From 8f7748d1f3ee869355764bee519c910ad6ef5210 Mon Sep 17 00:00:00 2001
From: David Beniamine <david.beniamine@tetras-libre.fr>
Date: Tue, 4 Feb 2025 17:09:45 +0100
Subject: [PATCH] Enforce file permissions

---
 .env.sample          |  3 +++
 docker-compose.yml   |  8 +++++++-
 docker/Dockerfile    |  6 ++++++
 docker/entrypoint.sh | 15 +++++++++++++++
 4 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 docker/Dockerfile
 create mode 100755 docker/entrypoint.sh

diff --git a/.env.sample b/.env.sample
index 6ca4cd9..3525891 100644
--- a/.env.sample
+++ b/.env.sample
@@ -3,9 +3,12 @@ COMPOSE_FILE=docker-compose.yml:dev.yml
 # For prod
 #COMPOSE_FILE=docker-compose.yml:traefik.yml
 NAME=filebrowser
+VERSION=v2
 # Hostname for prod `FQDN` ex HOSTS=`files.example.org`
 HOSTS=
 DEV_PORT=8080
 DATA_PATH=./data/files
 UID=1000
 GID=1000
+DEFAULT_PERMS_DIR=755
+DEFAULT_PERMS_FILE=644
diff --git a/docker-compose.yml b/docker-compose.yml
index 090b97f..36361c6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,8 +2,14 @@ version: "3"
 
 services:
   filebrowser:
-    image: filebrowser/filebrowser:v2
+    build:
+      context:  docker/
+      args:
+        VERSION:
     user: "${UID}:${GID}"
     volumes:
       - ./data/database.db:/database.db
       - ${DATA_PATH}:/srv
+    environment:
+      DEFAULT_PERMS_DIR:
+      DEFAULT_PERMS_FILE:
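Review bot: `DEFAULT_PERMS_DIR:` and `DEFAULT_PERMS_FILE:` are passed through with no fallback, so a deployment whose `.env` predates this change starts the container with both unset. entrypoint.sh then runs `chmod` without a mode, the calls fail, and filebrowser keeps serving files whose permissions were never enforced. Giving both a default in the compose file closes that gap, for example `DEFAULT_PERMS_DIR: ${DEFAULT_PERMS_DIR:-755}` and `DEFAULT_PERMS_FILE: ${DEFAULT_PERMS_FILE:-644}`.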
diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 0000000..2c384c4
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,6 @@
+ARG VERSION=v2
+FROM filebrowser/filebrowser:${VERSION}
+COPY entrypoint.sh /
+RUN apk add inotify-tools
+ENTRYPOINT '/entrypoint.sh'
+
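Review bot: `ENTRYPOINT '/entrypoint.sh'` is the shell form, so the script is started through `/bin/sh -c`, arguments given to the container are dropped, and stop signals may not reach filebrowser directly; the exec form `ENTRYPOINT ["/entrypoint.sh"]` avoids the wrapper shell. `RUN apk add inotify-tools` also leaves the apk index in the layer, which `RUN apk add --no-cache inotify-tools` keeps out. The default `VERSION=v2` is a moving tag, so pinning a specific release or digest would make rebuilds reproducible and make it visible which base image was built on.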
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
new file mode 100755
index 0000000..38aabbf
--- /dev/null
+++ b/docker/entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set_perms() {
+    inotifywait --monitor --recursive --quiet --event create /srv --format "%w%f" | \
+        while read f;do
+            if [ -d "$f" ]; then
+                chmod -R $DEFAULT_PERMS_DIR "$f"
+            else
+                chmod $DEFAULT_PERMS_FILE "$f"
+            fi
+        done
+}
+set_perms &
+exec /filebrowser
+
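Review bot: In set_perms, `chmod -R $DEFAULT_PERMS_DIR "$f"` applies the directory mode to every file under a newly created directory, so with the sample values those files end up 755 rather than 644. The mode variables are expanded unquoted, and `read f` without `-r` alters names that contain backslashes or leading spaces, so some paths are never fixed and the failure is silent. Only `create` events are watched, so entries moved into /srv presumably keep their previous mode; adding the `moved_to` event would cover them. The fence below sets directory and file modes separately.

```shell
set_perms() {
    # … unchanged: inotifywait pipeline feeding the loop …
        while IFS= read -r f; do
            if [ -d "$f" ]; then
                # Directories and the files beneath them each get their own mode.
                find "$f" -type d -exec chmod "$DEFAULT_PERMS_DIR" {} +
                find "$f" -type f -exec chmod "$DEFAULT_PERMS_FILE" {} +
            else
                chmod "$DEFAULT_PERMS_FILE" "$f"
            fi
        done
    # … unchanged: end of function, background start, exec of filebrowser …
```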
-- 
GitLab