From b19b867e98abe6156a68654eedac4f9bf44b1bee Mon Sep 17 00:00:00 2001
From: Niall Byrne <9848926+niall-byrne@users.noreply.github.com>
Date: Sun, 3 Mar 2024 19:11:00 +0000
Subject: [PATCH] feat(PACKAGING): secure virtualenv permissions
---
 .vale/Vocab/pi_portal/accept.txt | 1 +
 markdown/INSTALLATION.md | 1 +
 packaging/debian/assets/debian/postinst | 11 +++++++----
 packaging/debian/assets/debian/rules | 2 ++
 4 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/.vale/Vocab/pi_portal/accept.txt b/.vale/Vocab/pi_portal/accept.txt
index e7db8bb4..ee8be455 100644
--- a/.vale/Vocab/pi_portal/accept.txt
+++ b/.vale/Vocab/pi_portal/accept.txt
@@ -54,6 +54,7 @@ uid
 umask
 url
 uuid
+virtualenv
 wip
 workflows
 xmlrpc
diff --git a/markdown/INSTALLATION.md b/markdown/INSTALLATION.md
index 40c13556..8c93a59b 100644
--- a/markdown/INSTALLATION.md
+++ b/markdown/INSTALLATION.md
@@ -145,6 +145,7 @@ Steps:
 source /opt/venvs/pi_portal/bin/activate
 pip install ./pi_portal-x.x.x-py3-none-any.whl
 chown -R pi_portal:pi_portal /opt/venvs/pi_portal
+ chmod -R o=- /opt/venvs/pi_portal
 ```
 - You can customize the location by setting an [environment variable](../pi_portal/config.py).
diff --git a/packaging/debian/assets/debian/postinst b/packaging/debian/assets/debian/postinst
index 6bada1e2..52b6daee 100755
--- a/packaging/debian/assets/debian/postinst
+++ b/packaging/debian/assets/debian/postinst
@@ -11,10 +11,13 @@ gpio_access() {
 }
 permissions() {
- chown -R "${PACKAGE_USER}":"${PACKAGE_USER}" \
- /opt/venvs/pi_portal \
- /usr/bin/portal \
- /var/lib/motion
+ local FILEPATH
+
+ FILEPATH_LIST=("/opt/venvs/pi_portal" "/usr/bin/portal" "/var/lib/motion")
+
+ for FILEPATH in "${FILEPATH_LIST[@]}"; do
+ chown -R "${PACKAGE_USER}":"${PACKAGE_USER}" "${FILEPATH}"
+ done
 }
 users() {
diff --git a/packaging/debian/assets/debian/rules b/packaging/debian/assets/debian/rules
index 1d335f30..9e71403d 100755
--- a/packaging/debian/assets/debian/rules
+++ b/packaging/debian/assets/debian/rules
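Review bot: In `permissions()` in postinst, the new loop still makes the service account the owner of `/opt/venvs/pi_portal` and `/usr/bin/portal`, so a process running as that account can rewrite the code it executes; removing world access does not change that. If the service does not need to write to those two paths, `chown -R root:"${PACKAGE_USER}" "${FILEPATH}"` for them, with only `/var/lib/motion` owned by the service account, would be tighter. Separately, `FILEPATH_LIST` is assigned without `local` and so becomes a script-wide global; `local FILEPATH FILEPATH_LIST` keeps the helper self-contained. The array and the `"${FILEPATH_LIST[@]}"` expansion are bash syntax, so the shebang, which is outside this hunk, must be bash rather than `/bin/sh`.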
@@ -43,6 +43,8 @@ override_dh_fixperms:
 find debian/$(PACKAGE)${PI_PORTAL_INSTALL_LOCATION} \
 -type d \
 -exec chmod 750 {} \;
+ chmod -R o=- \
+ debian/$(PACKAGE)${PI_PORTAL_INSTALL_LOCATION}
 chmod 750 \
 debian/$(PACKAGE)/usr/bin/filebeat \
 debian/$(PACKAGE)/usr/bin/portal
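Review bot: The added `chmod -R o=-` in `override_dh_fixperms` has no comment saying why world access is removed, and the `o=-` spelling relies on chmod accepting an empty `-` action after `=`; `chmod -R o= \` states the intent directly (the same spelling is used in INSTALLATION.md). A line such as `# Strip all world access from the virtualenv; only the package user and group need it.` above the command would record the reason. The command clears only the "other" bits, so file group bits stay as the build produced them; it is worth confirming that nothing under the install location is group-writable once postinst assigns the package group. The recipe starts above this hunk and may continue below it.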