Fixes #2: Restrict file/directory permissions (#10)

Co-authored-by: Jay Rogers <[email protected]>

Author: cowwoc

src/Dockerfile

@@ -6,6 +6,6 @@ ENV CERTBOT_DOMAIN="" \
     CLOUDFLARE_API_TOKEN="" \
     RENEWAL_INTERVAL=43200
 
-COPY --chmod=755 entrypoint.sh /entrypoint.sh
+COPY --chmod=700 entrypoint.sh /entrypoint.sh
 
 ENTRYPOINT ["/entrypoint.sh"]

src/entrypoint.sh

@@ -1,5 +1,11 @@
 #!/bin/sh
 
+# Permissions must be created after volumes have been mounted; otherwise, windows file system permissions will override
+# the permissions set within the container.
+mkdir -p /etc/letsencrypt/accounts /var/log/letsencrypt /var/lib/letsencrypt
+chmod 755 /etc/letsencrypt /var/lib/letsencrypt
+chmod 700 /etc/letsencrypt/accounts /var/log/letsencrypt
+
 cat << "EOF"
  ____________________
 < Certbot, activate! >
@@ -43,7 +49,8 @@ run_certbot() {
         --key-type "$CERTBOT_KEY_TYPE" \
         --email "$CERTBOT_EMAIL" \
         --agree-tos \
-        --non-interactive
+        --non-interactive \
+        --strict-permissions
     exit_code=$?
     if [ $exit_code -ne 0 ]; then
         echo "Error: certbot command failed with exit code $exit_code"