From e757dae4f6183c42f65ebd702bed42789c5a9b88 Mon Sep 17 00:00:00 2001
From: Callum Dickinson <callum.dickinson.nz@gmail.com>
Date: Sat, 2 Mar 2024 22:02:14 +1300
Subject: [PATCH 1/4] Minimise user write access to container service files

This PR reduces the number of files that the container user is given write access to before the user jail is started.

This reduces the risk of files being modified by potential attackers if they managed to break into the container environment (through, for example, a vulnerability in Palworld.)

The following files/directories have had their ownership changed to `root:root`:

* `/entrypoint.sh`
* `/PalWorldSettings.ini.template`
* `/scripts`
* `/includes`

The container user still has full read access to these files. `PalWorldSettings.ini.template` is still copied by the user to the Palworld config dir (with correct ownership), and `server.sh` can set configuration values in it without issues. The only thing that has changed is that the container user can no longer *modify* these files.

`PalWorldSettings.ini.template` and `rcon.yaml` have also had execute permissions removed, as they do not need to be executable.
---
 Dockerfile         | 4 ++--
 entrypoint.sh      | 6 +-----
 includes/config.sh | 2 +-
 3 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 012237a..bac71f5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -187,8 +187,8 @@ RUN apt-get update \
 COPY --chmod=755 entrypoint.sh /
 COPY --chmod=755 scripts/ /scripts
 COPY --chmod=755 includes/ /includes
-COPY --chmod=755 configs/rcon.yaml /home/steam/steamcmd/rcon.yaml
-COPY --chmod=755 configs/PalWorldSettings.ini.template /
+COPY --chmod=644 configs/rcon.yaml /home/steam/steamcmd/rcon.yaml
+COPY --chmod=644 configs/PalWorldSettings.ini.template /
 COPY --chmod=755 gosu-amd64 /usr/local/bin/gosu
 
 RUN mkdir -p "$BACKUP_PATH" \
diff --git a/entrypoint.sh b/entrypoint.sh
index af6b1ac..4545d6b 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -16,17 +16,13 @@ elif [[ "$(id -u steam)" -ne "${PUID}" ]] || [[ "$(id -g steam)" -ne "${PGID}" ]
     ew "> Current $APP_USER user PUID is '$(id -u steam)' and PGID is '$(id -g steam)'"
     ew "> Setting new $APP_USER user PUID to '${PUID}' and PGID to '${PGID}'"
     groupmod -g "${PGID}" "$APP_GROUP" && usermod -u "${PUID}" -g "${PGID}" "$APP_USER"
-else 
+else
     ew "> Current $APP_USER user PUID is '$(id -u steam)' and PGID is '$(id -g steam)'"
     ew "> PUID and PGID matching what is requested for user $APP_USER"
 fi
 
 chown -R "$APP_USER":"$APP_GROUP" "$APP_HOME"
 chown -R "$APP_USER":"$APP_GROUP" "$GAME_ROOT"
-chown "$APP_USER":"$APP_GROUP" /entrypoint.sh
-chown "$APP_USER":"$APP_GROUP" /PalWorldSettings.ini.template
-chown -R "$APP_USER":"$APP_GROUP" /scripts
-chown -R "$APP_USER":"$APP_GROUP" /includes
 
 ew_nn "> id steam: " ; e "$(id steam)"
 
diff --git a/includes/config.sh b/includes/config.sh
index e4239f9..cd244e8 100644
--- a/includes/config.sh
+++ b/includes/config.sh
@@ -40,7 +40,7 @@ function setup_palworld_settings_ini() {
     fi
     # Copy default-config, which comes with SteamCMD to gameserver save location
     ew "> Copying PalWorldSettings.ini.template to ${GAME_SETTINGS_FILE}"
-    cp "${PALWORLD_TEMPLATE_FILE}" "${GAME_SETTINGS_FILE}"
+    cp --no-preserve=ownership "${PALWORLD_TEMPLATE_FILE}" "${GAME_SETTINGS_FILE}"
 
     if [[ -n ${DIFFICULTY+x} ]]; then
         e "> Setting Difficulty to '$DIFFICULTY'"

From 706bc7f85422d2b1f25ef9efa382bc687f345ed4 Mon Sep 17 00:00:00 2001
From: StaleLoafOfBread <45444205+StaleLoafOfBread@users.noreply.github.com>
Date: Tue, 5 Mar 2024 21:39:01 -0500
Subject: [PATCH 2/4] feat(error): throw when not running as root

---
 entrypoint.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 897ec82..6760f25 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -9,6 +9,11 @@ APP_HOME=/home/$APP_USER
 
 source /includes/colors.sh
 
+if [[ "${EUID}" -ne 0 ]]; then
+    ee ">>> Docker user must be root! Please adjust how you started the container."
+    exit 1
+fi
+
 if [[ "${PUID}" -eq 0 ]] || [[ "${PGID}" -eq 0 ]]; then
     ee ">>> Running Palworld as root is not supported, please fix your PUID and PGID!"
     exit 1
@@ -16,7 +21,7 @@ elif [[ "$(id -u steam)" -ne "${PUID}" ]] || [[ "$(id -g steam)" -ne "${PGID}" ]
     ew "> Current $APP_USER user PUID is '$(id -u steam)' and PGID is '$(id -g steam)'"
     ew "> Setting new $APP_USER user PUID to '${PUID}' and PGID to '${PGID}'"
     groupmod -g "${PGID}" "$APP_GROUP" && usermod -u "${PUID}" -g "${PGID}" "$APP_USER"
-else 
+else
     ew "> Current $APP_USER user PUID is '$(id -u steam)' and PGID is '$(id -g steam)'"
     ew "> PUID and PGID matching what is requested for user $APP_USER"
 fi
@@ -28,6 +33,7 @@ chown "$APP_USER":"$APP_GROUP" /PalWorldSettings.ini.template
 chown -R "$APP_USER":"$APP_GROUP" /scripts
 chown -R "$APP_USER":"$APP_GROUP" /includes
 
-ew_nn "> id steam: " ; e "$(id steam)"
+ew_nn "> id steam: "
+e "$(id steam)"
 
 exec gosu $APP_USER:$APP_GROUP "$@"

From c6bbf7ea0ecb53f87bc1fbff4da2cb1577602d56 Mon Sep 17 00:00:00 2001
From: Sebastian Schmidt <2270806+jammsen@users.noreply.github.com>
Date: Sat, 27 Apr 2024 10:01:15 +0200
Subject: [PATCH 3/4] finalising the pr

---
 entrypoint.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 6760f25..7561e49 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,5 +1,6 @@
 #!/bin/bash
 # shellcheck disable=SC1091
+# https://stackoverflow.com/questions/27669950/difference-between-euid-and-uid
 
 set -e
 
@@ -10,7 +11,7 @@ APP_HOME=/home/$APP_USER
 source /includes/colors.sh
 
 if [[ "${EUID}" -ne 0 ]]; then
-    ee ">>> Docker user must be root! Please adjust how you started the container."
+    ee ">>> This Docker-Container must be run as root! Please adjust how you started the container, to fix this error."
     exit 1
 fi
 
@@ -33,7 +34,6 @@ chown "$APP_USER":"$APP_GROUP" /PalWorldSettings.ini.template
 chown -R "$APP_USER":"$APP_GROUP" /scripts
 chown -R "$APP_USER":"$APP_GROUP" /includes
 
-ew_nn "> id steam: "
-e "$(id steam)"
+ew_nn "> id steam: " ; e "$(id steam)"
 
 exec gosu $APP_USER:$APP_GROUP "$@"

From f0cd09709a2ded0ad5b4c76a96b51bff3ce3da23 Mon Sep 17 00:00:00 2001
From: Sebastian Schmidt <2270806+jammsen@users.noreply.github.com>
Date: Sun, 28 Apr 2024 11:08:03 +0200
Subject: [PATCH 4/4] added changelog, try to remove merge-conflict

---
 CHANGELOG.md       | 6 ++++++
 docker-compose.yml | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cf18172..9fb9668 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,12 @@
 
 [Back to main](README.md#changelog)
 
+## 2024-04-28
+
+- Log-Rotation by @Gornoka (#261)
+- Throw error when not run as root by @StaleLoafOfBread (#246)
+- Minimise user write access to container service file @Callum027 (#241)
+
 ## 2024-04-09
 
 - Exclude save backup directory in backup @Dashboy1998  (#259)
diff --git a/docker-compose.yml b/docker-compose.yml
index 1c555c3..9e8713e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -4,6 +4,11 @@ services:
     container_name: palworld-dedicated-server
     image: jammsen/palworld-dedicated-server:latest
     restart: unless-stopped
+    logging:
+      driver: "local"
+      options:
+        max-size: "10m"
+        max-file: "3"
     ports:
       - target: 8211 # Gamerserver port inside of the container
         published: 8211 # Gamerserver port on your host