env files are only readable by owner

util/Setup/CertBuilder.cs

@@ -1,7 +1,5 @@
 using System;
-using System.Diagnostics;
 using System.IO;
-using System.Runtime.InteropServices;
 
 namespace Bit.Setup
 {
@@ -28,7 +26,7 @@ namespace Bit.Setup
                 Directory.CreateDirectory($"/bitwarden/ssl/self/{Domain}/");
                 Console.WriteLine("Generating self signed SSL certificate.");
                 Ssl = selfSignedSsl = true;
-                Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 " +
+                Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 365 " +
                     $"-keyout /bitwarden/ssl/self/{Domain}/private.key " +
                     $"-out /bitwarden/ssl/self/{Domain}/certificate.crt " +
                     $"-subj \"/C=US/ST=New York/L=New York/O=8bit Solutions LLC/OU=bitwarden/CN={Domain}\"");
@@ -37,48 +35,17 @@ namespace Bit.Setup
             if(LetsEncrypt)
             {
                 Directory.CreateDirectory($"/bitwarden/letsencrypt/live/{Domain}/");
-                Exec($"openssl dhparam -out /bitwarden/letsencrypt/live/{Domain}/dhparam.pem 2048");
+                Helpers.Exec($"openssl dhparam -out /bitwarden/letsencrypt/live/{Domain}/dhparam.pem 2048");
             }
 
             Console.WriteLine("Generating key for IdentityServer.");
             Directory.CreateDirectory("/bitwarden/identity/");
-            Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
+            Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
                 "-out identity.crt -subj \"/CN=bitwarden IdentityServer\" -days 10950");
-            Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
+            Helpers.Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
                 $"-in identity.crt -certfile identity.crt -passout pass:{IdentityCertPassword}");
 
             return selfSignedSsl;
         }
-
-        private string Exec(string cmd)
-        {
-            var process = new Process
-            {
-                StartInfo = new ProcessStartInfo
-                {
-                    RedirectStandardOutput = true,
-                    UseShellExecute = false,
-                    CreateNoWindow = true,
-                    WindowStyle = ProcessWindowStyle.Hidden
-                }
-            };
-
-            if(!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
-            {
-                var escapedArgs = cmd.Replace("\"", "\\\"");
-                process.StartInfo.FileName = "/bin/bash";
-                process.StartInfo.Arguments = $"-c \"{escapedArgs}\"";
-            }
-            else
-            {
-                process.StartInfo.FileName = "powershell";
-                process.StartInfo.Arguments = cmd;
-            }
-
-            process.Start();
-            var result = process.StandardOutput.ReadToEnd();
-            process.WaitForExit();
-            return result;
-        }
     }
 }

util/Setup/EnvironmentFileBuilder.cs

@@ -131,6 +131,8 @@ globalSettings__installation__identityUri=https://identity.bitwarden.com
 ");
             }
 
+            Helpers.Exec("chmod 600 /bitwarden/docker/global.env");
+
             using(var sw = File.CreateText("/bitwarden/docker/mssql.env"))
             {
                 sw.Write($@"ACCEPT_EULA=Y
@@ -139,6 +141,8 @@ SA_PASSWORD=SECRET
 ");
             }
 
+            Helpers.Exec("chmod 600 /bitwarden/docker/mssql.env");
+
             Console.WriteLine("Building docker environment override files.");
             Directory.CreateDirectory(" /bitwarden/env/");
             using(var sw = File.CreateText("/bitwarden/env/global.override.env"))
@@ -149,6 +153,8 @@ SA_PASSWORD=SECRET
                 }
             }
 
+            Helpers.Exec("chmod 600 /bitwarden/env/global.override.env");
+
             using(var sw = File.CreateText("/bitwarden/env/mssql.override.env"))
             {
                 foreach(var item in _mssqlValues)
@@ -156,6 +162,8 @@ SA_PASSWORD=SECRET
                     sw.WriteLine($"{item.Key}={item.Value}");
                 }
             }
+
+            Helpers.Exec("chmod 600 /bitwarden/env/mssql.override.env");
         }
     }
 }

util/Setup/Helpers.cs

@@ -1,6 +1,8 @@
 using System;
 using System.Data.SqlClient;
+using System.Diagnostics;
 using System.IO;
+using System.Runtime.InteropServices;
 using System.Security.Cryptography;
 using System.Text;
 
@@ -125,5 +127,36 @@ namespace Bit.Setup
 
             return null;
         }
+
+        public static string Exec(string cmd, bool returnStdout = false)
+        {
+            var process = new Process
+            {
+                StartInfo = new ProcessStartInfo
+                {
+                    RedirectStandardOutput = true,
+                    UseShellExecute = false,
+                    CreateNoWindow = true,
+                    WindowStyle = ProcessWindowStyle.Hidden
+                }
+            };
+
+            if(!RuntimeInformation.IsOSPlatform(OSPlatform.Windows))
+            {
+                var escapedArgs = cmd.Replace("\"", "\\\"");
+                process.StartInfo.FileName = "/bin/bash";
+                process.StartInfo.Arguments = $"-c \"{escapedArgs}\"";
+            }
+            else
+            {
+                process.StartInfo.FileName = "powershell";
+                process.StartInfo.Arguments = cmd;
+            }
+
+            process.Start();
+            var result = returnStdout ? process.StandardOutput.ReadToEnd() : null;
+            process.WaitForExit();
+            return result;
+        }
     }
 }