From 9fb18604251551aa60310122060a7ac029bc5fb0 Mon Sep 17 00:00:00 2001
From: Ying Xie <yxieca@users.noreply.github.com>
Date: Tue, 22 Oct 2019 19:02:08 -0700
Subject: [PATCH] [file permission] explicitly set file permission on passwd,
 group, shadow (#3652)

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
---
 build_debian.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/build_debian.sh b/build_debian.sh
index c1a13d1ae7..d1e5273b1c 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -282,6 +282,13 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
     mcelog
 fi
 
+## Set /etc/shadow permissions to -rw-------.
+sudo LANG=c chroot $FILESYSTEM_ROOT chmod 600 /etc/shadow
+
+## Set /etc/passwd, /etc/group permissions to -rw-r--r--.
+sudo LANG=c chroot $FILESYSTEM_ROOT chmod 644 /etc/passwd
+sudo LANG=c chroot $FILESYSTEM_ROOT chmod 644 /etc/group
+
 #Adds a locale to a debian system in non-interactive mode
 sudo sed -i '/^#.* en_US.* /s/^#//' $FILESYSTEM_ROOT/etc/locale.gen && \
     sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT locale-gen "en_US.UTF-8"