From 91c0b55348bb055c10ff76aa0da12c4ae5387027 Mon Sep 17 00:00:00 2001
From: OlivierGouellain <ogouellain@laposte.net>
Date: Mon, 7 Jun 2021 23:28:49 +0200
Subject: [PATCH] apply the principle of least privilege for main script

---
 image/build.sh                                | 2 +-
 image/service-available/:ssl-tools/startup.sh | 1 -
 image/tool/run                                | 9 ---------
 3 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/image/build.sh b/image/build.sh
index 342444e6..076c5c44 100755
--- a/image/build.sh
+++ b/image/build.sh
@@ -5,7 +5,7 @@ ln -s /container/tool/* /sbin/
 
 mkdir -p /container/service
 mkdir -p /container/environment /container/environment/startup
-chmod 700 /container/environment/ /container/environment/startup
+chmod g+rwX /container/environment/ /container/environment/startup
 
 groupadd -g 8377 docker_env
 
diff --git a/image/service-available/:ssl-tools/startup.sh b/image/service-available/:ssl-tools/startup.sh
index 01890998..1f4564d7 100755
--- a/image/service-available/:ssl-tools/startup.sh
+++ b/image/service-available/:ssl-tools/startup.sh
@@ -1,5 +1,4 @@
 #!/bin/sh -e
 log-helper level eq trace && set -x
 
-chmod 700 "${CONTAINER_SERVICE_DIR}"/:ssl-tools/assets/tool/*
 ln -sf "${CONTAINER_SERVICE_DIR}"/:ssl-tools/assets/tool/* /usr/sbin
diff --git a/image/tool/run b/image/tool/run
index 1f04a553..294526f7 100755
--- a/image/tool/run
+++ b/image/tool/run
@@ -249,7 +249,6 @@ def clear_run_envvars():
 	try:
 		shutil.rmtree(RUN_ENVIRONMENT_DIR)
 		os.makedirs(RUN_ENVIRONMENT_DIR)
-		os.chmod(RUN_ENVIRONMENT_DIR, 700)
 	except:
 		warning("clear_run_envvars: failed at some point...")
 
@@ -366,16 +365,8 @@ def setup_run_directories(args):
 		if not os.path.exists(directory):
 			os.makedirs(directory)
 
-			if directory == RUN_ENVIRONMENT_DIR:
-				os.chmod(directory, 700)
-
 	if not os.path.exists(RUN_ENVIRONMENT_FILE_EXPORT):
 		open(RUN_ENVIRONMENT_FILE_EXPORT, 'a').close()
-		os.chmod(RUN_ENVIRONMENT_FILE_EXPORT, 640)
-		uid = pwd.getpwnam("root").pw_uid
-		gid = grp.getgrnam("docker_env").gr_gid
-		os.chown(RUN_ENVIRONMENT_FILE_EXPORT, uid, gid)
-
 	if state_is_first_start():
 
 		if args.copy_service: