_stderr = true" >> ${SUP_CONF}
+		echo "stdout_logfile = /dev/stdout" >> ${SUP_CONF}
+		echo "stdout_logfile_maxbytes = 0" >> ${SUP_CONF}
+	}
+	echo "[supervisord]" > ${SUP_CONF}
+	echo "nodaemon = true" >> ${SUP_CONF}
+	echo "user = root" >> ${SUP_CONF}
+	echo "pidfile = /var/run/supervisord.pid" >> ${SUP_CONF}
+	echo "logfile = /dev/stdout" >> ${SUP_CONF}
+	echo "logfile_maxbytes = 0" >> ${SUP_CONF}
+	echo "loglevel = info" >> ${SUP_CONF}
+	addSupProg "ntpd" "/usr/sbin/ntpd -c /etc/ntpd.conf -n"
+	addSupProg "samba" "/usr/sbin/samba --interactive --debug-stdout ${LOGLEVEL}"
 	if [[ ${MULTISITE,,} == "true" ]]; then
 		if [[ -n $VPNPID ]]; then
 			kill $VPNPID
 		fi
-		echo "" >> /etc/supervisor/conf.d/supervisord.conf
-		echo "[program:openvpn]" >> /etc/supervisor/conf.d/supervisord.conf
-		echo "command=/usr/sbin/openvpn --config /docker.ovpn" >> /etc/supervisor/conf.d/supervisord.conf
+		addSupProg "openvpn" "/usr/sbin/openvpn --config /docker.ovpn"
 	fi
 
 	echo "server 127.127.1.0" > /etc/ntpd.conf
@@ -168,22 +186,30 @@ schemaIDGUID:: +8nFQ43rpkWTOgbCCcSkqA==" > /tmp/Sshpubkey.class.ldif
 	ldbadd -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/sam.ldb /tmp/Sshpubkey.class.ldif --option="dsdb:schema update allowed"=true
 }
 
+appPostSetup () {
+	echo "Checking on Domain Users of gid 3000000 and setting up sshPublicKey"
+	fixDomainUsersGroup
+	setupSSH
+}
+
 appStart () {
-	/usr/bin/supervisord > /var/log/supervisor/supervisor.log 2>&1 &
-	if [ "${1}" = "true" ]; then
-		echo "Sleeping 10 before checking on Domain Users of gid 3000000 and setting up sshPublicKey"
-		sleep 10
-		fixDomainUsersGroup
-		setupSSH
+	if [[ "${1}" == "true" ]]; then
+		( sleep 15 ; appPostSetup ) &
 	fi
-	while [ ! -f /var/log/supervisor/supervisor.log ]; do
-		echo "Waiting for log files..."
-		sleep 1
-	done
-	sleep 3
-	tail -F /var/log/supervisor/*.log
+	exec /usr/bin/supervisord -c ${SUP_CONF}
 }
 
-appSetup
+appStop () {
+	PIDS=$(jobs -p)
+	echo "" ; echo "Stopping ($PIDS)..." ; echo ""
+	[[ -n ${PIDS} ]] && kill ${PIDS}
+}
+
+# Listen for stop signals
+trap appStop TERM INT
+
+# Setup & start
+appSetup &
 
-exit 0
+# Waiting on procs
+wait