Minimise user write access to container service files

[Callum027]

This PR reduces the number of files that the container user is given write access to before the user jail is started.

This reduces the risk of files being modified by potential attackers if they managed to break into the container environment (through, for example, a vulnerability in Palworld.)

The following files/directories have had their ownership changed to root:root:

• /entrypoint.sh
• /PalWorldSettings.ini.template
• /scripts
• /includes

The container user still has full read access to these files. PalWorldSettings.ini.template is still copied by the user to the Palworld config dir (with correct ownership), and server.sh can set configuration values in it without issues. The only thing that has changed is that the container user can no longer modify these files.

PalWorldSettings.ini.template and rcon.yaml have also had execute permissions removed, as they do not need to be executable.

[Callum027]

Confirmed that Palworld Dedicated Server is working correctly:

root@palworld1:/opt/palworld-dedicated-server# docker compose down && docker compose up -d && docker logs -f palworld-dedicated-server 
[+] Running 3/3
 ✔ Container palworld-exporter                Removed                                                                                                                                                                                            10.4s 
 ✔ Container palworld-dedicated-server        Removed                                                                                                                                                                                             1.1s 
 ✔ Network palworld-dedicated-server_default  Removed                                                                                                                                                                                             0.3s 
[+] Running 2/3
 ⠹ Network palworld-dedicated-server_default  Created                                                                                                                                                                                             1.3s 
 ✔ Container palworld-dedicated-server        Started                                                                                                                                                                                             0.7s 
 ✔ Container palworld-exporter                Started                                                                                                                                                                                             1.1s 
> Current steam user PUID is '1000' and PGID is '1000'
> Setting new steam user PUID to '1002' and PGID to '1002'
> id steam: uid=1002(steam) gid=1002(steam) groups=1002(steam)
>>> Starting server manager
> Started at: 2024-03-02 22:05:21
> Checking for existence of default credentials
> No default passwords found
>>> Doing an update with validation of the gameserver files...
> Player detection thread started with pid 34
> Server main thread started with pid 33
tid(41) burning pthread_key_t == 0 so we never use it
Redirecting stderr to '/home/steam/Steam/logs/stderr.txt'
Logging directory: '/home/steam/Steam/logs'
[  0%] Checking for available updates...
[----] Verifying installation...
[  0%] Downloading update...
[  0%] Checking for available updates...
[----] Download complete.
[----] Extracting package...
[----] Extracting package...
[----] Extracting package...
[----] Extracting package...
[----] Installing update...
[----] Installing update...
[----] Installing update...
[----] Installing update...
[----] Installing update...
[----] Installing update...
[----] Installing update...
[----] Installing update...
[----] Cleaning up...
[----] Update complete, launching Steamcmd...
steamcmd.sh[35]: Restarting steamcmd by request...
UpdateUI: skip show logotid(54) burning pthread_key_t == 0 so we never use it
Redirecting stderr to '/home/steam/Steam/logs/stderr.txt'
Logging directory: '/home/steam/Steam/logs'
[  0%] Checking for available updates...
[----] Verifying installation...
UpdateUI: skip show logoSteam Console Client (c) Valve Corporation - version 1709170084
-- type 'quit' to exit --
Loading Steam API...OK

Connecting anonymously to Steam Public...OK
Waiting for client config...OK
Waiting for user info...OK
 Update state (0x3) reconfiguring, progress: 0.00 (0 / 0)
 Update state (0x3) reconfiguring, progress: 0.00 (0 / 0)
 Update state (0x3) reconfiguring, progress: 0.00 (0 / 0)
 Update state (0x5) verifying install, progress: 16.36 (369896560 / 2260984574)
 Update state (0x5) verifying install, progress: 43.26 (978030032 / 2260984574)
 Update state (0x5) verifying install, progress: 68.85 (1556739286 / 2260984574)
 Update state (0x5) verifying install, progress: 93.45 (2112813102 / 2260984574)
Success! App '2394010' fully installed.
>>> Done updating and validating the gameserver files
>>> Adding crons to Supercronic
> Added backup cron
>>> Supercronic started
>>> SERVER_SETTINGS_MODE is set to 'auto', using environment variables to configure the server
>>> Setting up Engine.ini ...
> Checking if config already exists...
> Found existing config!
> Found [/Script/OnlineSubsystemUtils.IpNetDriver] section
> Found NetServerMaxTickRate parameter, changing it to '60'
>>> Finished setting up Engine.ini!
>>> Setting up PalWorldSettings.ini ...
time="2024-03-02T22:05:50+13:00" level=info msg="read crontab: cronlist"
> Copying PalWorldSettings.ini.template to /palworld/Pal/Saved/Config/LinuxServer/PalWorldSettings.ini
> Setting Difficulty to 'None'
> Setting DayTimeSpeedRate to '1.000000'
> Setting NightTimeSpeedRate to '1.000000'
> Setting ExpRate to '1.300000'
> Setting PalCaptureRate to '2.000000'
> Setting PalSpawnNumRate to '1.000000'
> Setting PalDamageRateAttack to '1.000000'
> Setting PalDamageRateDefense to '1.000000'
> Setting PlayerDamageRateAttack to '1.500000'
> Setting PlayerDamageRateDefense to '0.700000'
> Setting PlayerStomachDecreaceRate to '1.000000'
> Setting PlayerStaminaDecreaceRate to '1.000000'
> Setting PlayerAutoHPRegeneRate to '1.000000'
> Setting PlayerAutoHpRegeneRateInSleep to '1.000000'
> Setting PalStomachDecreaceRate to '0.000000'
> Setting PalStaminaDecreaceRate to '1.000000'
> Setting PalAutoHPRegeneRate to '1.000000'
> Setting PalAutoHpRegeneRateInSleep to '1.000000'
> Setting BuildObjectDamageRate to '1.000000'
> Setting BuildObjectDeteriorationDamageRate to '1.000000'
> Setting CollectionDropRate to '2.000000'
> Setting CollectionObjectHpRate to '1.000000'
> Setting CollectionObjectRespawnSpeedRate to '1.000000'
> Setting EnemyDropItemRate to '2.000000'
> Setting DeathPenalty to 'None'
> Setting bEnablePlayerToPlayerDamage to 'false'
> Setting bEnableFriendlyFire to 'false'
> Setting bEnableInvaderEnemy to 'false'
> Setting bActiveUNKO to 'false'
> Setting bEnableAimAssistPad to 'true'
> Setting bEnableAimAssistKeyboard to 'false'
> Setting DropItemMaxNum to '3000'
> Setting DropItemMaxNum_UNKO to '100'
> Setting BaseCampMaxNum to '128'
> Setting BaseCampWorkerMaxNum to '15'
> Setting DropItemAliveMaxHours to '1.000000'
> Setting bAutoResetGuildNoOnlinePlayers to 'false'
> Setting AutoResetGuildTimeNoOnlinePlayers to '72.000000'
> Setting GuildPlayerMaxNum to '20'
> Setting PalEggDefaultHatchingTime to '2.000000'
> Setting WorkSpeedRate to '1.000000'
> Setting bIsMultiplay to 'false'
> Setting bIsPvP to false
> Setting bCanPickupOtherGuildDeathPenaltyDrop to 'false'
> Setting bEnableNonLoginPenalty to 'true'
> Setting bEnableFastTravel to 'true'
> Setting bIsStartLocationSelectByMap to 'true'
> Setting bExistPlayerAfterLogout to 'false'
> Setting bEnableDefenseOtherGuildPlayer to 'false'
> Setting CoopPlayerMaxNum to '4'
> Setting max-players to '32'
> Setting server name to '[REDACTED]'
> Setting server description to '[REDACTED]'
> Setting server admin password to [REDACTED]
> Setting server password to [REDACTED]
> Setting public port to '8211'
> Setting public ip to '[REDACTED]'
> Setting rcon-enabled to 'true'
> Setting RCONPort to '25575'
> Setting Region to ''
> Setting bUseAuth to 'true'
> Setting BanListURL to 'https://api.palworldgame.com/api/banlist.txt'
> Setting bShowPlayerList to 'false'
>>> Finished setting up PalWorldSettings.ini
>>> RCON is enabled - Setting up rcon.yaml ...
>>> Finished setting up 'rcon.yaml' config file
>>> Preparing to start the gameserver
> Setting Multi-Core-Enhancements to enabled
> Enabling RCON port
>>> Starting the gameserver
Shutdown handler: initalize.
- Existing per-process limit (soft=1048576, hard=1048576) is enough for us (need only 1048576)
Increasing per-process limit of core file size to infinity.
- Existing per-process limit (soft=18446744073709551615, hard=18446744073709551615) is enough for us (need only 18446744073709551615)
[S_API] SteamAPI_Init(): Loaded local 'steamclient.so' OK.
CAppInfoCacheReadFromDiskThread took 10 milliseconds to initialize
Setting breakpad minidump AppID = 2394010
[S_API FAIL] Tried to access Steam interface SteamUser021 before SteamAPI_Init succeeded.
[S_API FAIL] Tried to access Steam interface SteamFriends017 before SteamAPI_Init succeeded.
[S_API FAIL] Tried to access Steam interface STEAMAPPS_INTERFACE_VERSION008 before SteamAPI_Init succeeded.
[S_API FAIL] Tried to access Steam interface SteamNetworkingUtils004 before SteamAPI_Init succeeded.

Confirmed that all files have correct permissions within the container:

root@76e3063fdc3d:/home/steam/steamcmd# ls -ld /includes /scripts /entrypoint.sh /PalWorldSettings.ini.template 
-rwxr-xr-x 1 root root 1765 Mar  2 22:03 /PalWorldSettings.ini.template
-rwxr-xr-x 1 root root  959 Mar  2 22:03 /entrypoint.sh
drwxr-xr-x 2 root root 4096 Mar  2 22:03 /includes
drwxr-xr-x 2 root root 4096 Feb 27 19:11 /scripts
root@76e3063fdc3d:/home/steam/steamcmd# ls -l /palworld/Pal/Saved/Config/LinuxServer/PalWorldSettings.ini 
-rwxr-xr-x 1 steam steam 1919 Mar  2 22:05 /palworld/Pal/Saved/Config/LinuxServer/PalWorldSettings.ini

[jammsen]

LGTM, this will be merged when the other PRs will get more to the finishline too, that way i have less testing overhead.