Merge pull request #1175 from gliderlabs/file-perms

Ensure all file permissions are set to specified unprivileged user
gliderlabs · Mar 28, 2024 · 9b62f6d · 9b62f6d
2 parents ae1acae + fa8df04
commit 9b62f6d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 3 deletions.
diff --git a/include/buildpack.bash b/include/buildpack.bash
@@ -162,6 +162,9 @@ buildpack-setup() {
   # shellcheck disable=SC2154
   usermod --home "$HOME" "$unprivileged_user" >/dev/null 2>&1
 
+  # shellcheck disable=SC2154
+  chown "$unprivileged_user:$unprivileged_group" "$HOME"
+
   # Prepare permissions quicker for slower filesystems
   # vars defined in outer scope
   # shellcheck disable=SC2154
@@ -191,16 +194,18 @@ buildpack-execute() {
   cd "$build_path" || return 1
   unprivileged "$selected_path/bin/compile" "$build_path" "$cache_path" "$env_path"
   if [[ -f "$selected_path/bin/release" ]]; then
-    unprivileged "$selected_path/bin/release" "$build_path" "$cache_path" >"$build_path/.release"
+    unprivileged "$selected_path/bin/release" "$build_path" "$cache_path" | unprivileged tee "$build_path/.release" >/dev/null
   fi
   if [[ -f "$build_path/.release" ]]; then
     config_vars="$(cat "$build_path/.release" | yaml-get config_vars)"
+    unprivileged touch "$build_path/.profile.d/00_config_vars.sh"
     if [[ "$config_vars" ]]; then
       mkdir -p "$build_path/.profile.d"
+      chown "$unprivileged_user:$unprivileged_group" "$build_path/.profile.d"
       OIFS=$IFS
       IFS=$'\n'
       for var in $config_vars; do
-        echo "export $(echo "$var" | sed -e 's/=/="/' -e 's/$/"/')" >>"$build_path/.profile.d/00_config_vars.sh"
+        echo "export $(echo "$var" | sed -e 's/=/="/' -e 's/$/"/')" | unprivileged tee -a "$build_path/.profile.d/00_config_vars.sh" >/dev/null
       done
       IFS=$OIFS
     fi

diff --git a/include/procfile.bash b/include/procfile.bash
@@ -75,7 +75,8 @@ procfile-types() {
     # shellcheck disable=SC2154
     [[ "$default_types" ]] && echo "Default types for $selected_name -> ${default_types// /, }"
     for type in $default_types; do
-      echo "$type: $(cat "$app_path/.release" | yaml-get default_process_types "$type")" >>"$app_path/Procfile"
+      unprivileged touch "$app_path/Procfile"
+      echo "$type: $(cat "$app_path/.release" | yaml-get default_process_types "$type")" | unprivileged tee -a "$app_path/Procfile" >/dev/null
     done
     return
   fi
@@ -102,6 +103,8 @@ procfile-load-profile() {
     source "$file"
   done
   mkdir -p "$app_path/.profile.d"
+  # shellcheck disable=SC2154
+  chown "$unprivileged_user:$unprivileged_group" "$app_path/.profile.d"
   for file in "$app_path/.profile.d"/*.sh; do
     # shellcheck disable=SC1090
     source "$file"
@@ -116,7 +119,10 @@ procfile-load-profile() {
 
 procfile-setup-home() {
   export HOME="$app_path"
+  # shellcheck disable=SC2154
   usermod --home "$app_path" "$unprivileged_user" >/dev/null 2>&1
+  # shellcheck disable=SC2154
+  chown "$unprivileged_user:$unprivileged_group" "$app_path"
   if [[ "$HEROKUISH_DISABLE_CHOWN" == "true" ]]; then
     # unprivileged_user & unprivileged_group are defined in outer scope
     # shellcheck disable=SC2154