From d8691b70766b635becab4494b7d581704c923914 Mon Sep 17 00:00:00 2001
From: Ventz Petkov
Date: Tue, 12 May 2020 02:04:44 -0400
Subject: [PATCH] Locked down permissions for /etc/bind to absolutely needed ones, while still making sure mapped volumes have the needed permissions to start the container

---
 container/entrypoint.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/container/entrypoint.sh b/container/entrypoint.sh
index 04796a3..2460bc8 100755
--- a/container/entrypoint.sh
+++ b/container/entrypoint.sh
@@ -5,8 +5,8 @@ OPTIONS=$@
 # The first time around, it will not be owned by named:named, and thus it won't be writable
 chown -R root:named /etc/bind /var/run/named
 chown -R named:named /var/cache/bind
-chmod 770 /var/cache/bind /var/run/named
-chmod -R 750 /etc/bind
+chmod -R 770 /etc/bind /var/cache/bind /var/run/named
+find /etc/bind /var/cache/bind -type f -exec chmod 640 -- {} +
 # By default - run in foreground and log to STDERR (console)
 # can be changed by running container with: -e "BIND_LOG=-f"
 exec /usr/sbin/named -c /etc/bind/named.conf $BIND_LOG -u named $OPTIONS
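Review bot: The directory bits on /etc/bind go from 750 to 770 in the added `chmod -R 770 /etc/bind /var/cache/bind /var/run/named`, which gives the `named` group write access to the configuration directory even though the subject line describes a lock-down. Because named runs as `-u named` (the exec line in the hunk context), write on the directory lets that process remove, rename or replace entries such as named.conf regardless of the 640 that the following `find` sets on the files, so a compromised named could persistently alter its own configuration and any key material kept there. Unless dynamic zones are written under /etc/bind, keep the directory read-only for the group and reserve 770 for the runtime paths: `chmod -R 750 /etc/bind` followed by `chmod -R 770 /var/cache/bind /var/run/named`, with the `find` line unchanged. If group write on /etc/bind really is required for the mapped-volume case mentioned in the subject, a comment above the chmod stating that reason would keep the next reader from tightening it back.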