Expected Behavior
ini files in dns-conf should default to permissions of 600 to limit what users can read these files containing API keys, registrar/DNS account credentials, etc.
Current Behavior
Default permissions when building the container are 644:
user@server:/opt/docker/nginx_reverseproxy/dns-conf$ ll
total 80
drwxr-xr-x 2 docker_runner docker_runner 4096 Feb 1 15:49 ./
drwxr-xr-x 12 docker_runner docker_runner 4096 Feb 24 09:28 ../
-rw-r--r-- 1 docker_runner docker_runner 264 Oct 10 15:54 cloudflare.ini
-rw-r--r-- 1 docker_runner docker_runner 247 Oct 10 15:54 cloudxns.ini
-rw-r--r-- 1 docker_runner docker_runner 331 Feb 1 15:49 cpanel.ini
-rw-r--r-- 1 docker_runner docker_runner 245 Oct 10 15:54 digitalocean.ini
-rw-r--r-- 1 docker_runner docker_runner 201 Oct 10 15:54 dnsimple.ini
-rw-r--r-- 1 docker_runner docker_runner 283 Oct 10 15:54 dnsmadeeasy.ini
-rw-r--r-- 1 docker_runner docker_runner 292 Jan 16 14:13 domeneshop.ini
-rw-r--r-- 1 docker_runner docker_runner 135 Jan 11 09:29 gandi.ini
-rw-r--r-- 1 docker_runner docker_runner 178 Oct 10 15:54 google.ini
-rw-r--r-- 1 docker_runner docker_runner 208 Dec 12 14:57 google.json
-rw-r--r-- 1 docker_runner docker_runner 344 Oct 10 15:54 inwx.ini
-rw-r--r-- 1 docker_runner docker_runner 226 Dec 3 11:17 linode.ini
-rw-r--r-- 1 docker_runner docker_runner 232 Oct 10 15:54 luadns.ini
-rw-r--r-- 1 docker_runner docker_runner 182 Oct 10 15:54 nsone.ini
-rw-r--r-- 1 docker_runner docker_runner 341 Oct 10 15:54 ovh.ini
-rw-r--r-- 1 docker_runner docker_runner 429 Oct 10 15:54 rfc2136.ini
-rw-r--r-- 1 docker_runner docker_runner 258 Oct 10 15:54 route53.ini
-rw-r--r-- 1 docker_runner docker_runner 402 Dec 3 11:17 transip.ini
Environment
OS: Ubuntu 18.04.4 LTS
CPU architecture: x86_64
How docker service was installed:
sudo apt install docker docker-compose
Command used to create docker container (run/create/compose/screenshot)
sudo docker-compose up -d letsencrypt
Docker logs
-------------------------------------
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 999
User gid: 999
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=999
PGID=999
TZ=US/Central
URL=domain.com
SUBDOMAINS=item1,item2
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=4096
VALIDATION=
DNSPLUGIN=
EMAIL=user@domain.com
STAGING=
VALIDATION parameter not set; setting it to http
4096 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d item1.domain.com -d item2.domain.com
E-mail address entered: user@domain.com
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready
To add to this, the folder is 755 and should either be 750 or 700 depending on whether the group needs access. This also implies that if the group needs access the files should be 640 rather than 600.
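The two permission schemes discussed in the report and the comment (700/600, or 750/640 when the group needs read access) as an added audit-and-fix script; this is example code, not part of the linuxserver/letsencrypt image, and it assumes GNU `stat -c '%a'` and the dns-conf directory path passed as its first argument.

```shell
#!/bin/sh
# Added example: check a certbot dns-conf directory for credential files that
# are readable by group/others, and tighten them to the modes proposed above.
# Assumes GNU stat; the directory path is $1, optional second arg "group".

# too_open MODE [group]: returns 0 (true) when the group/other bits of MODE
# exceed what is allowed: nothing at all, or read-only for the group when
# "group" is given (640 for files, 750 for the directory).
too_open() {
    go=${1#${1%??}}                 # last two octal digits = group and other bits
    case "$2:$go" in
        group:00|group:40|group:50) return 1 ;;
        :00)                        return 1 ;;
        *)                          return 0 ;;
    esac
}

# audit_dns_conf DIR [group]: prints every offending path, returns 1 if any.
audit_dns_conf() {
    dir="$1"; allow="${2:-}"; bad=0
    if too_open "$(stat -c '%a' "$dir")" "$allow"; then
        echo "directory too open: $dir ($(stat -c '%a' "$dir"))"; bad=1
    fi
    for f in "$dir"/*.ini "$dir"/*.json; do
        [ -e "$f" ] || continue    # unmatched glob stays literal; skip it
        mode=$(stat -c '%a' "$f")
        if too_open "$mode" "$allow"; then
            echo "credential file too open: $f ($mode)"; bad=1
        fi
    done
    return "$bad"
}

# tighten_dns_conf DIR [group]: apply 700/600, or 750/640 with "group".
tighten_dns_conf() {
    dir="$1"
    if [ "${2:-}" = group ]; then dmode=750; fmode=640; else dmode=700; fmode=600; fi
    chmod "$dmode" "$dir"
    for f in "$dir"/*.ini "$dir"/*.json; do
        [ -e "$f" ] || continue
        chmod "$fmode" "$f"
    done
    return 0
}
```

Run `audit_dns_conf /opt/docker/nginx_reverseproxy/dns-conf` from a cron job or CI step to catch a regression after the container is rebuilt, since the image recreates these files with 644.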