From 43adf55a4b5bbc2b88b30d9917d451ce609c1de3 Mon Sep 17 00:00:00 2001
From: hotyue <52734432+hotyue@users.noreply.github.com>
Date: Tue, 28 Apr 2026 00:58:27 +0000
Subject: [PATCH] =?UTF-8?q?fix(master):=20=E5=AF=B9=E9=BD=90=E5=85=A8?=
 =?UTF-8?q?=E7=BD=91=E9=98=B2=E5=BE=A1=E6=9E=B6=E6=9E=84=EF=BC=8C=E4=B8=BA?=
 =?UTF-8?q?=E5=8F=B8=E4=BB=A4=E9=83=A8=E5=AE=89=E8=A3=85/=E5=8D=B8?=
 =?UTF-8?q?=E8=BD=BD=E5=99=A8=E5=BC=95=E5=85=A5=20mktemp=20=E5=8A=A8?=
 =?UTF-8?q?=E6=80=81=E6=B2=99=E7=9B=92=E4=B8=8E=E6=97=A0=E8=90=BD=E5=9C=B0?=
 =?UTF-8?q?=E5=86=85=E5=AD=98=E6=B5=81=EF=BC=8C=E5=BD=BB=E5=BA=95=E9=98=BB?=
 =?UTF-8?q?=E6=96=AD=20TOCTOU=20=E6=8F=90=E6=9D=83=E5=8A=AB=E6=8C=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 master/install_master.sh | 25 +++++++++++++------------
 master/uninstall_master.sh | 5 ++---
 2 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/master/install_master.sh b/master/install_master.sh
index 1011544..ca6b55a 100755
--- a/master/install_master.sh
+++ b/master/install_master.sh
@@ -14,6 +14,10 @@ if [ "$EUID" -ne 0 ]; then
     exit 1
 fi
 
+# 🟢 [防劫持沙盒] 引入司令部专属随机安全工作区
+SECURE_TMP=$(mktemp -d /tmp/ips_master_install.XXXXXX)
+trap 'rm -rf "$SECURE_TMP"' EXIT HUP INT QUIT TERM
+
 # 你的 GitHub 仓库 Raw 数据直链前缀
 REPO_RAW_URL="https://raw.githubusercontent.com/hotyue/IP-Sentinel/main"
 # 临时改为开发地址用于测试
@@ -68,9 +72,9 @@ else
 
     if [ "$ACTION_CHOICE" == "2" ]; then
         echo -e "\n⏳ 正在拉取卸载程序..."
-        curl -sL "${REPO_RAW_URL}/master/uninstall_master.sh" -o "/tmp/uninstall_master.sh"
-        chmod +x "/tmp/uninstall_master.sh"
-        bash "/tmp/uninstall_master.sh"
+        curl -sL "${REPO_RAW_URL}/master/uninstall_master.sh" -o "${SECURE_TMP}/uninstall_master.sh"
+        chmod +x "${SECURE_TMP}/uninstall_master.sh"
+        bash "${SECURE_TMP}/uninstall_master.sh"
         rm -f "/tmp/uninstall_master.sh"
         exit 0
     fi
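Review bot: The result of `SECURE_TMP=$(mktemp -d /tmp/ips_master_install.XXXXXX)` is never checked, so if mktemp fails the variable is empty, the trap's `rm -rf ""` is a no-op, and every later `"${SECURE_TMP}/..."` path in this script collapses to the filesystem root (`/uninstall_master.sh`, `/tg_master.sh`) — a downloaded file written and executed there as root is a worse position than the old fixed /tmp name. Whether the script runs under `set -e` is not visible in this hunk; an explicit guard does not depend on it: `SECURE_TMP=$(mktemp -d /tmp/ips_master_install.XXXXXX) || { echo "❌ 无法创建安全工作区" >&2; exit 1; }` with the cleanup hardened to `trap 'rm -rf -- "${SECURE_TMP:?}"' EXIT HUP INT QUIT TERM`. The 🟢 comment names the goal but not the mechanism; I would add `# mktemp -d creates a 0700 directory with an unpredictable name, so another local user cannot pre-create or symlink the paths used below` so the next maintainer knows which property must not be weakened.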
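Review bot: `curl -sL ... -o "${SECURE_TMP}/uninstall_master.sh"` still has no `-f`/`--fail` and its exit status is ignored, so on an HTTP error curl writes the error body to the file and exits 0, and the next two lines mark that body executable and run it as root, with `-s` hiding why. Replace the first added line with `curl -fsSL "${REPO_RAW_URL}/master/uninstall_master.sh" -o "${SECURE_TMP}/uninstall_master.sh" || { echo "❌ 拉取卸载程序失败" >&2; exit 1; }`. The unchanged `rm -f "/tmp/uninstall_master.sh"` now deletes the old location rather than the file just created; it can go, since the EXIT trap removes `${SECURE_TMP}` on the `exit 0` that follows. The new directory closes the temp-file race but does not change the trust model — what runs as root is whatever the TLS connection to raw.githubusercontent.com returns, with no checksum or signature check; if that is deliberately out of scope for this change, a comment saying so would help.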
@@ -283,7 +287,7 @@ chmod 600 "$DB_FILE"
 
 # 4. 拉取核心调度代码并执行原子化交接
 echo -e "\n[4/4] 正在拉取新版司令部核心引擎..."
-TMP_MASTER="/tmp/ip_sentinel_master_core_$$"
+TMP_MASTER="${SECURE_TMP}/tg_master.sh"
 curl -sL "${REPO_RAW_URL}/master/tg_master.sh" -o "$TMP_MASTER"
 
 # 🛡️ 防砖终极校验
@@ -335,16 +339,13 @@ EOF
     systemctl enable --now ip-sentinel-master.service
     systemctl restart ip-sentinel-master.service
 
-    # 清理可能残留的历史 Cron
-    crontab -l 2>/dev/null | grep -v "tg_master.sh" > /tmp/cron_master || true
-    [ -f /tmp/cron_master ] && crontab /tmp/cron_master 2>/dev/null
-    rm -f /tmp/cron_master
+    # 清理可能残留的历史 Cron (无落地内存流防劫持)
+    crontab -l 2>/dev/null | grep -v "tg_master.sh" | crontab - >/dev/null 2>&1 || true
 else
     echo "💡 未检测到 Systemd,回退到 Cron 看门狗调度模式..."
-    crontab -l 2>/dev/null | grep -v "tg_master.sh" > /tmp/cron_master || true
-    echo "* * * * * pgrep -f tg_master.sh >/dev/null || nohup bash ${MASTER_DIR}/tg_master.sh >/dev/null 2>&1 &" >> /tmp/cron_master
-    [ -f /tmp/cron_master ] && crontab /tmp/cron_master 2>/dev/null
-    rm -f /tmp/cron_master
+    crontab -l 2>/dev/null | grep -v "tg_master.sh" > "${SECURE_TMP}/cron_master" || true
+    echo "* * * * * pgrep -f tg_master.sh >/dev/null || nohup bash ${MASTER_DIR}/tg_master.sh >/dev/null 2>&1 &" >> "${SECURE_TMP}/cron_master"
+    [ -f "${SECURE_TMP}/cron_master" ] && crontab "${SECURE_TMP}/cron_master" 2>/dev/null
     pgrep -f tg_master.sh >/dev/null || { nohup bash "${MASTER_DIR}/tg_master.sh" >/dev/null 2>&1 & disown 2>/dev/null; }
 fi
 
diff --git a/master/uninstall_master.sh b/master/uninstall_master.sh
index 78cc327..1d5d1b0 100644
--- a/master/uninstall_master.sh
+++ b/master/uninstall_master.sh
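Review bot: `TMP_MASTER="${SECURE_TMP}/tg_master.sh"` keeps the staging file under /tmp, which is frequently a separate tmpfs from the filesystem holding `MASTER_DIR`, so the 原子化交接 promised in the section comment cannot be a rename(2): an `mv` across filesystems becomes copy-then-unlink, and a crash or kill in between leaves a truncated tg_master.sh — the failure the 防砖 check exists to prevent. The handover itself is outside this hunk, so this is inferred from the comment; if it is an `mv`, staging beside the destination keeps it atomic, e.g. `TMP_MASTER=$(mktemp "${MASTER_DIR}/.tg_master.XXXXXX") || exit 1` before the existing curl and `mv -f "$TMP_MASTER" "${MASTER_DIR}/tg_master.sh"` once the check passes (the `chmod 600 "$DB_FILE"` context suggests the install directory already exists here). A staging file in `MASTER_DIR` would then need its own removal on failure, since the EXIT trap only cleans `${SECURE_TMP}`. Independently, `curl -sL` without `-f` means an HTTP error page is what lands in `$TMP_MASTER` on failure, so the check below is the only barrier between that content and execution.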
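Review bot: The two branches now edit root's crontab in two different ways: the systemd branch streams through `crontab -`, while the cron fallback still writes `${SECURE_TMP}/cron_master` and gates on `[ -f "${SECURE_TMP}/cron_master" ]`, a test that is always true because the `>` redirection two lines above created the file. The fallback can use the same pipeline and no file at all: `{ crontab -l 2>/dev/null | grep -v "tg_master.sh"; echo "* * * * * pgrep -f tg_master.sh >/dev/null || nohup bash ${MASTER_DIR}/tg_master.sh >/dev/null 2>&1 &"; } | crontab - 2>/dev/null || true`. In either form, if `crontab -l` fails for any reason other than "no crontab for root" — its stderr is discarded and no `pipefail` is visible here — `crontab -` receives empty (or watchdog-only) input and replaces every existing root cron entry; the removed file-based code behaved the same way, but the new 防劫持 comment reads as if this path were hardened. A one-line `# NOTE: this replaces root's entire crontab; unrelated entries survive only if crontab -l succeeded` above the pipeline would keep that visible.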
@@ -54,9 +54,8 @@ pkill -9 -f "tg_master.sh" >/dev/null 2>&1 || true
 
 # 3. 清除看门狗定时任务 (Cron)
 echo "[3/4] 正在清理系统定时任务 (Cron)..."
-crontab -l 2>/dev/null | grep -v "tg_master.sh" > /tmp/cron_backup
-crontab /tmp/cron_backup
-rm -f /tmp/cron_backup
+# [终极防御] 内存管道流过滤,绝不写硬盘
+crontab -l 2>/dev/null | grep -v "tg_master.sh" | crontab - >/dev/null 2>&1 || true
 
 # 4. 删除所有文件、配置与数据库
 echo "[4/4] 正在抹除核心程序、配置文件与 SQLite 数据库..."
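Review bot: `... | crontab - >/dev/null 2>&1 || true` discards every failure of this step, so the uninstaller reports [3/4] and proceeds to delete the program files even when the watchdog entry is still installed, leaving a cron job that runs `nohup bash .../tg_master.sh` against a missing file every minute. Verify the outcome instead of assuming it, e.g. `crontab -l 2>/dev/null | grep -q "tg_master.sh" && echo "⚠️ Cron 看门狗条目未能移除,请手动 crontab -e 清理" >&2` right after the pipeline. Also, if `crontab -l` fails for a reason other than an absent crontab (stderr is suppressed and no `pipefail` is visible), `crontab -` gets empty input and replaces root's whole crontab — identical to the removed `crontab /tmp/cron_backup` path, so not a regression, but the 终极防御 comment oversells what changed. I would reword it to `# 通过管道原地过滤 crontab,避免在 /tmp 落盘被劫持` so it describes only the hardening actually made.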