Run composer as www-data. (#138)

* Run composer as www-data.

php-nginx/Dockerfile

@@ -55,7 +55,8 @@ ENV NGINX_DIR=/opt/nginx \
     NGINX_VERSION=1.10.1 \
     PHP56_VERSION=5.6.24 \
     PHP70_VERSION=7.0.9 \
-    PATH=/opt/php/bin:$PATH
+    PATH=/opt/php/bin:$PATH \
+    WWW_HOME=/var/www
 
 # gpgkeys for verifying the tarballs
 COPY gpgkeys /gpgkeys
@@ -73,10 +74,10 @@ EXPOSE 8080
 
 # Lock down the web directories
 RUN mkdir -p $APP_DIR $LOG_DIR $UPLOAD_DIR $SESSION_SAVE_PATH \
-        $NGINX_USER_CONF_DIR \
+        $NGINX_USER_CONF_DIR $WWW_HOME\
     && chown -R www-data.www-data \
         $APP_DIR $UPLOAD_DIR $SESSION_SAVE_PATH $LOG_DIR \
-        $NGINX_USER_CONF_DIR \
+        $NGINX_USER_CONF_DIR $WWW_HOME \
     && chmod 755 $UPLOAD_DIR $SESSION_SAVE_PATH
 
 # Put config files into place.
@@ -91,28 +92,29 @@ COPY logrotate.app_engine /etc/logrotate.d/app_engine
 
 COPY entrypoint.sh composer.sh whitelist_functions.php /
 
-RUN chmod +x /entrypoint.sh /composer.sh
+RUN chgrp www-data composer.sh && chmod +x /entrypoint.sh /composer.sh \
+    # Temporary enable the shell for www-data
+    # We will disable it in entrypoint.sh
+    && chsh -s /bin/bash www-data
 
 # A script for extracting PHP version from composer.json.
 COPY detect_php_version.php /tmp/detect_php_version.php
-RUN cd /tmp && ${PHP_DIR}/bin/php \
+RUN chgrp www-data /tmp/detect_php_version.php && cd /tmp \
+    && su www-data -c "${PHP_DIR}/bin/php \
         -d suhosin.executor.include.whitelist=phar \
         -d suhosin.executor.func.blacklist=none \
         -d memory_limit=-1 \
         -d max_input_time=-1 \
         /usr/local/bin/composer \
-        require composer/semver
+        require composer/semver"
 
+# Copy the app and change the owner
 ONBUILD COPY . $APP_DIR
-ONBUILD RUN chmod -R 550 $APP_DIR
-ONBUILD RUN chown -R root.www-data $APP_DIR
+ONBUILD RUN chown -R www-data.www-data $APP_DIR
 
 WORKDIR $APP_DIR
 
 ONBUILD RUN /composer.sh
-# Now suhosin.log might be owned by root.
-ONBUILD RUN touch $LOG_DIR/suhosin.log
-ONBUILD RUN chown www-data.www-data $LOG_DIR/suhosin.log
 
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["/usr/bin/supervisord"]

php-nginx/composer.sh

@@ -23,10 +23,11 @@ DEFAULT_PHP_VERSION="5.6"
 if [ -f ${APP_DIR}/composer.json ]; then
     # Extract php version from the composer.json.
     CMD="${PHP_DIR}/bin/php /tmp/detect_php_version.php ${APP_DIR}/composer.json"
-    PHP_VERSION=`${CMD}`
+    PHP_VERSION=`su www-data -c "${CMD}"`
 
-    # Remove the vendor directory for the temporary script above.
-    rm -rf /tmp/vendor
+    # Remove files and directories for detecting PHP version.
+    # These files are created in Dockerfile.
+    rm -rf /tmp/vendor /tmp/detect_php_version.php /tmp/composer.*
 
     if [ "${PHP_VERSION}" != "7.0" ] && [ "${PHP_VERSION}" != "5.6" ]; then
         cat<<EOF
@@ -53,11 +54,12 @@ EOF
     COMPOSER_GITHUB_OAUTH_TOKEN=${COMPOSER_GITHUB_OAUTH_TOKEN:-}
     if [[ -n "$COMPOSER_GITHUB_OAUTH_TOKEN" ]]; then
         if curl --fail --silent -H "Authorization: token $COMPOSER_GITHUB_OAUTH_TOKEN" https://api.github.com/rate_limit > /dev/null; then
-            ${PHP_DIR}/bin/php \
+            su www-data -c "${PHP_DIR}/bin/php \
               -d suhosin.executor.include.whitelist=phar \
               -d suhosin.executor.func.blacklist=none \
               -d disable_functions= \
-              /usr/local/bin/composer config -g github-oauth.github.com "$COMPOSER_GITHUB_OAUTH_TOKEN" &> /dev/null # redirect outdated version warnings (Composer sends those to STDOUT instead of STDERR)
+              /usr/local/bin/composer config -g github-oauth.github.com ${COMPOSER_GITHUB_OAUTH_TOKEN} &> /dev/null"
+            # redirect outdated version warnings (Composer sends those to STDOUT instead of STDERR)
             echo 'Using $COMPOSER_GITHUB_OAUTH_TOKEN for GitHub OAuth.'
         else
             echo 'Invalid $COMPOSER_GITHUB_OAUTH_TOKEN for GitHub OAuth!'
@@ -66,9 +68,13 @@ EOF
     # no need for the token to stay around in the env
     unset COMPOSER_GITHUB_OAUTH_TOKEN
 
+    # Workaround for https://github.com/docker/docker/issues/6047
+    # We want to remove when Container Builder starts to use newer Docker.
+    rm -rf ${APP_DIR}/vendor
+
     # Run Composer.
     cd ${APP_DIR} && \
-        ${PHP_DIR}/bin/php \
+        su www-data -c "${PHP_DIR}/bin/php \
         -d suhosin.executor.include.whitelist=phar \
         -d suhosin.executor.func.blacklist=none \
         -d disable_functions= \
@@ -82,5 +88,5 @@ EOF
         --optimize-autoloader \
         --no-interaction \
         --no-ansi \
-        --no-progress
+        --no-progress"
 fi

php-nginx/entrypoint.sh

@@ -114,17 +114,28 @@ sed -i "s|%%DOC_ROOT%%|${DOCUMENT_ROOT}|g" "${PHP_DIR}/lib/php.ini"
 # look up the environment variable.
 ${PHP_DIR}/bin/php /whitelist_functions.php
 
-# run the composer scripts for post-deploy
-COMPOSER_CMD="${PHP_DIR}/bin/php \
+if [ -f "${APP_DIR}/composer.json" ]; then
+    # run the composer scripts for post-deploy
+    COMPOSER_CMD="${PHP_DIR}/bin/php \
     -d suhosin.executor.include.whitelist=phar \
     -d suhosin.executor.func.blacklist=none \
     -d disable_functions= \
     -d memory_limit=-1 \
     -d max_input_time=-1 \
     /usr/local/bin/composer \
     --no-ansi"
-if $COMPOSER_CMD run-script -l | grep -q "post-deploy-cmd"; then
-    $COMPOSER_CMD run-script --no-interaction post-deploy-cmd
+    if su www-data -c "${COMPOSER_CMD} run-script -l" \
+        | grep -q "post-deploy-cmd"; then
+        su www-data -c \
+            "$COMPOSER_CMD run-script --no-interaction post-deploy-cmd"
+    fi
 fi
 
+# Lock down the DOCUMENT_ROOT
+chown -R root.www-data ${DOCUMENT_ROOT}
+chmod -R 550 ${DOCUMENT_ROOT}
+
+# Change the www-data's shell back to /usr/sbin/nologin
+chsh -s /usr/sbin/nologin www-data
+
 exec "$@"