From 7490ba92a472c126ce5af3ba02f6f3f64656b530 Mon Sep 17 00:00:00 2001
From: simonmicro <simon@simonmicro.de>
Date: Sat, 11 Apr 2026 16:26:55 +0200
Subject: [PATCH] Fixed hardening to allow already dropped users to access the
 app-dir, fixes #139

Signed-off-by: simonmicro <simon@simonmicro.de>
---
 docker/docker-py3-kms-minimal/Dockerfile | 9 ++++-----
 docker/docker-py3-kms/Dockerfile         | 9 ++++-----
 2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/docker/docker-py3-kms-minimal/Dockerfile b/docker/docker-py3-kms-minimal/Dockerfile
index 4fb1f36..64204e5 100644
--- a/docker/docker-py3-kms-minimal/Dockerfile
+++ b/docker/docker-py3-kms-minimal/Dockerfile
@@ -36,11 +36,10 @@ COPY docker/start.py /usr/bin/start.py
 RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py
 
 # Additional permission hardening: All files read-only for the executing user
-RUN chown root: -R /home/py-kms && \
-    chmod 444 -R /home/py-kms && \
-    chown py-kms: /home/py-kms && \
-    chmod 700 /home/py-kms && \
-    find /home/py-kms -type d -print -exec chmod +x {} ';'
+RUN find /home/py-kms -type f -print -exec chmod 444 {} ';' && \
+    find /home/py-kms -type d -print -exec chmod 555 {} ';' && \
+    chown root: -R /home/py-kms && \
+    chown py-kms: /home/py-kms
 
 WORKDIR /home/py-kms
 
diff --git a/docker/docker-py3-kms/Dockerfile b/docker/docker-py3-kms/Dockerfile
index 3c9846d..4b5e387 100644
--- a/docker/docker-py3-kms/Dockerfile
+++ b/docker/docker-py3-kms/Dockerfile
@@ -42,11 +42,10 @@ COPY docker/start.py /usr/bin/start.py
 RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py
 
 # Additional permission hardening: All files read-only for the executing user
-RUN chown root: -R /home/py-kms && \
-    chmod 444 -R /home/py-kms && \
-    chown py-kms: /home/py-kms && \
-    chmod 700 /home/py-kms && \
-    find /home/py-kms -type d -print -exec chmod +x {} ';'
+RUN find /home/py-kms -type f -print -exec chmod 444 {} ';' && \
+    find /home/py-kms -type d -print -exec chmod 555 {} ';' && \
+    chown root: -R /home/py-kms && \
+    chown py-kms: /home/py-kms
 
 # Web-interface specifics
 COPY LICENSE /LICENSE