From 7cfbc5abb89165582a5297a8d49b175eb8ec0ddc Mon Sep 17 00:00:00 2001
From: Tommy <contact@tommytran.io>
Date: Wed, 26 Jun 2024 14:25:56 -0700
Subject: [PATCH] Ensure correct permissions

---
 setup.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/setup.sh b/setup.sh
index c74c860..7b401d7 100644
--- a/setup.sh
+++ b/setup.sh
@@ -38,16 +38,18 @@ sudo firewall-cmd --reload
 # This fixes a long standing bug where network-online.target is reached before IPv6 is obtained, which breaks IPv6 pinning.
 # Also, if you are using floating IPs for NGINX stream like I do, you need it anyways
 unpriv curl https://raw.githubusercontent.com/TommyTran732/NGINX-Configs/main/etc/sysctl.d/99-nonlocal-bind.conf | sudo tee /etc/sysctl.d/99-nonlocal-bind.conf
+sudo chmod 644 /etc/sysctl.d/99-nonlocal-bind.conf
 
 # Setup webroot for NGINX
 ## Explicitly using /var/srv here because SELinux does not follow symlinks
 sudo semanage fcontext -a -t httpd_sys_content_t "/var/srv/nginx(/.*)?"
-sudo mkdir -p /srv/nginx
 sudo mkdir -p /srv/nginx/.well-known/acme-challenge
+sudo chmod -R 755 /srv/nginx/.well-known/acme-challenge
 
 # NGINX hardening
 sudo mkdir -p /etc/systemd/system/nginx.service.d
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/systemd/system/nginx.service.d/local.conf | sudo tee /etc/systemd/system/nginx.service.d/override.conf
+chmod 644 /etc/systemd/system/nginx.service.d/override.conf
 sudo systemctl daemon-reload
 
 # Setup certbot-ocsp-fetcher
@@ -58,6 +60,7 @@ sudo restorecon -Rv /var/usrlocal/bin/certbot-ocsp-fetcher
 sudo chmod u+x /var/usrlocal/bin/certbot-ocsp-fetcher
 sudo semanage fcontext -a -t httpd_config_t "/var/cache/certbot-ocsp-fetcher(/.*)?"
 sudo mkdir -p /var/cache/certbot-ocsp-fetcher/
+sudo chmod 755 /var/cache/certbot-ocsp-fetcher/
 
 # Setup nginx-create-session-ticket-keys
 unpriv curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/nginx-create-session-ticket-keys | sudo tee /usr/local/bin/nginx-create-session-ticket-keys