From e5bab108248b9131655a52c06dcc5f97571d93a5 Mon Sep 17 00:00:00 2001
From: shaohuzhang1 <80892890+shaohuzhang1@users.noreply.github.com>
Date: Wed, 21 May 2025 16:43:46 +0800
Subject: [PATCH] build: Sensitive directory permissions (#3126)
---
 installer/Dockerfile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/installer/Dockerfile b/installer/Dockerfile
index 986f0d5ee..c3e76fbe4 100644
--- a/installer/Dockerfile
+++ b/installer/Dockerfile
@@ -66,12 +66,12 @@ RUN chmod 755 /opt/maxkb/app/installer/run-maxkb.sh && \
 curl -L --connect-timeout 120 -m 1800 https://resource.fit2cloud.com/maxkb/ffmpeg/get-ffmpeg-linux | sh && \
 mkdir -p /opt/maxkb/app/sandbox/python-packages && \
 find /opt/maxkb/app -mindepth 1 -not -name 'sandbox' -exec chmod 700 {} + && \
- chmod 755 /tmp && chmod 750 /etc &&\
- groupadd sandbox &&\
- useradd --no-create-home --home /opt/maxkb/app/sandbox sandbox -g sandbox && \
- chown -R sandbox:sandbox /opt/maxkb/app/sandbox && \
+ chmod 755 /tmp && \
+ useradd --no-create-home --home /opt/maxkb/app/sandbox sandbox -g root && \
+ chown -R sandbox:root /opt/maxkb/app/sandbox && \
 chmod g-x /usr/local/bin/* /usr/bin/* /bin/* /usr/sbin/* /sbin/* /usr/lib/postgresql/15/bin/* && \
- chmod g+x /usr/local/bin/python*
+ chmod g+x /usr/local/bin/python* && \
+ chmod g-r /etc
 EXPOSE 8080
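Review bot: Making `root` the sandbox user's primary group (`useradd ... -g root`) turns every group permission bit on root-group files into sandbox access, so the isolation now rests entirely on the one-time `chmod g-x` globs and on `chmod g-r /etc`. Removing only `r` from `/etc` stops directory listing but, assuming the directory keeps its group `x` bit, files under it stay reachable by name, whereas the removed `chmod 750 /etc` with a separate `sandbox` group denied traversal altogether. The globs are also non-recursive and fixed at build time, so executables outside the listed directories, or anything installed or made group-writable later, are not covered. I would document the intent above the `useradd` line, e.g. `# sandbox shares GID 0 on purpose: group bits are the deny mask for this user; root-group files must not be g+w/g+x`, and add a build-time audit step such as `find / -xdev -group root -perm /g=w ! -type l` whose output is reviewed. The RUN instruction starts above the hunk and the base image is not visible here, so the real mode of `/etc` and the set of group-writable paths need confirming.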