From 94419c1a2f6159677d9c6a91f38c58b70b97b0e5 Mon Sep 17 00:00:00 2001
From: simonmicro
Date: Sat, 8 Nov 2025 12:56:11 +0100
Subject: [PATCH] Added more permission hardening

Signed-off-by: simonmicro
---
 docker/docker-py3-kms-minimal/Dockerfile |  7 +++++++
 docker/docker-py3-kms/Dockerfile         |  7 +++++++
 docker/entrypoint.py                     | 20 +++++++++++++-------
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/docker/docker-py3-kms-minimal/Dockerfile b/docker/docker-py3-kms-minimal/Dockerfile
index a2d0df9..765be55 100644
--- a/docker/docker-py3-kms-minimal/Dockerfile
+++ b/docker/docker-py3-kms-minimal/Dockerfile
@@ -35,6 +35,13 @@ COPY docker/healthcheck.py /usr/bin/healthcheck.py
 COPY docker/start.py /usr/bin/start.py
 RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py
 
+# Additional permission hardening: All files read-only for the executing user
+RUN chown root: -R /home/py-kms && \
+    chmod 444 -R /home/py-kms && \
+    chown py-kms: /home/py-kms && \
+    chmod 700 /home/py-kms && \
+    find /home/py-kms -type d -print -exec chmod +x {} ';'
+
 WORKDIR /home/py-kms
 
 EXPOSE ${PORT}/tcp
diff --git a/docker/docker-py3-kms/Dockerfile b/docker/docker-py3-kms/Dockerfile
index 16b3ab5..8ab1531 100644
--- a/docker/docker-py3-kms/Dockerfile
+++ b/docker/docker-py3-kms/Dockerfile
@@ -41,6 +41,13 @@ COPY docker/healthcheck.py /usr/bin/healthcheck.py
 COPY docker/start.py /usr/bin/start.py
 RUN chmod 555 /usr/bin/entrypoint.py /usr/bin/healthcheck.py /usr/bin/start.py
 
+# Additional permission hardening: All files read-only for the executing user
+RUN chown root: -R /home/py-kms && \
+    chmod 444 -R /home/py-kms && \
+    chown py-kms: /home/py-kms && \
+    chmod 700 /home/py-kms && \
+    find /home/py-kms -type d -print -exec chmod +x {} ';'
+
 # Web-interface specifics
 COPY LICENSE /LICENSE
 RUN echo "$BUILD_COMMIT" > /VERSION && echo "$BUILD_BRANCH" >> /VERSION
diff --git a/docker/entrypoint.py b/docker/entrypoint.py
index 8035cd0..80fb347 100755
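Review bot: `chmod 700 /home/py-kms` is immediately undone in part by the following `find /home/py-kms -type d -print -exec chmod +x {} ';'`, because find also visits its starting directory, so the home directory leaves the build with execute bits for group and other (711 under the usual umask) rather than the 700 the line intends. Moving `chmod 700 /home/py-kms` to the end of the chain, after the `find`, yields the stated mode without relying on the entrypoint's runtime `os.chmod`, which presumably only runs when the container starts as root. The `-print` in the same line writes every directory under /home/py-kms into the build log and can be dropped. The identical lines appear in the docker/docker-py3-kms/Dockerfile hunk and the same reorder applies there.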
--- a/docker/entrypoint.py
+++ b/docker/entrypoint.py
@@ -25,29 +25,35 @@ def change_uid_grp(logger):
   new_gid = int(os.getenv('GID', str(gid)))
   new_uid = int(os.getenv('UID', str(uid)))
   os.chown("/home/py-kms", new_uid, new_gid)
-  os.chown("/usr/bin/start.py", new_uid, new_gid)
+  os.chmod("/home/py-kms", 0o700)
+  os.chmod("/usr/bin/start.py", 0o555) # allow execution by non-root users
   if os.path.isdir(dbPath):
     # Corret permissions recursively, as to access the database file, also its parent folder must be accessible
-    logger.debug(f'Correcting owner permissions on {dbPath}.')
+    logger.debug(f'Correcting owner permissions on {dbPath}')
     os.chown(dbPath, new_uid, new_gid)
+    os.chmod(dbPath, 0o700) # executable bit on dirs to allow interaction
     for root, dirs, files in os.walk(dbPath):
       for dName in dirs:
         dPath = os.path.join(root, dName)
-        logger.debug(f'Correcting owner permissions on {dPath}.')
+        logger.debug(f'Correcting owner permissions on {dPath}')
         os.chown(dPath, new_uid, new_gid)
+        os.chmod(dPath, 0o700) # executable bit on dirs to allow interaction
       for fName in files:
         fPath = os.path.join(root, fName)
-        logger.debug(f'Correcting owner permissions on {fPath}.')
+        logger.debug(f'Correcting owner permissions on {fPath}')
         os.chown(fPath, new_uid, new_gid)
+        os.chmod(fPath, 0o600)
     logger.debug(subprocess.check_output(['ls', '-la', dbPath]).decode())
+  else:
+    logger.error(f'Database path {dbPath} is not a directory, will not correct owner permissions.')
   if 'LOGFILE' in os.environ and os.path.exists(os.environ['LOGFILE']):
     # Oh, the user also wants a custom log file -> make sure start.py can access it by setting the correct permissions (777)
     os.chmod(os.environ['LOGFILE'], 0o777)
     logger.error(str(subprocess.check_output(['ls', '-la', os.environ['LOGFILE']])))
-  logger.info("Setting gid to '%s'." % str(new_gid))
+  # Drop actual permissions
+  logger.info(f"Setting gid to {new_gid}")
   os.setgid(new_gid)
-
-  logger.info("Setting uid to '%s'." % str(new_uid))
+  logger.info(f"Setting uid to {new_uid}")
   os.setuid(new_uid)
 
 def change_tz(logger):
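Review bot: The lines under the new `# Drop actual permissions` comment switch gid and uid but never clear the supplementary group list, so after `os.setuid(new_uid)` the process still carries every group the root user had in the image; add `os.setgroups([])` directly before `os.setgid(new_gid)` so the drop is complete. The added `os.chmod` calls inside the `os.walk` loop follow symlinks, as the existing `os.chown` already does, so a link placed inside the mounted database directory would have its target re-moded; guarding with `if os.path.islink(fPath): continue` (and likewise for `dPath`) keeps the changes inside dbPath. The unchanged `os.chmod(os.environ['LOGFILE'], 0o777)` a few lines above still makes the log world-writable, which sits oddly in a hardening commit; an `os.chown(..., new_uid, new_gid)` plus `0o600` would match what the new code does for database files. change_uid_grp begins outside the hunk.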