Permissions of `./fs_overlay/**`

[MarcelWaldvogel]

While looking at log rotation for #262, I noticed the following message in /var/log/nginx/logrotate.log:

Potentially dangerous mode on /etc/logrotate.d/nginx: 0664
error: Ignoring /etc/logrotate.d/nginx because it is writable by group or others.

In my image, /etc/logrotate.d/nginx had mode 0664; after changing to 0644, the error message was gone. (It still did not do a rotation, because it only recently had rotated).

Your official image has the right permissions.

However, images generated by someone with umask 002 or having done a chmod to this (and maybe) other files in ./fs_overlay might result in an image with subtle bugs, such as not rotating logs.

So, before or after the COPY ./fs_overlay /, permissions should be normalized:

• Before has the advantage that the docker image will be smaller; however, this would mean modifying the user's files.
• After requires some more space and layers, but does not touch user files and can be done from within the Dockerfile (see the RUN chmod a+x /bin/* just after).

I think we also need a RUN chmod -R u=rwX,go=rX /etc (and maybe others) or similar. What do you think?

[SteveLTN]

COPY command supports --chown argument. But --chmod is only release very recently.

For time time being, I think we should do it in Dockerfile.

Being slightly larger in image size isn't really a concern to me. But I don't want it to depend on user's filesystem (what if they use Windows🤷‍♂️)

[SteveLTN]

I put a chmod in dockerfile now.