feat: enforce correct permission in Dockerfile

Dockerfile

@@ -2,16 +2,12 @@ FROM focs.ji.sjtu.edu.cn:5000/gitea/runner-images:ubuntu-latest-slim
 
 ENV TZ="Asia/Shanghai"
 
+# install packages
 RUN sed -i s@/deb.debian.org/@/mirrors.tuna.tsinghua.edu.cn/@g /etc/apt/sources.list.d/debian.sources && \
     apt-get update && \
     apt-get install -y --no-install-recommends sudo python3-minimal python3-pip git git-lfs openssh-client rsync && \
     apt-get clean && \
-    rm -rf /var/lib/apt/lists/* && \
-    userdel -r node && \
-    useradd -u 1000 -ms /bin/bash tt && \
-    useradd -u 1001 -ms /bin/bash student && \
-    usermod -aG student tt && \
-    echo "student ALL=(tt) NOPASSWD:SETENV:/usr/local/bin/joj3,/usr/local/bin/joj3-forge-convert\ntt ALL=(student) NOPASSWD:SETENV:ALL" > /etc/sudoers.d/joj
+    rm -rf /var/lib/apt/lists/*
 
 # install joint-teapot && joj3-forge
 RUN pip install --no-cache-dir --break-system-packages \
@@ -21,6 +17,17 @@ RUN pip install --no-cache-dir --break-system-packages \
 
 # install joj3 & repo-health-checker & joj3-forge-convert
 COPY bin/joj3 bin/repo-health-checker bin/joj3-forge-convert /usr/local/bin/
+RUN chmod +x /usr/local/bin/joj3 /usr/local/bin/repo-health-checker /usr/local/bin/joj3-forge-convert
 
+# set permissions
+RUN userdel -r node && \
+    useradd -u 1000 -ms /bin/bash tt && \
+    useradd -u 1001 -ms /bin/bash student && \
+    usermod -aG student tt && \
+    chmod 700 /home/tt /home/student && \
+    echo "student ALL=(tt) NOPASSWD:SETENV:/usr/local/bin/joj3,/usr/local/bin/joj3-forge-convert\ntt ALL=(student) NOPASSWD:SETENV:ALL" > /etc/sudoers.d/joj && \
+    chmod 440 /etc/sudoers.d/joj
+
+# entry setup
 USER student
 WORKDIR /home/student