From f75191dbd4ee9538349f4bcaa78ebe1ea779444a Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Wed, 1 May 2024 16:26:39 +0000
Subject: [PATCH] Tighten permissions on Etherpad settings file

The file in which our Etherpad settings reside is templated with sensitive data like an API key and DB password. Remove the world readable bit from it, and also drop user/group write perms while we're at it. Also switch the service's effective GID to match its UID and make sure the config's ownership is set accordingly.

Change-Id: I65b70237b4bc8f4e63aa0b717702c124e01ed777
---
 playbooks/roles/etherpad/tasks/main.yaml | 3 +++
 zuul.d/docker-images/etherpad.yaml | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/playbooks/roles/etherpad/tasks/main.yaml b/playbooks/roles/etherpad/tasks/main.yaml
index 7b118328f9..289872891a 100644
--- a/playbooks/roles/etherpad/tasks/main.yaml
+++ b/playbooks/roles/etherpad/tasks/main.yaml
@@ -89,6 +89,9 @@
 template:
 src: settings.json.j2
 dest: /etc/etherpad/settings.json
+ owner: 5001
+ group: 5001
+ mode: '0440'
 
 - name: Clean up from old ep_headings hack
 file:
diff --git a/zuul.d/docker-images/etherpad.yaml b/zuul.d/docker-images/etherpad.yaml
index 2a87898e1d..f74d18f5fa 100644
--- a/zuul.d/docker-images/etherpad.yaml
+++ b/zuul.d/docker-images/etherpad.yaml
@@ -9,6 +9,8 @@
 - context: docker/etherpad
 target: production
 repository: opendevorg/etherpad
+ build_args:
+ - EP_GID=5001
 files: ðerpad_files
 - docker/etherpad/
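Review bot: The added `owner: 5001` / `group: 5001` / `mode: '0440'` lines make settings.json readable only by UID/GID 5001, so this task now silently depends on the Etherpad image having been rebuilt with the `EP_GID=5001` build arg introduced in the other file of this commit and on the container actually running with that GID; if the playbook is applied to a host still running an older image, the service presumably loses read access to its own config on the next restart, and nothing in this task checks or orders that. The same numeric ID is hard-coded here and in the Zuul image definition, which invites drift; defining it once as a role variable and referencing it in both places is safer, e.g. `owner: "{{ etherpad_uid }}"` and `group: "{{ etherpad_uid }}"`, with a comment such as `# must match the UID/GID baked into the opendevorg/etherpad image (EP_GID build arg)`. The enclosing template task starts before this hunk. Permissions on the `/etc/etherpad` directory itself are not touched here; worth confirming it is not group- or world-writable, since 0440 on the file does not stop the file being replaced through a writable parent.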