Conversation

Vampouille

This PR is a proposal to fix #14 using the usermod command.

This PR replaces the entrypoint with 3 commands:

  • usermod on www-data to change its uid to the value of the RUN_AS_UID env variable
  • chown on the directories previously owned by www-data
  • finally, run the standard Apache entrypoint: apache2-foreground

@Vampouille
Author

I don't know if there is a way to split a long entrypoint line in JSON format.

@ihor-sviziev

@Vampouille I think we should create a separate sh file for the entrypoint.
Also, it would be great to check if the uid is already the same; no need to do chmod on those directories then. It would be a little bit faster start for containers.

@Vampouille
Author

@ihor-sviziev I just updated my PR with a dedicated shell script. I also check if the UID needs to be changed.

@ihor-sviziev

I think apache2-foreground should be moved to CMD in the Dockerfile. In general it looks very good to me!
Thank you!

@Vampouille
Author

I moved apache2-foreground to CMD.

@Vampouille
Author

Can I run update.sh and commit the result?

@Vampouille
Author

@yosifkit can you take a look at this reviewed PR? I think it should fix #14.

@Vampouille
Author

@tianon Do you think this PR has a chance to be merged?

@tianon
Member

tianon commented Sep 2, 2016

I'm not comfortable with the PHP image doing chmod or chown at runtime -- it's meant to be used as a generic base, and modifying permissions at runtime is an inherently dangerous thing to be doing, especially with no prior knowledge of what the application whose permissions we're modifying is expecting.

With #282 (and #291), changing the runtime user should be possible with -e APACHE_RUN_USER=nobody, for example:

$ docker run -dit --name apache-nobody -e APACHE_RUN_USER=nobody php:7.0-apache
763df5c2d7012678a270d7ef021919323c12e87b4471ed52755164b7e833440e
$ docker logs apache-nobody
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.3. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.3. Set the 'ServerName' directive globally to suppress this message
[Fri Sep 02 16:45:34.496215 2016] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/7.0.10 configured -- resuming normal operations
[Fri Sep 02 16:45:34.496233 2016] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
$ docker top apache-nobody
UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
root                29375               29361               0                   09:45               pts/9               00:00:00            apache2 -DFOREGROUND
nobody              29406               29375               0                   09:45               pts/9               00:00:00            apache2 -DFOREGROUND
nobody              29407               29375               0                   09:45               pts/9               00:00:00            apache2 -DFOREGROUND
nobody              29408               29375               0                   09:45               pts/9               00:00:00            apache2 -DFOREGROUND
nobody              29409               29375               0                   09:45               pts/9               00:00:00            apache2 -DFOREGROUND
nobody              29410               29375               0                   09:45               pts/9               00:00:00            apache2 -DFOREGROUND

@Vampouille
Author

Vampouille commented Sep 5, 2016

Thanks for your answer. The purpose of this PR is to be able to run Apache with numeric uid 999. It seems that 999 as a uid is common across Docker images. You can look at the postgres official images:

https://github.com/docker-library/postgres/blob/fc36c25f8ac352f1fea6d0e7cf8d9bd92a4e720f/9.5/Dockerfile#L5

In a Docker environment, when you share named volumes, the textual username is not used. Docker does not translate or map users between containers, so file owners are only identified by numeric value.

If I try to launch Apache with uid 999, it complains about not finding a user with uid 999:

[Mon Sep 05 09:56:42.645149 2016] [unixd:alert] [pid 11] AH02155: getpwuid: couldn't determine user name from uid 999, you probably need to modify the User directive

I'm not comfortable with the PHP image doing chmod or chown at runtime

In my PR, chmod and chown are limited to some Apache system directories.

@Vampouille
Author

https://github.com/docker-library/php/pull/286/files#diff-8874cb4a06e835f8683c251ffad0fb3fR11

I think that chown only affects directories that should not be used by the end user, do you agree?
Additionally, there should not be too many files in these directories.

WANTED_UID=${RUN_AS_UID:-33}

# check if UID need to be updated
if [ $CURRENT_UID -ne $WANTED_UID ]; then


I tried using this same code in a different Docker image to change the www-data UID and needed to tweak this line to if [ "$CURRENT_UID" -ne "$WANTED_UID" ]; then, and the above to WANTED_UID=${RUN_AS_UID}.

Author


CURRENT_UID and WANTED_UID should not be empty because:

  • the id command always returns a numeric identifier
  • ${RUN_AS_UID:-33} uses 33 as the default value if RUN_AS_UID is not set

Can you explain the steps to reproduce your issue? Maybe your www-data default uid was not set to 33.


@Vampouille that makes sense. I'm not clear why the ID was not set by default on my instance, but based on what you're saying it doesn't seem like this change needs to be made. Thanks for taking the time to respond!
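The entrypoint design described at the top of the thread (usermod only when the UID differs, chown limited to Apache system directories, then apache2-foreground from CMD) and the empty-variable concern raised in the review above, written out as an added example. This is illustration code, not the PR's own script: the directory list, the RUN_AS_UID fallback to 33 (Debian's www-data UID) and the function names are assumptions. The value is validated before any numeric test so that an empty or non-numeric RUN_AS_UID fails clearly instead of producing a broken `[ -ne ]` comparison.

```sh
#!/bin/sh
# Added example, not the PR's own entrypoint: start Apache as the UID given in
# RUN_AS_UID, changing www-data's UID only when it actually differs and only
# re-owning a fixed list of Apache system directories. Names, paths and the
# default UID below are assumptions for illustration.
set -eu

# Validate the requested UID: an empty value falls back to 33 (assumed to be
# www-data's UID, as on Debian); anything non-numeric is rejected (return 2)
# so that a later "[ ... -ne ... ]" never sees junk or an empty string.
target_uid() {
    wanted="${1:-33}"
    case "$wanted" in
        *[!0-9]*) return 2 ;;
    esac
    printf '%s\n' "$wanted"
}

# Return 0 when the UID must change, 1 when it already matches,
# 2 when the requested value is invalid.
# Arguments: current UID of www-data, requested UID (may be empty).
need_uid_change() {
    current="$1"
    wanted="$(target_uid "${2:-}")" || return 2
    [ "$current" -ne "$wanted" ]
}

# Directories whose ownership is adjusted (assumed list for this example;
# the PR limited its chown to Apache system directories, not the web root).
APACHE_DIRS="/var/run/apache2 /var/lock/apache2 /var/log/apache2"

# Root-only: apply the change with usermod, then re-own the listed
# directories by name so they follow the new numeric UID.
apply_uid_change() {
    wanted="$(target_uid "${RUN_AS_UID:-}")"
    current="$(id -u www-data)"
    if need_uid_change "$current" "$wanted"; then
        usermod -u "$wanted" www-data
        for d in $APACHE_DIRS; do
            if [ -d "$d" ]; then
                chown -R www-data "$d"
            fi
        done
    fi
}

# Entrypoint: the Dockerfile's CMD (apache2-foreground) arrives as "$@".
# Only adjust the UID when running as root; otherwise just exec the command.
if [ "${1:-}" = "apache2-foreground" ]; then
    if [ "$(id -u)" -eq 0 ]; then
        apply_uid_change
    fi
    exec "$@"
fi
```

With this script as ENTRYPOINT and `CMD ["apache2-foreground"]`, `docker run -e RUN_AS_UID=999 ...` gives www-data the numeric UID 999 that a shared volume will see, while an unset RUN_AS_UID leaves the image untouched. The whole adjustment is skipped when the container is started with `-u` (non-root), which is the case where usermod would fail anyway.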

@tianon
Member

tianon commented Apr 5, 2017

Beyond the solution of APACHE_RUN_USER, there's also the solution I just put on #190 (comment) (which removes running as root entirely):

I think this one is already about as decent as we can be without breaking backwards compatibility -- with some minor configuration changes, -u www-data should work as-is (since Apache will just warn if it can't change to the user requested in the configuration, at most):

FROM php:7-apache
RUN sed -i 's/80/8080/g' /etc/apache2/sites-available/000-default.conf /etc/apache2/ports.conf
USER www-data
$ docker build .
Sending build context to Docker daemon 2.048 kB
Step 1/3 : FROM php:7-apache
 ---> bc943f239a7f
Step 2/3 : RUN sed -i 's/80/8080/g' /etc/apache2/sites-available/000-default.conf /etc/apache2/ports.conf
 ---> Running in 84c37c1db043
 ---> 94d6861d578a
Removing intermediate container 84c37c1db043
Step 3/3 : USER www-data
 ---> Running in 2ce018e8363d
 ---> 87926a4f33dc
Removing intermediate container 2ce018e8363d
Successfully built 87926a4f33dc
$ docker run -it --rm 87926a4f33dc
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.17. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.17. Set the 'ServerName' directive globally to suppress this message
[Wed Apr 05 19:33:14.218299 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/7.1.0 configured -- resuming normal operations
[Wed Apr 05 19:33:14.218348 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'

This is adaptable to use users other than www-data, but requires additional permissions changes (as can be seen below), so IMO APACHE_RUN_USER is still a superior solution:

$ docker run -it --rm -u 999 87926a4f33dc
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.16. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.16. Set the 'ServerName' directive globally to suppress this message
[Wed Apr 05 21:09:22.110035 2017] [core:error] [pid 1] (13)Permission denied: AH00099: could not create /var/run/apache2/apache2.pid
[Wed Apr 05 21:09:22.110068 2017] [core:error] [pid 1] AH00100: apache2: could not log pid to file /var/run/apache2/apache2.pid

Thanks for the contribution and discussion! ❤️

@tianon tianon closed this Apr 5, 2017
Successfully merging this pull request may close these issues.

How to change the UID of the Apache process?