Drop custom user/group and document root, change permissions on runtime

phpmyadmin · Nov 20, 2018 · 662b82d · 662b82d
1 parent b1e2062
commit 662b82d
Show file tree

Hide file tree

Showing 6 changed files with 52 additions and 47 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -49,19 +49,15 @@ RUN set -ex; \
         || gpg --keyserver pgp.mit.edu --recv-keys "$GPGKEY" \
         || gpg --keyserver keyserver.pgp.com --recv-keys "$GPGKEY"; \
     gpg --batch --verify phpMyAdmin.tar.xz.asc phpMyAdmin.tar.xz; \
-    tar -xf phpMyAdmin.tar.xz; \
+    tar -xf phpMyAdmin.tar.xz -C /usr/src; \
     gpgconf --kill all; \
     rm -r "$GNUPGHOME" phpMyAdmin.tar.xz phpMyAdmin.tar.xz.asc; \
-    mv phpMyAdmin-$VERSION-all-languages /www; \
-    rm -rf /www/setup/ /www/examples/ /www/test/ /www/po/ /www/composer.json /www/RELEASE-DATE-$VERSION; \
-    sed -i "s@define('CONFIG_DIR'.*@define('CONFIG_DIR', '/etc/phpmyadmin/');@" /www/libraries/vendor_config.php; \
-    chown -R nobody:nogroup /www; \
-    find /www -type d -exec chmod 750 {} \; ; \
-    find /www -type f -exec chmod 640 {} \; ; \
+    mv /usr/src/phpMyAdmin-$VERSION-all-languages /usr/src/phpmyadmin; \
+    rm -rf /usr/src/phpmyadmin/setup/ /usr/src/phpmyadmin/examples/ /usr/src/phpmyadmin/test/ /usr/src/phpmyadmin/po/ /usr/src/phpmyadmin/composer.json /usr/src/phpmyadmin/RELEASE-DATE-$VERSION; \
+    sed -i "s@define('CONFIG_DIR'.*@define('CONFIG_DIR', '/etc/phpmyadmin/');@" /usr/src/phpmyadmin/libraries/vendor_config.php; \
 # Add directory for sessions to allow session persistence
     mkdir /sessions; \
-    mkdir -p /www/tmp; \
-    chmod -R 777 /www/tmp; \
+    mkdir -p /var/nginx/client_body_temp; \
     apk del .fetch-deps
 
 # Copy configuration
@@ -75,4 +71,4 @@ COPY run.sh /run.sh
 EXPOSE 80
 
 ENTRYPOINT [ "/run.sh" ]
-CMD ["supervisord", "-n"]
+CMD ["supervisord", "-n", "-j", "/supervisord.pid"]
diff --git a/etc/nginx.conf b/etc/nginx.conf
@@ -1,4 +1,3 @@
-user nobody nogroup;
 worker_processes 4;
 
 daemon off;
@@ -53,7 +52,7 @@ http {
         listen 80 default_server;
         server_name _;
 
-        root /www;
+        root /var/www/html;
 
         index index.php index.html index.htm;
 
@@ -73,7 +72,7 @@ http {
 
         location ~ \.php$ {
             fastcgi_intercept_errors on;
-            fastcgi_pass unix:/var/run/php/php-fpm.sock;
+            fastcgi_pass 127.0.0.1:9000;
 
             # regex to split $uri to $fastcgi_script_name and $fastcgi_path
             fastcgi_split_path_info ^(.+\.php)(/.+)$;

diff --git a/etc/php-fpm.conf b/etc/php-fpm.conf
diff --git a/etc/supervisor.d/php.ini b/etc/supervisor.d/php.ini
@@ -1,6 +1,5 @@
 [program:php-fpm]
-command=php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf
-user=nobody
+command=php-fpm --nodaemonize --fpm-config /usr/local/etc/php-fpm.conf
 autostart=true
 autorestart=true
 priority=1

diff --git a/php.ini b/php.ini
@@ -2,7 +2,7 @@
 allow_url_fopen = Off
 max_execution_time = 600
 memory_limit = 512M
-open_basedir = /www/:/tmp/:/etc/phpmyadmin/
+open_basedir = /var/www/html:/tmp/:/etc/phpmyadmin/
 post_max_size = 512M
 upload_max_filesize = 512M
 

diff --git a/run.sh b/run.sh
@@ -1,22 +1,50 @@
 #!/bin/sh
-if [ ! -f /etc/phpmyadmin/config.secret.inc.php ]; then
-    cat > /etc/phpmyadmin/config.secret.inc.php <<EOT
+if [[ "$1" == apache2* ]] || [ "$1" == php-fpm ] || [ "$1" == supervisord ] ; then
+    if [ "$(id -u)" = '0' ]; then
+        case "$1" in
+            apache2*)
+                user="${APACHE_RUN_USER:-www-data}"
+                group="${APACHE_RUN_GROUP:-www-data}"
+                ;;
+            *) # php-fpm
+                user='www-data'
+                group='www-data'
+                ;;
+        esac
+    else
+        user="$(id -u)"
+        group="$(id -g)"
+    fi
+
+    chown www-data:www-data /sessions /var/nginx/client_body_temp
+
+    if ! [ -e index.php -a -e db_designer.php ]; then
+        echo >&2 "phpMyAdmin not found in $PWD - copying now..."
+        if [ "$(ls -A)" ]; then
+            echo >&2 "WARNING: $PWD is not empty - press Ctrl+C now if this is an error!"
+            ( set -x; ls -A; sleep 10 )
+        fi
+        tar --create \
+            --file - \
+            --one-file-system \
+            --directory /usr/src/phpmyadmin \
+            --owner "$user" --group "$group" \
+            . | tar --extract --file -
+        echo >&2 "Complete! phpMyAdmin has been successfully copied to $PWD"
+        mkdir -p tmp; \
+        chmod -R 777 tmp; \
+    fi
+
+    if [ ! -f /etc/phpmyadmin/config.secret.inc.php ]; then
+        cat > /etc/phpmyadmin/config.secret.inc.php <<EOT
 <?php
 \$cfg['blowfish_secret'] = '$(tr -dc 'a-zA-Z0-9~!@#$%^&*_()+}{?></";.,[]=-' < /dev/urandom | fold -w 32 | head -n 1)';
 EOT
-fi
+    fi
 
-if [ ! -f /etc/phpmyadmin/config.user.inc.php ]; then
-    touch /etc/phpmyadmin/config.user.inc.php
+    if [ ! -f /etc/phpmyadmin/config.user.inc.php ]; then
+        touch /etc/phpmyadmin/config.user.inc.php
+    fi
 fi
 
-mkdir -p /var/nginx/client_body_temp
-chown nobody:nogroup /sessions /var/nginx/client_body_temp
-mkdir -p /var/run/php/
-chown nobody:nogroup /var/run/php/
-touch /var/log/php-fpm.log
-chown nobody:nogroup /var/log/php-fpm.log
-
-chmod 644 /etc/phpmyadmin/*
-
 exec "$@"