From 4e01e6ac26da0f3def11a3dc7adb7b6bd41d9b77 Mon Sep 17 00:00:00 2001 From: JustSem Date: Wed, 9 Feb 2022 16:11:49 +0100 Subject: [PATCH 1/9] Fix for docker(-compose) to allow the app to be run as a regular user. --- extra/entrypoint.sh | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/extra/entrypoint.sh b/extra/entrypoint.sh index 23c4f01774..93895da520 100644 --- a/extra/entrypoint.sh +++ b/extra/entrypoint.sh @@ -2,8 +2,10 @@ # set -e Exit the script if an error happens set -e -PUID=${PUID=0} -PGID=${PGID=0} + +#Setting the PUID and PGID variable to the ID's we've actually launched as, instead of some passed environment variable. +PUID=$(id -u) +PGID=$(id -g) files_ownership () { # -h Changes the ownership of an encountered symbolic link and not that of the file or directory pointed to by the symbolic link. @@ -18,4 +20,11 @@ files_ownership echo "==> Starting application with user $PUID group $PGID" # --clear-groups Clear supplementary groups. -exec setpriv --reuid "$PUID" --regid "$PGID" --clear-groups "$@" +if [ $(id -u) -eq 0 ]; +then + #We're running as root, so we can use setpriv without problems. + exec setpriv --reuid "$PUID" --regid "$PGID" --clear-groups "$@" +else + #We're running as a regular user, so we'll launch the app as one. + exec "$@" +fi From b6b5f2c2b07e95d3295667599f32345ba5e3f819 Mon Sep 17 00:00:00 2001 From: JustSem Date: Sun, 13 Feb 2022 21:35:03 +0100 Subject: [PATCH 2/9] Updated entrypoint to properly asses and fix permissions. --- extra/entrypoint.sh | 49 ++++++++++++++++++++++++++++++++++----------- 1 file changed, 37 insertions(+), 12 deletions(-) diff --git a/extra/entrypoint.sh b/extra/entrypoint.sh index 93895da520..634d6812af 100644 --- a/extra/entrypoint.sh +++ b/extra/entrypoint.sh 
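Review bot: Replacing the `PUID=${PUID=0}`/`PGID=${PGID=0}` defaults with `PUID=$(id -u)`/`PGID=$(id -g)` removes the only way to drop privileges: when the container starts as root, `PUID` is now always 0, so the `exec setpriv --reuid "$PUID" --regid "$PGID" --clear-groups "$@"` line in the second hunk re-executes the application as root instead of the unprivileged id the operator used to be able to request. If both modes are meant to work, keep the environment override and fall back to the current ids only when none is given, e.g. `PUID=${PUID:-$(id -u)}` and `PGID=${PGID:-$(id -g)}`, so that `files_ownership` chowns to the id the app will actually run as. The comment above the assignments should then say that the override only has an effect when the entrypoint itself runs as root.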
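Review bot: The new `if [ $(id -u) -eq 0 ];` line leaves the command substitution unquoted (ShellCheck SC2046) and puts `then` on its own line behind a bare semicolon; the conventional form is `if [ "$(id -u)" -eq 0 ]; then`. Since the uid was already captured a few lines earlier, the comparison could also reuse that variable rather than spawning a second subshell.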
@@ -3,28 +3,53 @@ # set -e Exit the script if an error happens set -e -#Setting the PUID and PGID variable to the ID's we've actually launched as, instead of some passed environment variable. -PUID=$(id -u) -PGID=$(id -g) files_ownership () { - # -h Changes the ownership of an encountered symbolic link and not that of the file or directory pointed to by the symbolic link. - # -R Recursively descends the specified directories - # -c Like verbose but report only when a change is made - chown -hRc "$PUID":"$PGID" /app/data + # Check if the /app/data folder is owned by the user invoking the container + if [ $(stat -c%u /app/data) != $(id -u) ]; then + echo "File ownership incorrect, attempting to fix." + chown -hRc "$(id -u)":"$(id -g)" /app/data || echo "ERROR: Failed to set file ownership. Please run 'sudo chown -R $(id -u):$(id -g) /path/to/container/volume' to resolve."; exit 1 + fi + + # Checks for R/W permissions + if [ $(stat -c%a /app/data) -ne 770 ]; then + echo "Directory permissions incorrect, attempting to fix." + find /app/data -type d -exec chmod 770 {} \; + + #Re-run the check + if [ $(stat -c%a /app/data) -ne 770 ]; then + echo "ERROR: Failed to set file permissions. Please run 'sudo find /path/to/container/volume -type d chmod 770 {} \;' to resolve." + exit 1 + fi + echo "Directory permission fix succesful! Continuing." + fi + + #Check the R/W permissions on the files + if [ $(stat -c%a /app/data/* | head -n 1) != 640 ]; then + echo "File permissions incorrect. Attempting to fix." + find /app/data -type f -exec chmod 640 {} \; + + #Re-run the check + if [ $(stat -c%a /app/data/* | head -n 1) != 640 ]; then + echo "ERROR: Failed to set file permissions. Please run 'sudo find /path/to/container/volume -type f chmod 640 {} \;' to resolve." + exit 1 + fi + echo "File permission fix succesful! Continuing." 
+ fi } echo "==> Performing startup jobs and maintenance tasks" +echo "==> Checking file permissions" files_ownership -echo "==> Starting application with user $PUID group $PGID" +echo "==> Starting application as user: $(id -u) ($USER) and group $(id -g)" # --clear-groups Clear supplementary groups. if [ $(id -u) -eq 0 ]; then - #We're running as root, so we can use setpriv without problems. - exec setpriv --reuid "$PUID" --regid "$PGID" --clear-groups "$@" + #We're running as root, so we can use setpriv without problems. + exec setpriv --reuid "$PUID" --regid "$PGID" --clear-groups "$@" else - #We're running as a regular user, so we'll launch the app as one. - exec "$@" + #We're running as a regular user, so we'll launch the app as one. + exec "$@" fi From af613e023a6c1a8ac1765f437bb882f9e1cf03fd Mon Sep 17 00:00:00 2001 From: Sem <86064734+justSem@users.noreply.github.com> Date: Sat, 2 Apr 2022 21:39:35 +0200 Subject: [PATCH 3/9] Update extra/entrypoint.sh Co-authored-by: Adam Stachowicz --- extra/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/entrypoint.sh b/extra/entrypoint.sh index 634d6812af..64cd3863f1 100644 --- a/extra/entrypoint.sh +++ b/extra/entrypoint.sh @@ -16,7 +16,7 @@ files_ownership () { echo "Directory permissions incorrect, attempting to fix." find /app/data -type d -exec chmod 770 {} \; - #Re-run the check + # Re-run the check if [ $(stat -c%a /app/data) -ne 770 ]; then echo "ERROR: Failed to set file permissions. Please run 'sudo find /path/to/container/volume -type d chmod 770 {} \;' to resolve." exit 1 From 936b73dfa24984b17bc89830bd58f739c9721fda Mon Sep 17 00:00:00 2001 From: Sem <86064734+justSem@users.noreply.github.com> Date: Sat, 2 Apr 2022 21:39:42 +0200 Subject: [PATCH 4/9] Update extra/entrypoint.sh Co-authored-by: Adam Stachowicz --- extra/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
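Review bot: The root branch at the bottom of the hunk still executes `exec setpriv --reuid "$PUID" --regid "$PGID" --clear-groups "$@"`, but this commit deletes the only assignments of `PUID` and `PGID`, so a container started as root now hands `setpriv` empty strings, which it rejects; restore the assignments (taken from the environment if the root path is meant to drop privileges, since `--reuid` to the current uid changes nothing) or use `id -u`/`id -g` here as the rest of the hunk now does. In `files_ownership`, `chown … || echo "ERROR: …"; exit 1` exits even after a successful repair because the `;` terminates the `||` list, so the failure action needs braces, shown below. The file-mode check `stat -c%a /app/data/* | head -n 1` inspects only the first entry of the glob, which may be a subdirectory at mode 770 or nothing at all on an empty volume, so it can reject a volume whose regular files are all 640 and never examines the rest; probing with `find /app/data -type f ! -perm 640` is more reliable. Both remediation hints in the error messages omit `-exec` (`sudo find … -type d chmod 770 {} \;`), so the command the operator is told to run does not work as written, and the errors should go to stderr. Note also that `stat -c%a` prints four digits for a setgid directory, so `-ne 770` fires on every start for such volumes and `chmod 770` silently clears the bit — worth a comment or a mask-aware comparison.
```shell
  if [ "$(stat -c%u /app/data)" != "$(id -u)" ]; then
    echo "File ownership incorrect, attempting to fix."
    # Group the failure action: without the braces the 'exit 1' ran unconditionally.
    chown -hRc "$(id -u)":"$(id -g)" /app/data || { echo "ERROR: Failed to set file ownership. Please run 'sudo chown -R $(id -u):$(id -g) /path/to/container/volume' to resolve." >&2; exit 1; }
  fi
  # … unchanged: directory permission check …

  # Probe every regular file for a mode other than 640, not just the first glob entry.
  if [ -n "$(find /app/data -type f ! -perm 640 | head -n 1)" ]; then
    # … unchanged: message and chmod …
    # Re-run the check
    if [ -n "$(find /app/data -type f ! -perm 640 | head -n 1)" ]; then
      echo "ERROR: Failed to set file permissions. Please run 'sudo find /path/to/container/volume -type f -exec chmod 640 {} \;' to resolve." >&2
      exit 1
    fi
    # … unchanged: success message …
  fi
```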
diff --git a/extra/entrypoint.sh b/extra/entrypoint.sh index 64cd3863f1..29c8668725 100644 --- a/extra/entrypoint.sh +++ b/extra/entrypoint.sh @@ -24,7 +24,7 @@ files_ownership () { echo "Directory permission fix succesful! Continuing." fi - #Check the R/W permissions on the files + # Check the R/W permissions on the files if [ $(stat -c%a /app/data/* | head -n 1) != 640 ]; then echo "File permissions incorrect. Attempting to fix." find /app/data -type f -exec chmod 640 {} \; From c8b4887f6e5d785c80077c1b4e8e2aec60a1fd61 Mon Sep 17 00:00:00 2001 From: Sem <86064734+justSem@users.noreply.github.com> Date: Sat, 2 Apr 2022 21:39:48 +0200 Subject: [PATCH 5/9] Update extra/entrypoint.sh Co-authored-by: Adam Stachowicz --- extra/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/entrypoint.sh b/extra/entrypoint.sh index 29c8668725..54dbfb7f5b 100644 --- a/extra/entrypoint.sh +++ b/extra/entrypoint.sh @@ -29,7 +29,7 @@ files_ownership () { echo "File permissions incorrect. Attempting to fix." find /app/data -type f -exec chmod 640 {} \; - #Re-run the check + # Re-run the check if [ $(stat -c%a /app/data/* | head -n 1) != 640 ]; then echo "ERROR: Failed to set file permissions. Please run 'sudo find /path/to/container/volume -type f chmod 640 {} \;' to resolve." exit 1 From 524abb6a30baf9d8e70ee7beec7e5d3f958a626a Mon Sep 17 00:00:00 2001 From: Sem <86064734+justSem@users.noreply.github.com> Date: Sat, 2 Apr 2022 21:39:53 +0200 Subject: [PATCH 6/9] Update extra/entrypoint.sh Co-authored-by: Adam Stachowicz --- extra/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/entrypoint.sh b/extra/entrypoint.sh index 54dbfb7f5b..e3c7bc0c43 100644 --- a/extra/entrypoint.sh +++ b/extra/entrypoint.sh 
@@ -47,7 +47,7 @@ echo "==> Starting application as user: $(id -u) ($USER) and group $(id -g)" # --clear-groups Clear supplementary groups. if [ $(id -u) -eq 0 ]; then - #We're running as root, so we can use setpriv without problems. + # We're running as root, so we can use setpriv without problems. exec setpriv --reuid "$PUID" --regid "$PGID" --clear-groups "$@" else #We're running as a regular user, so we'll launch the app as one. From 3ef783eca12cc373c0c785c205df50a511bab940 Mon Sep 17 00:00:00 2001 From: Sem <86064734+justSem@users.noreply.github.com> Date: Sat, 2 Apr 2022 21:39:57 +0200 Subject: [PATCH 7/9] Update extra/entrypoint.sh Co-authored-by: Adam Stachowicz --- extra/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extra/entrypoint.sh b/extra/entrypoint.sh index e3c7bc0c43..b624cd2baf 100644 --- a/extra/entrypoint.sh +++ b/extra/entrypoint.sh @@ -50,6 +50,6 @@ then # We're running as root, so we can use setpriv without problems. exec setpriv --reuid "$PUID" --regid "$PGID" --clear-groups "$@" else - #We're running as a regular user, so we'll launch the app as one. + # We're running as a regular user, so we'll launch the app as one. exec "$@" fi From 87f2860cafc105549cdb7af851fda28aac063478 Mon Sep 17 00:00:00 2001 From: Sem <86064734+justSem@users.noreply.github.com> Date: Sat, 2 Apr 2022 21:40:02 +0200 Subject: [PATCH 8/9] Update extra/entrypoint.sh Co-authored-by: Adam Stachowicz --- extra/entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/extra/entrypoint.sh b/extra/entrypoint.sh index b624cd2baf..f81eb1a483 100644 --- a/extra/entrypoint.sh +++ b/extra/entrypoint.sh 
@@ -9,6 +9,7 @@ files_ownership () { if [ $(stat -c%u /app/data) != $(id -u) ]; then echo "File ownership incorrect, attempting to fix." chown -hRc "$(id -u)":"$(id -g)" /app/data || echo "ERROR: Failed to set file ownership. Please run 'sudo chown -R $(id -u):$(id -g) /path/to/container/volume' to resolve."; exit 1 + echo "File ownership fix succesful! Continuing." fi # Checks for R/W permissions From 0c10fe9e4e79f78d7726aa68533c6f3f94952b82 Mon Sep 17 00:00:00 2001 From: JustSem Date: Sat, 2 Apr 2022 21:47:47 +0200 Subject: [PATCH 9/9] Implemented suggested changes --- extra/entrypoint.sh | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/extra/entrypoint.sh b/extra/entrypoint.sh index f81eb1a483..fd27ef80e1 100644 --- a/extra/entrypoint.sh +++ b/extra/entrypoint.sh 
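Review bot: The added `echo "File ownership fix succesful! Continuing."` is unreachable: on the line above, `chown … || echo "ERROR: …"; exit 1` always runs `exit 1` because the semicolon ends the `||` list, so execution never reaches the new line whether or not chown succeeded. Grouping the failure branch, `chown -hRc "$(id -u)":"$(id -g)" /app/data || { echo "ERROR: …" >&2; exit 1; }`, is what makes the success message meaningful. The message also misspells "successful". `files_ownership` continues outside the hunk.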
@@ -2,23 +2,23 @@ # set -e Exit the script if an error happens set -e - +DATADIR=/app/data files_ownership () { - # Check if the /app/data folder is owned by the user invoking the container - if [ $(stat -c%u /app/data) != $(id -u) ]; then + # Check if the $DATADIR folder is owned by the user invoking the container + if [ $(stat -c%u "$DATADIR") != $(id -u) ]; then echo "File ownership incorrect, attempting to fix." - chown -hRc "$(id -u)":"$(id -g)" /app/data || echo "ERROR: Failed to set file ownership. Please run 'sudo chown -R $(id -u):$(id -g) /path/to/container/volume' to resolve."; exit 1 + chown -hRc "$(id -u)":"$(id -g)" $DATADIR || echo "ERROR: Failed to set file ownership. Please run 'sudo chown -R $(id -u):$(id -g) /path/to/container/volume' to resolve."; exit 1 echo "File ownership fix succesful! Continuing." fi # Checks for R/W permissions - if [ $(stat -c%a /app/data) -ne 770 ]; then + if [ $(stat -c%a "$DATADIR") -ne 770 ]; then echo "Directory permissions incorrect, attempting to fix." - find /app/data -type d -exec chmod 770 {} \; + find $DATADIR -type d -exec chmod 770 {} \; # Re-run the check - if [ $(stat -c%a /app/data) -ne 770 ]; then + if [ $(stat -c%a "$DATADIR") -ne 770 ]; then echo "ERROR: Failed to set file permissions. Please run 'sudo find /path/to/container/volume -type d chmod 770 {} \;' to resolve." exit 1 fi @@ -26,12 +26,12 @@ files_ownership () { fi # Check the R/W permissions on the files - if [ $(stat -c%a /app/data/* | head -n 1) != 640 ]; then + if [ $(stat -c%a "$DATADIR"/* | head -n 1) != 640 ]; then echo "File permissions incorrect. Attempting to fix." - find /app/data -type f -exec chmod 640 {} \; + find $DATADIR -type f -exec chmod 640 {} \; # Re-run the check - if [ $(stat -c%a /app/data/* | head -n 1) != 640 ]; then + if [ $(stat -c%a "$DATADIR"/* | head -n 1) != 640 ]; then echo "ERROR: Failed to set file permissions. Please run 'sudo find /path/to/container/volume -type f chmod 640 {} \;' to resolve." exit 1 fi
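Review bot: `DATADIR` is introduced but used inconsistently: `stat -c%u "$DATADIR"` is quoted while `chown … $DATADIR` and `find $DATADIR -type d` are not, and the `$(stat …)`/`$(id -u)` substitutions inside `[ … ]` stay unquoted; quote every expansion and mark the constant `readonly DATADIR=/app/data` so later code cannot redirect the chown/chmod elsewhere. The rewritten chown line keeps `|| echo "ERROR: …"; exit 1`, which exits unconditionally; since the line is being touched anyway, group the failure branch as `|| { echo "ERROR: …" >&2; exit 1; }`. The comment `# Check if the $DATADIR folder is owned …` would read better as "the data directory (`$DATADIR`)". The second hunk of this commit has the same quoting inconsistency on its `find $DATADIR -type f` line.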
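Review bot: `stat -c%a "$DATADIR"/* | head -n 1` still reports only the first entry of the glob, so a subdirectory (now 770 after the earlier fix) or an empty volume trips the `!= 640` test and the following re-check, while files beyond the first are never examined. Replacing both conditions with `if [ -n "$(find "$DATADIR" -type f ! -perm 640 | head -n 1)" ]; then` checks every regular file and behaves sensibly on an empty directory. The remediation text `sudo find … -type f chmod 640 {} \;` is still missing `-exec`.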