fix(docker): improve world-writable permission check robustness

Replace brittle stat/regex check with find -perm -0002 which correctly handles directories with sticky/setgid bits (e.g., mode 1777). Use chmod o-w instead of chmod 755 to preserve special bits when fixing permissions, only removing the world-writable bit. Fixes review feedback from Copilot on PR #550.
2026-01-25 16:07:10 +00:00
parent ba900e20c5
commit 07d35dcc89
1 changed files with 7 additions and 5 deletions
--- a/.docker/docker-entrypoint.sh
+++ b/.docker/docker-entrypoint.sh
@@ -51,14 +51,16 @@ mkdir -p /app/data/geoip 2>/dev/null || true
 PLUGINS_DIR="${CHARON_PLUGINS_DIR:-/app/plugins}"
 if [ -d "$PLUGINS_DIR" ]; then
    # Check if directory is world-writable (security risk)
-    if [ "$(stat -c '%a' "$PLUGINS_DIR" 2>/dev/null | grep -c '.[0-9][2367]$')" -gt 0 ]; then
+    # Using find -perm -0002 is more robust than stat regex - handles sticky/setgid bits correctly
+    if find "$PLUGINS_DIR" -maxdepth 0 -perm -0002 -print -quit 2>/dev/null | grep -q .; then
        echo "⚠️  WARNING: Plugin directory $PLUGINS_DIR is world-writable!"
        echo "   This is a security risk - plugins could be injected by any user."
-        echo "   Attempting to fix permissions..."
-        if chmod 755 "$PLUGINS_DIR" 2>/dev/null; then
-            echo "   ✓ Fixed: Plugin directory permissions set to 755"
+        echo "   Attempting to fix permissions (removing world-writable bit)..."
+        # Use chmod o-w to only remove world-writable, preserving sticky/setgid bits
+        if chmod o-w "$PLUGINS_DIR" 2>/dev/null; then
+            echo "   ✓ Fixed: Plugin directory world-writable permission removed"
        else
-            echo "   ✗ ERROR: Cannot fix permissions. Please run: chmod 755 $PLUGINS_DIR"
+            echo "   ✗ ERROR: Cannot fix permissions. Please run: chmod o-w $PLUGINS_DIR"
            echo "   Plugin loading may fail due to insecure permissions."
        fi
    else