[GH-ISSUE #1584] Bug: setup.sh continues even if creating ~/archivebox/data fails, causing chown of contents of dir the script is run from #3960

New issue

Closed

opened 2026-03-15 01:07:28 +03:00 by kerem · 7 comments

kerem commented 2026-03-15 01:07:28 +03:00

Owner

Copy link

Originally created by @1over137 on GitHub (Nov 3, 2024).
Original GitHub issue: https://github.com/ArchiveBox/ArchiveBox/issues/1584

Originally assigned to: @pirate on GitHub.

Not a security vulnerability (at least in a way I can think of)
I assume I'm just very unlucky today and I triggered a somewhat dangerous bug in https://github.com/ArchiveBox/ArchiveBox/blob/dev/bin/setup.sh.

Preconditions

• No docker-compose binary (N.B. I don't think this binary is shipped anymore, so that detection will never pass, you might want to consider changing this)
• Having already previously manually ran a command like this, which initializes a archivebox data folder:

docker run -v ~/archivebox:/data -it -d -p 8000:8000 --name=archivebox archivebox/archivebox:latest init --setup

Notice that this chown's ~/archivebox, resulting in permission denied if you try to cd in it. This sets the stage for the bug.

Bug

Going through setup.sh, starting at line 52
github.com/ArchiveBox/ArchiveBox@1148cadd7a/bin/setup.sh (L53)
This fails, but the script continues.
github.com/ArchiveBox/ArchiveBox@1148cadd7a/bin/setup.sh (L54)
This fails, but the script keeps running. We are still in the user's home!
github.com/ArchiveBox/ArchiveBox@1148cadd7a/bin/setup.sh (L58)
This fails, but the script keeps running. We are still in the user's home!
github.com/ArchiveBox/ArchiveBox@1148cadd7a/bin/setup.sh (L59)
This fails because it will refuse to init if folder is non-empty. We are still in the user's home!
github.com/ArchiveBox/ArchiveBox@1148cadd7a/bin/setup.sh (L62)
This runs in the user's home. Many files get chown'd to the user ID 911, including the user's home directory itself. This renders the user unable to access his own files, and requires root to recover.

Some general advice

In general, any commands that can possibly fail in a shell script, when it fails unexpectedly (like the first mkdir -p command) should terminate the entire script. You might want to include a die function and use mkdir -p ~/archivebox/data || die, then it would have killed the script instead of letting it keep going.

Reference: https://stackoverflow.com/questions/7868818/in-bash-is-there-an-equivalent-of-die-error-msg

Questions

What does the program do after that command runs besides chown'ing the files? I'm considering recovering from a backup in case it changed any files.

Originally created by @1over137 on GitHub (Nov 3, 2024). Original GitHub issue: https://github.com/ArchiveBox/ArchiveBox/issues/1584 Originally assigned to: @pirate on GitHub. Not a security vulnerability (at least in a way I can think of) I assume I'm just very unlucky today and I triggered a somewhat dangerous bug in https://github.com/ArchiveBox/ArchiveBox/blob/dev/bin/setup.sh. ## Preconditions - No docker-compose binary (N.B. I don't think this binary is shipped anymore, so that detection will never pass, you might want to consider changing this) - Having already previously manually ran a command like this, which initializes a archivebox data folder: `docker run -v ~/archivebox:/data -it -d -p 8000:8000 --name=archivebox archivebox/archivebox:latest init --setup` Notice that this chown's ~/archivebox, resulting in permission denied if you try to cd in it. This sets the stage for the bug. ## Bug Going through setup.sh, starting at line 52 https://github.com/ArchiveBox/ArchiveBox/blob/1148cadd7aa6ea902668b1a527aa9cba3060c90e/bin/setup.sh#L53 This fails, but the script continues. https://github.com/ArchiveBox/ArchiveBox/blob/1148cadd7aa6ea902668b1a527aa9cba3060c90e/bin/setup.sh#L54 This fails, but the script keeps running. **We are still in the user's home!** https://github.com/ArchiveBox/ArchiveBox/blob/1148cadd7aa6ea902668b1a527aa9cba3060c90e/bin/setup.sh#L58 This fails, but the script keeps running. **We are still in the user's home!** https://github.com/ArchiveBox/ArchiveBox/blob/1148cadd7aa6ea902668b1a527aa9cba3060c90e/bin/setup.sh#L59 This fails because it will refuse to init if folder is non-empty. **We are still in the user's home!** https://github.com/ArchiveBox/ArchiveBox/blob/1148cadd7aa6ea902668b1a527aa9cba3060c90e/bin/setup.sh#L62 **This runs in the user's home.** Many files get chown'd to the user ID 911, including the user's home directory itself. This renders the user unable to access his own files, and requires root to recover. ## Some general advice In general, any commands that can possibly fail in a shell script, when it fails unexpectedly (like the first mkdir -p command) **should terminate the entire script**. You might want to include a `die` function and use `mkdir -p ~/archivebox/data || die`, then it would have killed the script instead of letting it keep going. Reference: https://stackoverflow.com/questions/7868818/in-bash-is-there-an-equivalent-of-die-error-msg ## Questions What does the program do after that command runs besides chown'ing the files? I'm considering recovering from a backup in case it changed any files.

kerem 2026-03-15 01:07:28 +03:00

• closed this issue
• added the
  status: done
  why: security
  size: easy
  labels

kerem commented 2026-03-15 01:07:45 +03:00

Author

Owner

Copy link

@pirate commented on GitHub (Nov 4, 2024):

setup.sh is completely deprecated as of v0.8.6rc0. I'm about to remove it entirely as an install option because I really dont like curl | sh as an install method and have been wanting to remove it for years.

With the new versions you can just do:

pip install archivebox==0.8.5rc50

archivebox install

archivebox install starts with an init, so it should die properly before attempting to chown anything.

Also note the new docker container versions for v0.8.5 and above will autodetect the existing ownership of any passed data dir, so it shouldn't force 911 anymore if you pass it a dir that you've already created.

<!-- gh-comment-id:2453634575 --> @pirate commented on GitHub (Nov 4, 2024): `setup.sh` is completely deprecated as of `v0.8.6rc0`. I'm about to remove it entirely as an install option because [I really dont like `curl | sh` as an install method](https://docs.sweeting.me/s/against-curl-sh) and have been wanting to remove it for years. With the new versions you can just do: ```bash pip install archivebox==0.8.5rc50 archivebox install ``` `archivebox install` starts with an `init`, so it should die properly before attempting to chown anything. Also note the new docker container versions for v0.8.5 and above will autodetect the existing ownership of any passed data dir, so it shouldn't force 911 anymore if you pass it a dir that you've already created.

kerem commented 2026-03-15 01:07:50 +03:00

Author

Owner

Copy link

@pirate commented on GitHub (Nov 4, 2024):

I've updated setup.sh in the meantime: github.com/ArchiveBox/ArchiveBox@fd89de5b91

To see what else the Docker container does on startup to the data dir you can read this script:
https://github.com/ArchiveBox/ArchiveBox/blob/dev/bin/docker_entrypoint.sh

And the init source code here:
github.com/ArchiveBox/ArchiveBox@c1fd2cfa42/archivebox/main.py (L308)

It creates a chowns a few subdirectories, but nothing dangerous that should warrant having to restore your entire ~ from a backup. There are no deletions or edits of files other than ArchiveBox.conf, only creation and chowning.

<!-- gh-comment-id:2453637238 --> @pirate commented on GitHub (Nov 4, 2024): I've updated `setup.sh` in the meantime: https://github.com/ArchiveBox/ArchiveBox/commit/fd89de5b912e2d5c845e6e406e0c364c754fa1f7 To see what else the Docker container does on startup to the data dir you can read this script: https://github.com/ArchiveBox/ArchiveBox/blob/dev/bin/docker_entrypoint.sh And the `init` source code here: https://github.com/ArchiveBox/ArchiveBox/blob/c1fd2cfa42f3c81d4c5a2a3c95733f4804fda938/archivebox/main.py#L308 It creates a chowns a few subdirectories, but nothing dangerous that should warrant having to restore your entire `~` from a backup. There are no deletions or edits of files other than `ArchiveBox.conf`, only creation and `chown`ing.

kerem commented 2026-03-15 01:07:55 +03:00

Author

Owner

Copy link

@1over137 commented on GitHub (Nov 4, 2024):

That's what I figured. The only observable effect seems to be the creation of a logs directory under ~. The chown'ing quickly killed my compositor and the shell which the command runs on, so it probably didn't get to the rest of script.

<!-- gh-comment-id:2453643766 --> @1over137 commented on GitHub (Nov 4, 2024): That's what I figured. The only observable effect seems to be the creation of a logs directory under ~. The chown'ing quickly killed my compositor and the shell which the command runs on, so it probably didn't get to the rest of script.

kerem commented 2026-03-15 01:08:00 +03:00

Author

Owner

Copy link

@pirate commented on GitHub (Nov 4, 2024):

There just a couple others to check for depending on how far it got:

• ./logs
• ./crontabs
• ./archive

<!-- gh-comment-id:2453645686 --> @pirate commented on GitHub (Nov 4, 2024): There just a couple others to check for depending on how far it got: - `./logs` - `./crontabs` - `./archive`

kerem commented 2026-03-15 01:08:05 +03:00

Author

Owner

Copy link

@1over137 commented on GitHub (Nov 4, 2024):

Only logs was created. Also not everything was chown'd, so most likely it got killed in the middle of that find command

<!-- gh-comment-id:2453648627 --> @1over137 commented on GitHub (Nov 4, 2024): Only logs was created. Also not everything was chown'd, so most likely it got killed in the middle of that `find` command

kerem commented 2026-03-15 01:08:10 +03:00

Author

Owner

Copy link

@pirate commented on GitHub (Nov 4, 2024):

I've added an extra step that prevents this at the docker level even if a user doesn't use setup.sh: github.com/ArchiveBox/ArchiveBox@99ed97836f

<!-- gh-comment-id:2453654256 --> @pirate commented on GitHub (Nov 4, 2024): I've added an extra step that prevents this at the docker level even if a user doesn't use `setup.sh`: https://github.com/ArchiveBox/ArchiveBox/commit/99ed97836ff42565a30dcb7ecbf3432778d19d15

kerem commented 2026-03-15 01:08:15 +03:00

Author

Owner

Copy link

@1over137 commented on GitHub (Nov 4, 2024):

I would check for something like .bashrc/.zshrc. Many servers do not have Documents and some do not have a .config

<!-- gh-comment-id:2453659624 --> @1over137 commented on GitHub (Nov 4, 2024): I would check for something like .bashrc/.zshrc. Many servers do not have Documents and some do not have a .config

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

dev

main

abx-dl-refactor

claude/issue-1688-20251229-2233

claude/s3-support-migration-JZQcf

claude/review-snapshot-archive-RJOkr

claude/review-code-quality-macdO

claude/reduce-chrome-duplication-JgWVr

fix/chrome-args-comma-parsing

claude/issue-668-20251229-2145

claude/issue-1664-20251229-2236

v086

claude/improve-test-suite-xm6Bh

claude/typescript-archivebox-rewrite-011CUmPyEmECnkXwyHRT9RPF

claude/archivebox-schema-orm-comparison-011CUn26GurEpLiBUq4zjVLJ

stable

logfire

plugins-browsertrix

v072

link-removal2

v0.8.6rc1

v0.7.3

v0.8.6rc0

v0.8.5rc53

v0.8.5rc51

v0.8.5rc50

v0.8.5rc49

v0.8.5rc48

v0.8.5rc47

v0.8.5rc46

v0.8.5rc45

v0.8.5rc44

v0.8.5rc43

v0.8.5rc42

v0.8.5rc41

v0.8.5rc40

v0.8.5rc39

v0.8.5rc38

v0.8.5rc37

v0.8.5rc36

v0.8.5rc35

v0.8.5rc34

v0.8.5rc33

v0.8.5rc32

v0.8.5rc31

v0.8.5rc30

v0.8.5rc29

v0.8.5rc28

v0.8.5rc27

v0.8.5rc26

v0.8.5rc25

v0.8.5rc24

v0.8.5rc23

v0.8.5rc22

v0.8.5rc13

v0.8.5rc12

v0.8.5rc11

v0.8.5rc10

v0.8.5rc9

v0.8.5rc8

v0.8.5rc6

v0.8.5rc5

v0.8.5rc4

v0.8.5rc3

v0.8.5rc2

v0.8.5-rc

v0.8.4-rc

v0.8.3-rc

v0.8.2-rc

v0.8.0-rc

v0.7.2

v0.7.1

v0.7.0

v0.6.2

v0.6.0

v0.5.6

v0.5.4

v0.5.3

v0.4.24

v0.4.21

v0.4.20

v0.4.19

v0.4.18

v0.4.17

v0.4.16

v0.4.15

v0.4.14

v0.4.13

v0.4.12

v0.4.11

v0.4.9

v0.2.4

v0.2.3

v0.2.2

v0.2.1

v0.2.0

v0.1.0

v0.0.3

v0.0.2

v0.0.1

Labels

Clear labels   

expected: maybe someday

  

expected: next release

  

expected: release after next

  

expected: unlikely unless contributed

  

good first ticket

  

help wanted

  

pull-request

Mirrored from GitHub Pull Request

  

scope: all users

  

scope: windows users

  

size: easy

  

size: hard

  

size: medium

  

size: medium

  

status: backlog

  

status: blocked

  

status: done

  

status: idea-phase

  

status: needs followup

  

status: wip

  

status: wontfix

  

touches: API/CLI/Spec

  

touches: configuration

  

touches: data/schema/architecture

  

touches: dependencies/packaging

  

touches: docs

  

touches: js

  

touches: views/replayers/html/css

  

why: correctness

  

why: functionality

  

why: performance

  

why: security

No labels

expected: maybe someday

expected: next release

expected: release after next

expected: unlikely unless contributed

good first ticket

help wanted

pull-request

scope: all users

scope: windows users

size: easy

size: hard

size: medium

size: medium

status: backlog

status: blocked

status: done

status: idea-phase

status: needs followup

status: wip

status: wontfix

touches: API/CLI/Spec

touches: configuration

touches: data/schema/architecture

touches: dependencies/packaging

touches: docs

touches: js

touches: views/replayers/html/css

why: correctness

why: functionality

why: performance

why: security

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/ArchiveBox#3960

No description provided.