Index: scripts/lockdown.sh
===================================================================
diff -u -r395d640eaa8535f7079c8776f1d0c4ad370e5a98 -r5d26baccf9eaf26dc95f281634aedba68544aa0f
--- scripts/lockdown.sh (.../lockdown.sh) (revision 395d640eaa8535f7079c8776f1d0c4ad370e5a98)
+++ scripts/lockdown.sh (.../lockdown.sh) (revision 5d26baccf9eaf26dc95f281634aedba68544aa0f)
@@ -222,7 +222,11 @@
 # ***** cloud
 # Give read-only access to denali by making the group owner.
 chown -R cloud.denali /var/configurations/CloudSync
- chmod -R g-w,g+r,o-rwx /var/configurations/CloudSync
+ # Give only listing permission to the denali user (e.g Denali can only ls, not cat or open files)
+ # Set the cloud sync directories to have read-only permissions
+ find /var/configurations/CloudSync -type d -exec chmod g-w,g+r,o-rwx {} \;
+ # Set the files to not have read/write permissions
+ find /var/configurations/CloudSync -type f -exec chmod g-rwx,o-rwx {} \;

 # Give read-only access to denali by making the group owner.
 mkdir -p /media/sd-card/cloudsync
@@ -237,6 +241,18 @@
 usermod -a -G video denali
 usermod -a -G input denali
 usermod -a -G tty denali
+
+ # copy the settings crc
+ local FIL_RMD=readme.md
+ local FIL_CRC=settings.crc
+ local SRC_CRC=/home/root/.config/
+ local DST_CRC=/var/configurations/
+ cp "$SRC_CRC$FIL_RMD" "$DST_CRC$FIL_RMD" #TODO remove from the shasum
+ cp "$SRC_CRC$FIL_CRC" "$DST_CRC$FIL_CRC"
+ chown denali.denali "$DST_CRC$FIL_CRC"
+ chmod u=r "$DST_CRC$FIL_CRC"
+ chmod g-rwx "$DST_CRC$FIL_CRC"
+ chmod o-rwx "$DST_CRC$FIL_CRC"
 }

 function cleanup() {
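Review bot: The two added `find … -exec chmod` lines in the first hunk use relative modes, so the access denali ends up with depends on whatever bits the tree already carried: the directory pass never sets or clears group execute, and the file pass leaves the owner bits untouched. If the intent stated in the new comment is "list but not read", absolute modes make that explicit and repeatable on every run, e.g. `find /var/configurations/CloudSync -type d -exec chmod g=rx,o= {} +` and `find /var/configurations/CloudSync -type f -exec chmod g=,o= {} +` (use `g=r` on directories if descending into subdirectories is not wanted). Entries that are neither regular files nor directories keep their previous mode, and files created under CloudSync after lockdown runs get their creator's umask instead, so it is worth confirming that umask also withholds group read. The unchanged comment above `chown -R cloud.denali` still says "read-only access" and no longer matches; the enclosing function starts and ends outside this hunk.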
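Review bot: In the second hunk, `chown denali.denali` followed by `chmod u=r` on settings.crc does not prevent the denali user from altering it, because a file's owner can always restore its own write permission. If the copy is meant as a reference that denali may read but not change (an assumption, since its consumer is not visible here), keep it root-owned and grant read through the group: `install -o root -g denali -m 0440 "$SRC_CRC$FIL_CRC" "$DST_CRC$FIL_CRC"`. That single call also creates the file with its final mode, where the current sequence tightens it only after `cp` and three separate `chmod` calls. readme.md is copied with no explicit owner or mode, and neither `cp` is checked, so a missing source only shows up as later chown/chmod errors unless the script runs under `set -e`. The function these lines are added to begins outside the hunk.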