authorEgor Tensin <Egor.Tensin@gmail.com>2022-12-03 03:39:44 +0100
committerEgor Tensin <Egor.Tensin@gmail.com>2022-12-03 03:39:44 +0100
commit3c4941bb88ac6bcfd93e297a922be4b80b8991ea (patch)
treea569764896bfecd6c72d9c757bb5867cac690e7b
parentdocker: refactor entrypoint.sh (diff)
downloadcgitize-3c4941bb88ac6bcfd93e297a922be4b80b8991ea.tar.gz
cgitize-3c4941bb88ac6bcfd93e297a922be4b80b8991ea.zip
docker: chmod o-rwx the output directory
-rw-r--r--docker/Dockerfile3
-rwxr-xr-xdocker/entrypoint.sh8
-rwxr-xr-xdocker/get_output_dir.py25
3 files changed, 35 insertions, 1 deletions
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 08b7ad4..6bc6847 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -14,13 +14,14 @@ LABEL maintainer="Egor Tensin <Egor.Tensin@gmail.com>"
RUN apk add --no-cache bash git openssh-client python3 tini
COPY --from=build ["/deps", "/deps/"]
-ENV PYTHONPATH="/deps"
+ENV PYTHONPATH="/deps:/usr/src"
ARG ssh_sock_dir=/
ARG ssh_sock_path="$ssh_sock_dir/ssh-agent.sock"
ENV SSH_AUTH_SOCK "$ssh_sock_path"
COPY ["docker/entrypoint.sh", "/"]
+COPY ["docker/get_output_dir.py", "/"]
COPY ["cgitize/", "/usr/src/cgitize/"]
WORKDIR /usr/src
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 5674e36..61ecd1e 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -8,6 +8,13 @@
set -o errexit -o nounset -o pipefail
readonly base_dir=/usr/src
+readonly cfg_path=/etc/cgitize/cgitize.toml
+
+secure_repo_dir() {
+ local dir
+ dir="$( /get_output_dir.py -- "$cfg_path" )"
+ chmod -- o-rwx "$dir"
+}
schedule_to_cron() {
local schedule
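Review bot: `secure_repo_dir` assumes the configured output directory already exists at container start; under `set -o errexit` a failing `chmod` (for example on a first run with an empty volume) aborts `main` before `setup_cron_task` runs. Whether cgitize or the image creates the directory earlier is not visible in this hunk, so it may be worth adding `mkdir -p -- "$dir"` before the `chmod`. Only the top-level directory's mode is changed, which is enough to block traversal by other users but leaves the modes of the files inside it as they were, and the directory keeps its previous mode until the entrypoint has run. A one-line comment above the function, such as `# Deny "other" users access to the cgitize output directory.`, would record the intent.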
@@ -55,6 +62,7 @@ setup_cron_task() {
}
main() {
+ secure_repo_dir
setup_cron_task "$@"
}
diff --git a/docker/get_output_dir.py b/docker/get_output_dir.py
new file mode 100755
index 0000000..9c21a72
--- /dev/null
+++ b/docker/get_output_dir.py
@@ -0,0 +1,25 @@
+#!/usr/bin/env python
+
+from argparse import ArgumentParser
+import sys
+
+from cgitize.config import Config
+
+
+def parse_args(argv=None):
+ if argv is None:
+ argv = sys.argv[1:]
+ parser = ArgumentParser()
+ parser.add_argument('config', metavar='PATH',
+ help='config file path')
+ return parser.parse_args(argv)
+
+
+def main(argv=None):
+ args = parse_args(argv)
+ cfg = Config.read(args.config)
+ print(cfg.main.output_dir)
+
+
+if __name__ == '__main__':
+ main()
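Review bot: `main` prints `cfg.main.output_dir` verbatim and `entrypoint.sh` passes that string straight to `chmod`, so an empty value makes the entrypoint fail and a relative one is resolved against the container's working directory rather than a fixed location. Whether `Config` already normalizes the path is not visible here; if it does not, rejecting an empty value and printing `os.path.abspath(cfg.main.output_dir)` (with `import os`) would make sure the permission change lands on the intended directory. A module docstring saying that the script exists only so `entrypoint.sh` can look up the output directory would help the next reader. The shebang names `python` while the Dockerfile installs `python3`; that presumably resolves in the base image, but `#!/usr/bin/env python3` would not depend on it.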