From ba887da1d2c9ab8ab58f2ec33196bbfe03373267 Mon Sep 17 00:00:00 2001
From: Honza Horak
Date: Thu, 31 Mar 2022 11:00:53 +0200
Subject: [PATCH 1/4] Do not allow any user to read the generated SSL key/crt We need to maintain the feature of being able to run the container as any user ID, so we cannot just leave the user to have read permissions for the generated key and certificate. However, there seems to be no use case for having the permissions for reading for other users. While being a different user inside a container might be not relevant anyway in the container case, let's rather be super cautious and remove the read permissions that are not needed.
---
2.4/root/usr/share/container-scripts/httpd/common.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/2.4/root/usr/share/container-scripts/httpd/common.sh b/2.4/root/usr/share/container-scripts/httpd/common.sh
index 236e6596..2f71ec81 100644
--- a/2.4/root/usr/share/container-scripts/httpd/common.sh
+++ b/2.4/root/usr/share/container-scripts/httpd/common.sh
@@ -57,8 +57,8 @@ root@${fqdn}
 EOF
 fi
- chmod 644 ${sslcert}
- chmod 644 ${sslkey}
+ chmod 640 ${sslcert}
+ chmod 640 ${sslkey}
 }
 config_general() {
From b9cede96d4be632a95c540d2d79f8fcf6b028e21 Mon Sep 17 00:00:00 2001
From: Honza Horak
Date: Thu, 31 Mar 2022 11:03:40 +0200
Subject: [PATCH 2/4] Add quotes
---
2.4/root/usr/share/container-scripts/httpd/common.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/2.4/root/usr/share/container-scripts/httpd/common.sh b/2.4/root/usr/share/container-scripts/httpd/common.sh
index 2f71ec81..e660fa5e 100644
--- a/2.4/root/usr/share/container-scripts/httpd/common.sh
+++ b/2.4/root/usr/share/container-scripts/httpd/common.sh
@@ -57,8 +57,8 @@ root@${fqdn}
 EOF
 fi
- chmod 640 ${sslcert}
- chmod 640 ${sslkey}
+ chmod 640 "${sslcert}"
+ chmod 640 "${sslkey}"
 }
 config_general() {
From c876a9592a763a5276e2a8843aa48fc7f5321335 Mon Sep 17 00:00:00 2001
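Review bot: In patch 1/4, `chmod 640 ${sslkey}` still leaves the generated private key readable by the file's group, and the hunk gives the public certificate and the key the same mode without saying why. If the group bit is kept because the container can run under an arbitrary UID that reaches the files only through its group (the commit message hints at this, but the enclosing function starts above the hunk and the code that creates the files is not visible), a comment above the two lines should say so, e.g. `# key stays group-readable: the arbitrary runtime UID reads it via its group; no access for others`; if the user that generates the key is always the one that runs httpd, `chmod 600` on the key alone would be enough. The mode is also tightened only after the files exist, so the key presumably carries its creation-time mode until this line runs; setting `umask 027` before generation would close that gap. The same applies to the 2.4-micro hunk in patch 3/4.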
From: "Petr \"Stone\" Hracek"
Date: Wed, 25 Sep 2024 09:02:39 +0200
Subject: [PATCH 3/4] Update permissions also for micro images
Signed-off-by: Petr "Stone" Hracek
---
2.4-micro/root/usr/share/container-scripts/httpd/common.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/2.4-micro/root/usr/share/container-scripts/httpd/common.sh b/2.4-micro/root/usr/share/container-scripts/httpd/common.sh
index db7dc5f5..d31f3a96 100644
--- a/2.4-micro/root/usr/share/container-scripts/httpd/common.sh
+++ b/2.4-micro/root/usr/share/container-scripts/httpd/common.sh
@@ -53,8 +53,8 @@ root@${fqdn}
 EOF
 fi
- chmod 644 ${sslcert}
- chmod 644 ${sslkey}
+ chmod 640 ${sslcert}
+ chmod 640 ${sslkey}
 }
 config_general() {
From 5a4b35d55548b368eaaa92316b8407ce8cb29bcd Mon Sep 17 00:00:00 2001
From: "Petr \"Stone\" Hracek"
Date: Wed, 25 Sep 2024 09:03:15 +0200
Subject: [PATCH 4/4] Update container-common-scripts
Signed-off-by: Petr "Stone" Hracek
---
common | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common b/common
index c5d8cea9..1e271d8d 160000
--- a/common
+++ b/common
@@ -1 +1 @@
-Subproject commit c5d8cea9e87098e4966d101cb7033aa5ae8a318e
+Subproject commit 1e271d8d077833ceed1bc0fcb1eb9629ea5ea410
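Review bot: In patch 3/4, the two new `chmod` lines in the 2.4-micro copy are unquoted, although patch 2/4 of this series quotes the identical lines in the 2.4 copy. Use `chmod 640 "${sslcert}"` and `chmod 640 "${sslkey}"` here as well, so that a path containing whitespace or glob characters is not split and the two copies of common.sh stay in sync. The enclosing function begins above the hunk, so where the two paths come from is not visible here.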