Skip to content

Commit 25b3034

Browse files
tianontianon
committed
Update permissions from 777 to 1777
This still supports the "arbitrary user" use case but with slightly tighter permissions on the end result. This one is a little bit more "special" other images (due to the existing runtime/entrypoint modification of the directory modes) so I've tried to pick reasonable values for both halves.
1 parent 156d065 commit 25b3034

17 files changed

+34
-34
lines changed

11/alpine/Dockerfile

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

11/alpine/docker-entrypoint.sh

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

11/bullseye/docker-entrypoint.sh

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

12/alpine/Dockerfile

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

12/alpine/docker-entrypoint.sh

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

12/bullseye/docker-entrypoint.sh

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

13/alpine/Dockerfile

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

13/alpine/docker-entrypoint.sh

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

13/bullseye/docker-entrypoint.sh

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

14/alpine/Dockerfile

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

14/alpine/docker-entrypoint.sh

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

14/bullseye/docker-entrypoint.sh

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

15/alpine/Dockerfile

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

15/alpine/docker-entrypoint.sh

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

15/bullseye/docker-entrypoint.sh

+2-2
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

Dockerfile-alpine.template

+2-2
Original file line numberDiff line numberDiff line change
@@ -161,11 +161,11 @@ RUN set -eux; \
161161
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
162162
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
163163

164-
RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
164+
RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
165165

166166
ENV PGDATA /var/lib/postgresql/data
167167
# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
168-
RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
168+
RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
169169
VOLUME /var/lib/postgresql/data
170170

171171
COPY docker-entrypoint.sh /usr/local/bin/

docker-entrypoint.sh

+2-2
Original file line numberDiff line numberDiff line change
@@ -38,11 +38,11 @@ docker_create_db_directories() {
3838

3939
mkdir -p "$PGDATA"
4040
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
41-
chmod 700 "$PGDATA" || :
41+
chmod 00700 "$PGDATA" || :
4242

4343
# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
4444
mkdir -p /var/run/postgresql || :
45-
chmod 775 /var/run/postgresql || :
45+
chmod 03775 /var/run/postgresql || :
4646

4747
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
4848
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then

0 commit comments

Comments
 (0)