From 544fff9595e3e89ba7b0534363cc6b4ddfd2d62e Mon Sep 17 00:00:00 2001
From: Juhyung Park
Date: Wed, 12 Jun 2024 14:38:32 +0900
Subject: [PATCH] Apply umask 077 to improve security Group and others permissions will be unset.
Signed-off-by: Juhyung Park
---
 immich-machine-learning.service | 1 +
 immich-microservices.service | 1 +
 immich.service | 1 +
 install.sh | 2 ++
 4 files changed, 5 insertions(+)
diff --git a/immich-machine-learning.service b/immich-machine-learning.service
index 07f3e73..062431b 100644
--- a/immich-machine-learning.service
+++ b/immich-machine-learning.service
@@ -7,6 +7,7 @@ User=immich
 Group=immich
 Type=simple
 Restart=on-failure
+UMask=0077
 WorkingDirectory=/var/lib/immich/app
 EnvironmentFile=/var/lib/immich/env
diff --git a/immich-microservices.service b/immich-microservices.service
index 686f7dd..71a06cb 100644
--- a/immich-microservices.service
+++ b/immich-microservices.service
@@ -9,6 +9,7 @@ User=immich
 Group=immich
 Type=simple
 Restart=on-failure
+UMask=0077
 WorkingDirectory=/var/lib/immich/app
 EnvironmentFile=/var/lib/immich/env
diff --git a/immich.service b/immich.service
index a15e1ff..7eb1a3b 100644
--- a/immich.service
+++ b/immich.service
@@ -11,6 +11,7 @@ User=immich
 Group=immich
 Type=simple
 Restart=on-failure
+UMask=0077
 WorkingDirectory=/var/lib/immich/app
 EnvironmentFile=/var/lib/immich/env
diff --git a/install.sh b/install.sh
index 4cc4f0d..f9c1dce 100755
--- a/install.sh
+++ b/install.sh
@@ -29,6 +29,7 @@ if [[ "$USER" != "immich" ]]; then
 fi
 BASEDIR=$(dirname "$0")
+umask 077
 rm -rf $APP
 mkdir -p $APP
@@ -37,6 +38,7 @@ mkdir -p $APP
 # This expects immich user's home directory to be on $IMMICH_PATH/home
 rm -rf $IMMICH_PATH/home
 mkdir -p $IMMICH_PATH/home
+echo 'umask 077' > $IMMICH_PATH/home/.bashrc
 TMP=/tmp/immich-$(uuidgen)
 git clone https://github.com/immich-app/immich $TMP
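Review bot: `UMask=0077` only governs files the service creates from now on, so anything already on disk keeps its old mode; the same holds for the identical line added in immich-microservices.service and immich.service. The file named by `EnvironmentFile=/var/lib/immich/env` presumably carries credentials, and nothing visible in this patch tightens it or previously written data on an upgraded host. I would pair the change with a one-time fix in the installer or the upgrade notes, for example `chmod 600 /var/lib/immich/env` plus `chmod -R go-rwx` on the data directory. The unit's service section continues outside the hunk.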
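Review bot: The new `umask 077` in install.sh carries no comment, yet its position matters: it must stay above the `rm -rf $APP` / `mkdir -p $APP` pair for the recreated tree to come out owner-only. I would add `# Owner-only from here on: everything created below (app dir, home, /tmp clone) gets no group/other bits` directly above it, so a later reorder does not silently weaken the result.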
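Review bot: Writing the umask to `.bashrc` covers only interactive non-login bash shells; a login shell (`su - immich`, `sudo -iu immich`) reads `~/.bash_profile` or `~/.profile` instead, and since the home directory is recreated empty two lines above, nothing there sources `.bashrc`. Files the immich user creates from a login session would therefore still get the system default mode. I would write the same line to `.profile` as well, with the path quoted: `echo 'umask 077' > "$IMMICH_PATH/home/.profile"`. Whether the account uses bash or allows logins at all is not visible in the hunk, so this may be moot on some installs.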