From 938e4671b4326775c5784c4448068682d15a676c Mon Sep 17 00:00:00 2001
From: f
Date: Mon, 31 Mar 2025 15:40:03 -0300
Subject: [PATCH 1/2] fix: set umask closes #6
---
 abra.sh | 2 +-
 entrypoint.sh.tmpl | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/abra.sh b/abra.sh
index be1f878..b7f4df6 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,4 +1,4 @@
-export APP_ENTRYPOINT_VERSION=v3
+export APP_ENTRYPOINT_VERSION=v4
 APP_DIR="app:/data"
 insert_vaultwarden_admin_token() {
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 2be7858..ef116c1 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -1,6 +1,7 @@
 #!/bin/bash
 set -e
+umask 027
 # set DATABASE_URL with db_password
 set_db_url() {
--
2.49.0
From cab11b0e2aa9e3b2b95eaa13bc0b6e2b5af38c6f Mon Sep 17 00:00:00 2001
From: f
Date: Thu, 3 Apr 2025 17:06:53 -0300
Subject: [PATCH 2/2] fix: remove world access to existing data
---
 entrypoint.sh.tmpl | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index ef116c1..a8335d2 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -49,6 +49,9 @@ fi
 file_env "ADMIN_TOKEN"
 file_env "SMTP_PASSWORD"
+# remove world permissions on data
+chmod -R o= /data
+
 # upstream startup command
 # https://github.com/dani-garcia/vaultwarden/blob/60ed5ff99d15dec0b82c85987f9a3e244b8bde91/docker/Dockerfile.j2#L254
 /start.sh
--
2.49.0
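Review bot: In patch 1/2, the `umask 027` added after `set -e` in entrypoint.sh.tmpl has no comment, and the value still leaves group read (and directory search) on everything the service creates later. A line such as `# new files: owner full access, group read-only, no world access` above it would record the intent. If nothing in the container's group needs to read the data directory, `umask 077` would be the tighter setting; that depends on how the volume is shared, which the hunk does not show.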
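Review bot: In patch 2/2, `chmod -R o= /data` clears only the world bits, so files that already exist keep whatever group permissions they had, while the `umask 027` from patch 1/2 also removes group write from everything created from now on. If no group member is meant to write to the data directory, `chmod -R g-w,o= /data` would bring old and new files to the same mode. The script runs under `set -e` (visible in the patch 1/2 hunk of the same file), so a chmod failure on any entry stops the script before `/start.sh`. If that fail-closed behaviour is intended, extending the comment to `# remove world permissions on data; startup aborts if this fails` would make it explicit.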