Potential security weakness: .htpasswd is global readable on docker image

[lfse-slafleur]

Output of rest-server --version

rest-server version rest-server 0.13.0 compiled with go1.22.5 on linux/amd64

How did you run rest-server exactly?

Using docker & docker-compose

services:
  restic-rest-server_prod:
    image: restic/rest-server
    ports:
      - "127.0.0.1:8000:8000"
    volumes:
      - "/backup-prod:/data"
    environment:
      data_directory: /data/

What backend/server/service did you use to store the repository?

VPS

Expected behavior

.htpasswd should have the following permissions which prevents anyone but the creating user from reading the file:
-rw-r----- 1 root root 73 Dec 23 22:58 .htpasswd

Actual behavior

.htpasswd is created with global read permissions
-rw-r--r-- 1 root root 73 Dec 23 22:58 .htpasswd

Steps to reproduce the behavior

• Start docker
• Add a user with docker exec <container_name> create_user <user_name> <password

Do you have any idea what may have caused this?

Default file premissions are not changed by the server.

Do you have an idea how to solve the issue?

The file is created here:

rest-server/docker/entrypoint.sh

Line 9 in 2513a69

touch "$PASSWORD_FILE"

We should add a chmod 640 "$PASSWORD_FILE"

Did rest-server help you today? Did it make you happy in any way?

Very much. Much easier to maintain and use than AWS in a WORM setup and allows for selfhosting. Much appreciated!

P.S. more than happy to create a PR if you think the fix is okay.

[MichaelEischer]

I'd prefer to restrict the umask before creating the file. So something like the following. Haven't tested it though.

( umask 027 && touch "$PASSWORD_FILE" )

(Subshell to limit the effect of the umask command).