tomsquest / docker-radicale

Docker image for Radicale calendar and contact server :calendar: + security :closed_lock_with_key: + addons :rocket:
GNU General Public License v3.0

`/config` could be readonly #33

Closed tomsquest closed 6 years ago

tomsquest commented 6 years ago

Currently, /config is writeable (chmod 700 /config). As Radicale should only be able to write in /data, this could be a good idea.

@robertbeal what do you think of it? Good idea?

robertbeal commented 6 years ago

Definitely. 400 (r) or 500 (rx) rights? I guess 400 would be preferable, hope that's enough for Radicale.

When mounting the config, the user can specify :ro, but I think it's good practice to set it correctly in the container, especially if someone runs off the default config.

tomsquest commented 6 years ago

Currently, /config is owned by radicale, but /config/config is owned by root (even with the chmod 700), because the COPY config... is done after the chmod. The resulting rights for /config/config are: 554 root:root.

I am working on it.
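
A check for the state this thread is aiming for, as an added example that is not code from the docker-radicale repository: it audits a tree that should be read-only at runtime for write bits, for directories missing the owner search bit (the 400 versus 500 question above), and optionally for entries owned by the runtime user. It assumes a POSIX `find`; the function names and the optional runtime-user argument are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the docker-radicale repository.
# Audits mode bits and ownership (not effective access), so results are
# the same when run as root, e.g. in a Dockerfile RUN step or CI job.

# Entries under $1 that carry any write bit (owner, group or other).
writable_entries() {
    find "$1" \( -perm -200 -o -perm -020 -o -perm -002 \) -print 2>/dev/null || true
}

# Directories under $1 whose owner lacks the search (x) bit, e.g. mode 400:
# a non-root owner cannot open the files inside them.
unsearchable_dirs() {
    find "$1" -type d ! -perm -100 -print 2>/dev/null || true
}

# Entries under $1 owned by user $2 (name or numeric uid). The owner can
# chmod its own files back to writable, so mode bits alone do not bind it.
owned_by() {
    find "$1" -user "$2" -print 2>/dev/null || true
}

# Usage: audit_readonly_tree DIR [RUNTIME_USER]
# Prints findings; returns 0 if DIR is read-only and traversable, else 1.
audit_readonly_tree() {
    rc=0
    out=$(writable_entries "$1")
    [ -z "$out" ] || { printf '%s\n' "$out" | sed 's/^/writable: /'; rc=1; }
    out=$(unsearchable_dirs "$1")
    [ -z "$out" ] || { printf '%s\n' "$out" | sed 's/^/no search bit: /'; rc=1; }
    if [ -n "${2:-}" ]; then
        out=$(owned_by "$1" "$2")
        [ -z "$out" ] || { printf '%s\n' "$out" | sed 's/^/owned by runtime user: /'; rc=1; }
    fi
    return "$rc"
}
```

Run it against the final image contents, after the last `COPY`, since files copied later carry their own owner and mode, as the last comment describes.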