From b8ae9618c7a8155a91aae8c6d2ca398fca8032f9 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Mon, 2 May 2022 08:52:26 +0200
Subject: [PATCH 1/2] reduce docker image volume permissions and update alpine
---
 .../unreleased/change-ocis-docker-volume-permissions.md | 9 +++++++++
 ocis/docker/Dockerfile.linux.amd64 | 6 +++---
 ocis/docker/Dockerfile.linux.arm | 6 +++---
 ocis/docker/Dockerfile.linux.arm64 | 6 +++---
 4 files changed, 18 insertions(+), 9 deletions(-)
 create mode 100644 changelog/unreleased/change-ocis-docker-volume-permissions.md
diff --git a/changelog/unreleased/change-ocis-docker-volume-permissions.md b/changelog/unreleased/change-ocis-docker-volume-permissions.md
new file mode 100644
index 00000000000..582bd5e4564
--- /dev/null
+++ b/changelog/unreleased/change-ocis-docker-volume-permissions.md
@@ -0,0 +1,9 @@
+Change: Reduce permissions on docker image predeclared volumes
+
+We've lowered the permissions on the predeclared volumes of the oCIS
+docker image from 777 to 700.
+
+This change doesn't affect you, unless you use the docker image with
+the non default uid/guid to start oCIS (default is 1000:1000).
+
+https://github.com/owncloud/ocis/pull/3641
diff --git a/ocis/docker/Dockerfile.linux.amd64 b/ocis/docker/Dockerfile.linux.amd64
index 8d339141362..be3416b9262 100644
--- a/ocis/docker/Dockerfile.linux.amd64
+++ b/ocis/docker/Dockerfile.linux.amd64
@@ -1,4 +1,4 @@
-FROM amd64/alpine:3.14
+FROM amd64/alpine:3.15
 ARG VERSION=""
 ARG REVISION=""
@@ -26,10 +26,10 @@ RUN addgroup -g 1000 -S ocis-group && \
 RUN mkdir -p /var/lib/ocis && \
 chown -R ocis-user:ocis-group /var/lib/ocis && \
- chmod -R 777 /var/lib/ocis && \
+ chmod -R 700 /var/lib/ocis && \
 mkdir -p /etc/ocis && \
 chown -R ocis-user:ocis-group /etc/ocis && \
- chmod -R 777 /etc/ocis
+ chmod -R 700 /etc/ocis
 VOLUME [ "/var/lib/ocis", "/etc/ocis" ]
 WORKDIR /var/lib/ocis
diff --git a/ocis/docker/Dockerfile.linux.arm b/ocis/docker/Dockerfile.linux.arm
index cb6f757b85f..34e18bdf9f0 100644
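Review bot: The `chmod -R 700` lines in the second Dockerfile.linux.amd64 hunk only change the mode that Docker copies into a volume it initialises from the image; a bind mount or a volume created from an earlier image keeps the owner and mode it already has, so existing deployments presumably stay at 777 until an operator tightens them. Neither the Dockerfile nor the changelog entry says so. I would add a comment above the `RUN mkdir -p /var/lib/ocis` instruction, for example `# Mode only seeds volumes created from this image; bind mounts and existing volumes keep their own permissions`. The same applies to the matching hunks in Dockerfile.linux.arm and Dockerfile.linux.arm64.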
--- a/ocis/docker/Dockerfile.linux.arm
+++ b/ocis/docker/Dockerfile.linux.arm
@@ -1,4 +1,4 @@
-FROM arm32v6/alpine:3.14
+FROM arm32v6/alpine:3.15
 ARG VERSION=""
 ARG REVISION=""
@@ -26,10 +26,10 @@ RUN addgroup -g 1000 -S ocis-group && \
 RUN mkdir -p /var/lib/ocis && \
 chown -R ocis-user:ocis-group /var/lib/ocis && \
- chmod -R 777 /var/lib/ocis && \
+ chmod -R 700 /var/lib/ocis && \
 mkdir -p /etc/ocis && \
 chown -R ocis-user:ocis-group /etc/ocis && \
- chmod -R 777 /etc/ocis
+ chmod -R 700 /etc/ocis
 VOLUME [ "/var/lib/ocis", "/etc/ocis" ]
 WORKDIR /var/lib/ocis
diff --git a/ocis/docker/Dockerfile.linux.arm64 b/ocis/docker/Dockerfile.linux.arm64
index 7601ed39e74..324696eb4a3 100644
--- a/ocis/docker/Dockerfile.linux.arm64
+++ b/ocis/docker/Dockerfile.linux.arm64
@@ -1,4 +1,4 @@
-FROM arm64v8/alpine:3.14
+FROM arm64v8/alpine:3.15
 ARG VERSION=""
 ARG REVISION=""
@@ -26,10 +26,10 @@ RUN addgroup -g 1000 -S ocis-group && \
 RUN mkdir -p /var/lib/ocis && \
 chown -R ocis-user:ocis-group /var/lib/ocis && \
- chmod -R 777 /var/lib/ocis && \
+ chmod -R 700 /var/lib/ocis && \
 mkdir -p /etc/ocis && \
 chown -R ocis-user:ocis-group /etc/ocis && \
- chmod -R 777 /etc/ocis
+ chmod -R 700 /etc/ocis
 VOLUME [ "/var/lib/ocis", "/etc/ocis" ]
 WORKDIR /var/lib/ocis
From 1e6b2fef38acb33707bea0e157ee1703521ee721 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Mon, 2 May 2022 15:53:03 +0200
Subject: [PATCH 2/2] change permission to 750
---
 changelog/unreleased/change-ocis-docker-volume-permissions.md | 2 +-
 ocis/docker/Dockerfile.linux.amd64 | 4 ++--
 ocis/docker/Dockerfile.linux.arm | 4 ++--
 ocis/docker/Dockerfile.linux.arm64 | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/changelog/unreleased/change-ocis-docker-volume-permissions.md b/changelog/unreleased/change-ocis-docker-volume-permissions.md
index 582bd5e4564..7069b14ae1b 100644
--- a/changelog/unreleased/change-ocis-docker-volume-permissions.md
+++ b/changelog/unreleased/change-ocis-docker-volume-permissions.md
@@ -1,7 +1,7 @@
 Change: Reduce permissions on docker image predeclared volumes
 We've lowered the permissions on the predeclared volumes of the oCIS
-docker image from 777 to 700.
+docker image from 777 to 750.
 This change doesn't affect you, unless you use the docker image with
 the non default uid/guid to start oCIS (default is 1000:1000).
diff --git a/ocis/docker/Dockerfile.linux.amd64 b/ocis/docker/Dockerfile.linux.amd64
index be3416b9262..f2ac0931e28 100644
--- a/ocis/docker/Dockerfile.linux.amd64
+++ b/ocis/docker/Dockerfile.linux.amd64
@@ -26,10 +26,10 @@ RUN addgroup -g 1000 -S ocis-group && \
 RUN mkdir -p /var/lib/ocis && \
 chown -R ocis-user:ocis-group /var/lib/ocis && \
- chmod -R 700 /var/lib/ocis && \
+ chmod -R 750 /var/lib/ocis && \
 mkdir -p /etc/ocis && \
 chown -R ocis-user:ocis-group /etc/ocis && \
- chmod -R 700 /etc/ocis
+ chmod -R 750 /etc/ocis
 VOLUME [ "/var/lib/ocis", "/etc/ocis" ]
 WORKDIR /var/lib/ocis
diff --git a/ocis/docker/Dockerfile.linux.arm b/ocis/docker/Dockerfile.linux.arm
index 34e18bdf9f0..b9b2d67862e 100644
--- a/ocis/docker/Dockerfile.linux.arm
+++ b/ocis/docker/Dockerfile.linux.arm
@@ -26,10 +26,10 @@ RUN addgroup -g 1000 -S ocis-group && \
 RUN mkdir -p /var/lib/ocis && \
 chown -R ocis-user:ocis-group /var/lib/ocis && \
- chmod -R 700 /var/lib/ocis && \
+ chmod -R 750 /var/lib/ocis && \
 mkdir -p /etc/ocis && \
 chown -R ocis-user:ocis-group /etc/ocis && \
- chmod -R 700 /etc/ocis
+ chmod -R 750 /etc/ocis
 VOLUME [ "/var/lib/ocis", "/etc/ocis" ]
 WORKDIR /var/lib/ocis
diff --git a/ocis/docker/Dockerfile.linux.arm64 b/ocis/docker/Dockerfile.linux.arm64
index 324696eb4a3..6c8b1595467 100644
--- a/ocis/docker/Dockerfile.linux.arm64
+++ b/ocis/docker/Dockerfile.linux.arm64
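Review bot: The switch to `chmod -R 750` on /var/lib/ocis and /etc/ocis in the Dockerfile.linux.amd64 hunk is not explained anywhere in the commit, and the group bits it restores are read and traverse only. Any process running with gid 1000 can now read both directories, including whatever configuration is stored under /etc/ocis, while a container started with a different uid still cannot write its data. I would state the intended group reader in a comment, for example `# 750: ocis-group may read, only ocis-user may write`, or keep 700 if there is none. The matching hunks in Dockerfile.linux.arm and Dockerfile.linux.arm64 carry the same change.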
@@ -26,10 +26,10 @@ RUN addgroup -g 1000 -S ocis-group && \
 RUN mkdir -p /var/lib/ocis && \
 chown -R ocis-user:ocis-group /var/lib/ocis && \
- chmod -R 700 /var/lib/ocis && \
+ chmod -R 750 /var/lib/ocis && \
 mkdir -p /etc/ocis && \
 chown -R ocis-user:ocis-group /etc/ocis && \
- chmod -R 700 /etc/ocis
+ chmod -R 750 /etc/ocis
 VOLUME [ "/var/lib/ocis", "/etc/ocis" ]
 WORKDIR /var/lib/ocis