From 95538fe956a627a0f81f314c3591b293ad2ea34c Mon Sep 17 00:00:00 2001
From: Michael Eischer
Date: Mon, 14 Apr 2025 22:25:59 +0200
Subject: [PATCH] restrict umask of htpasswd file
---
 changelog/unreleased/issue-318 | 13 +++++++++++++
 docker/entrypoint.sh | 2 +-
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 changelog/unreleased/issue-318
diff --git a/changelog/unreleased/issue-318 b/changelog/unreleased/issue-318
new file mode 100644
index 0000000..b19845e
--- /dev/null
+++ b/changelog/unreleased/issue-318
@@ -0,0 +1,13 @@
+Security: Fix world-readable permissions on new `.htpasswd` files
+
+On startup the rest-server Docker container creates an empty `.htpasswd` file
+if none exists yet. This file was world-readable by default, which can be
+a security risk, even though the file only contains hashed passwords.
+
+This has been fixed such that new `.htpasswd` files are no longer world-readabble.
+
+The permissions of existing `.htpasswd` files must be manually changed
+if relevant in your setup.
+
+https://github.com/restic/rest-server/issues/318
+https://github.com/restic/rest-server/pull/340
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index b7dcef3..3a42f45 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -6,7 +6,7 @@ if [ -n "$DISABLE_AUTHENTICATION" ]; then
 OPTIONS="--no-auth $OPTIONS"
 else
 if [ ! -f "$PASSWORD_FILE" ]; then
- touch "$PASSWORD_FILE"
+ ( umask 027 && touch "$PASSWORD_FILE" )
 fi
 if [ ! -s "$PASSWORD_FILE" ]; then
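Review bot: `umask 027` on the added line still leaves the new `.htpasswd` group-readable (mode 0640), so any account that shares the creating process's group can read the password hashes; if nothing in the image needs group access, `( umask 077 && touch "$PASSWORD_FILE" )` would give 0600 instead. If group read is intentional, a one-line comment such as `# subshell keeps the umask local to this touch; group read is kept on purpose` would record both the scoping and the choice. Because the change sits behind `[ ! -f "$PASSWORD_FILE" ]`, a file created by an earlier image keeps its old mode, as the changelog notes; a startup warning when an existing file is world-readable would surface that to operators instead of relying on them reading the changelog. The enclosing if/else starts and ends outside the hunk, so this is based only on the lines shown.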