From c4dfb66d8476d85124242d5d4d7c799567258278 Mon Sep 17 00:00:00 2001
From: Beat Reichenbach <44111292+beatreichenbach@users.noreply.github.com>
Date: Thu, 22 Feb 2024 00:47:43 -0800
Subject: [PATCH] docker: Add support for setting umask (#9429)

Add support for setting umask value in the Docker `entrypoint.sh`
script. This is useful when
not syncing permissions and working with groups, and needing umask
values like `002` instead of `022`.
---
 README-Docker.md            | 3 +++
 script/docker-entrypoint.sh | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/README-Docker.md b/README-Docker.md
index 27acf53aa..02b0dc5d7 100644
--- a/README-Docker.md
+++ b/README-Docker.md
@@ -15,6 +15,9 @@ To grant Syncthing additional capabilities without running as root, use the
 `PCAP` environment variable with the same syntax as that for `setcap(8)`.
 For example, `PCAP=cap_chown,cap_fowner+ep`.
 
+To set a different umask value, use the `UMASK` environment variable. For
+example `UMASK=002`.
+
 ## Example Usage
 
 **Docker cli**
diff --git a/script/docker-entrypoint.sh b/script/docker-entrypoint.sh
index af87ef80b..26a0c12c5 100755
--- a/script/docker-entrypoint.sh
+++ b/script/docker-entrypoint.sh
@@ -2,9 +2,11 @@
 
 set -eu
 
+[ -n "${UMASK:-}" ] && umask "$UMASK"
+
 if [ "$(id -u)" = '0' ]; then
   binary="$1"
-  if [ "${PCAP:-}" == "" ] ; then
+  if [ -z "${PCAP:-}" ]; then
     # If Syncthing should have no extra capabilities, make sure to remove them
     # from the binary. This will fail with an error if there are no
     # capabilities to remove, hence the || true etc.