From d395c73ed6a2ddd5d35560999d81de1fce777a4e Mon Sep 17 00:00:00 2001
From: Joel Scheuner
Date: Wed, 4 Oct 2023 18:01:02 +0200
Subject: [PATCH 1/3] Change permissions of /opt layers directory

---
 cmd/localstack/file_utils.go | 22 ++++++++++++++++++++++
 cmd/localstack/main.go | 7 ++++++-
 2 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 cmd/localstack/file_utils.go

diff --git a/cmd/localstack/file_utils.go b/cmd/localstack/file_utils.go
new file mode 100644
index 0000000..69e93de
--- /dev/null
+++ b/cmd/localstack/file_utils.go
@@ -0,0 +1,22 @@
+package main
+
+import (
+ "os"
+ "path/filepath"
+)
+
+// Inspired by https://stackoverflow.com/questions/73864379/golang-change-permission-os-chmod-and-os-chowm-recursively
+// but using the more efficient WalkDir API
+func ChmodRecursively(root string, mode os.FileMode) error {
+ return filepath.WalkDir(root,
+ func(path string, d os.DirEntry, err error) error {
+ if err != nil {
+ return err
+ }
+ err = os.Chmod(path, mode)
+ if err != nil {
+ return err
+ }
+ return nil
+ })
+}
diff --git a/cmd/localstack/main.go b/cmd/localstack/main.go
index e4e096a..806948d 100644
--- a/cmd/localstack/main.go
+++ b/cmd/localstack/main.go
@@ -132,6 +132,11 @@ func main() {
 log.Fatal("Failed to download code archives: " + err.Error())
 }

+ // fix permissions of layers directory (if it exists) for better AWS parity
+ if err := ChmodRecursively("/opt", 0755); err != nil {
+ log.Warnln("Could not change file mode of directory /opt:", err)
+ }
+
 // parse CLI args
 bootstrap, handler := getBootstrap(os.Args)

@@ -141,7 +146,7 @@ func main() {
 gid := 990
 AddUser(lsOpts.User, uid, gid)
 if err := os.Chown("/tmp", uid, gid); err != nil {
- log.Warnln("Could not change owner of /tmp:", err)
+ log.Warnln("Could not change owner of directory /tmp:", err)
 }
 UserLogger().Debugln("Process running as root user.")
 DropPrivileges(lsOpts.User)
From 35e1df228fded20d272043a90a33f6ac79c9b6e5 Mon Sep 17 00:00:00 2001
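Review bot: os.Chmod follows symbolic links, so a symlink anywhere under root (filepath.WalkDir lists link entries but does not descend into them) gets mode applied to its link target, which need not lie inside root; skipping link entries right after the err check keeps the change confined to the tree being walked, e.g. `if d.Type()&os.ModeSymlink != 0 { return nil }`. The trailing Chmod/err/return nil statements collapse to `return os.Chmod(path, mode)`. The header comment should also state that the same mode is applied to directories and regular files alike, so a 0755 walk sets the execute bit on every file and clears any setuid/setgid/sticky bits already present, since callers pass a single mode.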
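Review bot: The comment says "(if it exists)" but the call does not implement that: when /opt is absent, filepath.WalkDir hands the os.Lstat error to the callback, ChmodRecursively returns it, and the new side logs a warning on every start without a layers directory. If an absent /opt is expected, treat it as a no-op, e.g. `if err := ChmodRecursively("/opt", 0755); err != nil && !errors.Is(err, os.ErrNotExist) {` (the `errors` package must be imported if main.go does not already do so). Patch 2 of this series rewords the comment but keeps the warning. main() starts and ends outside the hunk.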
From: Joel Scheuner
Date: Wed, 4 Oct 2023 18:33:17 +0200
Subject: [PATCH 2/3] Fix permissions for tmp directory

---
 cmd/localstack/main.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/cmd/localstack/main.go b/cmd/localstack/main.go
index 806948d..c4e5b27 100644
--- a/cmd/localstack/main.go
+++ b/cmd/localstack/main.go
@@ -132,9 +132,13 @@ func main() {
 log.Fatal("Failed to download code archives: " + err.Error())
 }

- // fix permissions of layers directory (if it exists) for better AWS parity
+ // fix permissions of the layers directory for better AWS parity
 if err := ChmodRecursively("/opt", 0755); err != nil {
- log.Warnln("Could not change file mode of directory /opt:", err)
+ log.Warnln("Could not change file mode recursively of directory /opt:", err)
+ }
+ // fix permissions of the tmp directory for better AWS parity
+ if err := ChmodRecursively("/tmp", 0700); err != nil {
+ log.Warnln("Could not change file mode recursively of directory /tmp:", err)
 }

 // parse CLI args
From 11d4975b4e1201ca00b7c191a79552bb79e73d20 Mon Sep 17 00:00:00 2001
From: Joel Scheuner
Date: Wed, 4 Oct 2023 18:40:24 +0200
Subject: [PATCH 3/3] Handle errors in drop priviledges

---
 cmd/localstack/main.go | 8 ++++++--
 cmd/localstack/user.go | 4 ++--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/cmd/localstack/main.go b/cmd/localstack/main.go
index c4e5b27..917b330 100644
--- a/cmd/localstack/main.go
+++ b/cmd/localstack/main.go
@@ -153,8 +153,12 @@ func main() {
 log.Warnln("Could not change owner of directory /tmp:", err)
 }
 UserLogger().Debugln("Process running as root user.")
- DropPrivileges(lsOpts.User)
- UserLogger().Debugln("Process running as non-root user.")
+ err := DropPrivileges(lsOpts.User)
+ if err != nil {
+ log.Warnln("Could not drop root privileges.", err)
+ } else {
+ UserLogger().Debugln("Process running as non-root user.")
+ }
 }

 logCollector := NewLogCollector()
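Review bot: ChmodRecursively("/tmp", 0700) walks the whole tree, while the os.Chown("/tmp", uid, gid) further down main() (context in the previous patch's second hunk) only changes the top-level directory, so anything already under /tmp that is owned by another user ends up 0700 and unreadable by lsOpts.User once privileges are dropped; whether /tmp holds files at this point, for instance from the code-archive download just above, is not visible here. Regular files also receive 0700, which sets their execute bit. If the goal is parity for the directory itself, `if err := os.Chmod("/tmp", 0700); err != nil {` is sufficient; otherwise the chown needs to become recursive as well. main() starts and ends outside the hunk.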
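Review bot: When DropPrivileges fails the new side only logs a warning and keeps running as root, so a misconfigured lsOpts.User quietly weakens the sandbox; if continuing as root is not acceptable the branch should be fatal, e.g. `log.Fatalln("Could not drop root privileges:", err)`, and if best-effort is intended the message should say that the process keeps running as root. The message also ends in a period before the err argument, unlike the colon-style messages around it. The surrounding code uses the scoped form, so `if err := DropPrivileges(lsOpts.User); err != nil {` keeps err out of the enclosing block. main() starts and ends outside the hunk.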
diff --git a/cmd/localstack/user.go b/cmd/localstack/user.go
index 13c5f5d..3e6da42 100644
--- a/cmd/localstack/user.go
+++ b/cmd/localstack/user.go
@@ -70,12 +70,12 @@ func UserLogger() *log.Entry {
 }
 uid := os.Getuid()
 uidString := strconv.Itoa(uid)
- user, err := user.LookupId(uidString)
+ userObject, err := user.LookupId(uidString)
 if err != nil {
 log.Warnln("Could not look up user by uid:", uid, err)
 }
 return log.WithFields(log.Fields{
- "username": user.Username,
+ "username": userObject.Username,
 "uid": uid,
 "euid": os.Geteuid(),
 "gid": os.Getgid(),
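Review bot: The rename keeps the nil dereference: user.LookupId returns a nil *user.User on failure, so after the warning on the error path the new `userObject.Username` in the fields map panics, turning a failed lookup into a crash of the logger itself. Resolve the username before building the fields and fall back to a placeholder when the lookup fails, which also keeps the lookup result scoped to the if statement. UserLogger() starts outside the hunk and its field list may continue past it.
```go
	uidString := strconv.Itoa(uid)
	username := "unknown" // constructed fallback; pick the project's convention
	if userObject, err := user.LookupId(uidString); err != nil {
		log.Warnln("Could not look up user by uid:", uid, err)
	} else {
		username = userObject.Username
	}
	return log.WithFields(log.Fields{
		"username": username,
		// … unchanged: uid, euid, gid fields …
```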