From 605e17df31b8a7ef59e5c45d574e506a3958843f Mon Sep 17 00:00:00 2001
From: Joel Scheuner
Date: Mon, 16 Oct 2023 15:43:10 +0200
Subject: [PATCH] Fix filesystem permission parity (#22)
---
 cmd/localstack/file_utils.go | 22 ++++++++++++++++++++++
 cmd/localstack/main.go | 19 ++++++++++++++++---
 cmd/localstack/user.go | 4 ++--
 3 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 cmd/localstack/file_utils.go
diff --git a/cmd/localstack/file_utils.go b/cmd/localstack/file_utils.go
new file mode 100644
index 0000000..69e93de
--- /dev/null
+++ b/cmd/localstack/file_utils.go
@@ -0,0 +1,22 @@
+package main
+
+import (
+ "os"
+ "path/filepath"
+)
+
+// Inspired by https://stackoverflow.com/questions/73864379/golang-change-permission-os-chmod-and-os-chowm-recursively
+// but using the more efficient WalkDir API
+func ChmodRecursively(root string, mode os.FileMode) error {
+ return filepath.WalkDir(root,
+ func(path string, d os.DirEntry, err error) error {
+ if err != nil {
+ return err
+ }
+ err = os.Chmod(path, mode)
+ if err != nil {
+ return err
+ }
+ return nil
+ })
+}
diff --git a/cmd/localstack/main.go b/cmd/localstack/main.go
index e4e096a..917b330 100644
--- a/cmd/localstack/main.go
+++ b/cmd/localstack/main.go
@@ -132,6 +132,15 @@ func main() {
 log.Fatal("Failed to download code archives: " + err.Error())
 }
 
+ // fix permissions of the layers directory for better AWS parity
+ if err := ChmodRecursively("/opt", 0755); err != nil {
+ log.Warnln("Could not change file mode recursively of directory /opt:", err)
+ }
+ // fix permissions of the tmp directory for better AWS parity
+ if err := ChmodRecursively("/tmp", 0700); err != nil {
+ log.Warnln("Could not change file mode recursively of directory /tmp:", err)
+ }
+
 // parse CLI args
 bootstrap, handler := getBootstrap(os.Args)
 
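Review bot: `os.Chmod(path, mode)` in the walk callback follows symbolic links, so a link found under `root` has its target re-moded even when that target lies outside the tree; WalkDir does not descend into linked directories, but it still hands the link entry itself to the callback. The call sites in main.go appear to run before privileges are dropped, so I would skip links ahead of the chmod with `if d.Type()&os.ModeSymlink != 0 { return nil }`. The doc comment should also open with the function name and say that one mode is applied to files and directories alike and that the first error aborts the walk, for example `// ChmodRecursively sets mode on root and every entry below it, stopping at the first error.`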
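Review bot: The recursive 0700 on /tmp re-modes every entry below the directory, while the only ownership change visible in this patch is the non-recursive `os.Chown("/tmp", uid, gid)` in the following hunk. Anything already present under /tmp at this point would then be mode 0700 and, presumably, still owned by root, which leaves it unreadable for the unprivileged user. If parity only concerns the directory itself, `os.Chmod("/tmp", 0700)` is enough; otherwise the chown has to walk the tree too. The 0755 pass over /opt also makes every regular file world-readable and executable, which deserves a comment confirming that this widening is intended. main() starts and ends outside the hunk.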
@@ -141,11 +150,15 @@ func main() {
 gid := 990
 AddUser(lsOpts.User, uid, gid)
 if err := os.Chown("/tmp", uid, gid); err != nil {
- log.Warnln("Could not change owner of /tmp:", err)
+ log.Warnln("Could not change owner of directory /tmp:", err)
 }
 UserLogger().Debugln("Process running as root user.")
- DropPrivileges(lsOpts.User)
- UserLogger().Debugln("Process running as non-root user.")
+ err := DropPrivileges(lsOpts.User)
+ if err != nil {
+ log.Warnln("Could not drop root privileges.", err)
+ } else {
+ UserLogger().Debugln("Process running as non-root user.")
+ }
 }
 
 logCollector := NewLogCollector()
diff --git a/cmd/localstack/user.go b/cmd/localstack/user.go
index 13c5f5d..3e6da42 100644
--- a/cmd/localstack/user.go
+++ b/cmd/localstack/user.go
@@ -70,12 +70,12 @@ func UserLogger() *log.Entry {
 }
 uid := os.Getuid()
 uidString := strconv.Itoa(uid)
- user, err := user.LookupId(uidString)
+ userObject, err := user.LookupId(uidString)
 if err != nil {
 log.Warnln("Could not look up user by uid:", uid, err)
 }
 return log.WithFields(log.Fields{
- "username": user.Username,
+ "username": userObject.Username,
 "uid": uid,
 "euid": os.Geteuid(),
 "gid": os.Getgid(),
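Review bot: When `DropPrivileges` returns an error, the new branch only logs a warning and main() carries on, so everything after this block would still run as root. Dropping privileges is a security boundary, so I would fail closed here in the same way the download error is handled earlier in main(): `log.Fatal("Could not drop root privileges: " + err.Error())`. If continuing as root is a deliberate compatibility choice, state that in a comment on the branch so the warn-only handling is not mistaken for an oversight. The `os.Chown` failure just above is warn-only as well, and main() continues outside the hunk.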