Applying appropriate file permissions on Docker bind mounts

Some Docker containers create files that are readable by everyone on the host. I want to change that. Here's how, using access control lists (ACLs).

Removing public read access to folders

sudo find /opt/paperless/media -type d -exec chmod 750 {} \;

Securing files so that only the user has read/write/execute while the group only has read access

sudo find /opt/paperless/media -type f -exec chmod 740 {} \;

To ensure files created in the folder later get the same restrictions, we can use default ACLs

sudo apt install acl
sudo setfacl -R -m d:u::rwX,d:g::r-X,d:o::--- /mnt/md0/apps/paperless/media/documents

To see current file permissions

ls -l /opt/paperless/media/somefile.pdf

To see ACL rules applied

getfacl /opt/paperless/media/somefile.pdf

Breaking down the setfacl command:

| Command | Description |
|---------|-------------|
| setfacl | Set File ACL — the command that modifies ACLs. |
| -R | Recursive — apply the ACL to the directory and all of its subdirectories. |
| -m | Modify — specify the ACL entries to add or change. |
| d: | Default — apply these as default ACLs (inherited by future files/folders). |
| u::rwX | User (owner) gets read/write (and execute on dirs). |
| g::r-X | Group gets read (and execute on dirs, so they can list contents). |
| o::--- | Others (i.e., everyone else) get no access at all. |
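
To confirm the commands above had the intended effect, this added example (not part of the original post; the function names are hypothetical) audits a bind-mounted tree for anything still accessible to "others" and, where getfacl is installed, lists directories whose default ACL does not deny others.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Assumes file names without embedded newlines.

# Print every file or directory under $1 that still grants any permission
# bit (read, write or execute) to "others".
list_other_access() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of entries reported by list_other_access.
count_other_access() {
    list_other_access "$1" | wc -l | tr -d ' '
}

# Print every directory under $1 whose default ACL lacks "other::---",
# i.e. where files the container writes later could be world-readable again.
# Needs getfacl from the acl package; returns 2 when it is not installed.
list_dirs_without_default_deny() {
    command -v getfacl >/dev/null 2>&1 || return 2
    find "$1" -type d -print | while IFS= read -r d; do
        getfacl -p "$d" 2>/dev/null | grep -q '^default:other::---' \
            || printf '%s\n' "$d"
    done
}

# Exit status 0 only when nothing under $1 is accessible to others.
audit_bind_mount() {
    [ "$(count_other_access "$1")" -eq 0 ]
}

# Typical use after running the chmod/setfacl commands:
#   audit_bind_mount /opt/paperless/media || list_other_access /opt/paperless/media
#   list_dirs_without_default_deny /opt/paperless/media
```

Run the audit again after the container has written new files; a non-empty result from the second function explains why world-readable files keep reappearing.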