From 89f5f2e68179fea2aa4241b0ef5cf8b164444bc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20M=C3=BCller?=
Date: Fri, 4 Sep 2020 17:47:29 +0200
Subject: [PATCH] Introduce unprivileged images for apache and fpm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Stephan Müller
---
 Dockerfile-alpine.template | 2 +-
 Dockerfile-debian.template | 2 +-
 README.md | 6 +++---
 stack.yml | 6 +++---
 update.sh | 36 ++++++++++++++++++++++++++++++++----
 5 files changed, 40 insertions(+), 12 deletions(-)

diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 1beeae26..fc44f255 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -121,6 +121,6 @@ RUN set -ex; \
 COPY *.sh upgrade.exclude /
 COPY config/* /usr/src/nextcloud/config/
-
+%%USER%%
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["%%CMD%%"]
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index b3326df0..9f3665ae 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -138,6 +138,6 @@ RUN set -ex; \
 COPY *.sh upgrade.exclude /
 COPY config/* /usr/src/nextcloud/config/
-
+%%USER%%
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["%%CMD%%"]
diff --git a/README.md b/README.md
index b288a983..6fa8a20c 100644
--- a/README.md
+++ b/README.md
@@ -221,7 +221,7 @@ services:
 - MYSQL_USER=nextcloud
 app:
- image: nextcloud
+ image: nextcloud:unprivileged
 ports:
 - 8080:80
 links:
@@ -262,7 +262,7 @@ services:
 - MYSQL_USER=nextcloud
 app:
- image: nextcloud:fpm
+ image: nextcloud:fpm-unprivileged
 links:
 - db
 volumes:
@@ -270,7 +270,7 @@ services:
 restart: always
 web:
- image: nginx
+ image: nginxinc/nginx-unprivileged:alpine
 ports:
 - 8080:80
 links:
diff --git a/stack.yml b/stack.yml
index 631ab045..b137d8a3 100644
--- a/stack.yml
+++ b/stack.yml
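Review bot: The `%%USER%%` placeholder is expanded (by update.sh) to `USER www-data` right after the COPY steps, so for the unprivileged variants /entrypoint.sh and everything it launches now run as www-data; entrypoint.sh is not part of this diff, so any step in it that still needs root (chown of /var/www/html, switching to www-data itself) will fail at container start. Worth confirming that the entrypoint already branches on `id -u` and that /var/www/html and /usr/src/nextcloud are writable by www-data at the point the USER instruction takes effect. Dockerfile-debian.template receives the identical change, so the same check applies there. For the privileged variants the placeholder is replaced with an empty string, which keeps the original blank line, so their layout is unchanged.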
@@ -12,10 +12,10 @@ services:
 - POSTGRES_PASSWORD=nextcloud
 app:
- image: nextcloud
+ image: nextcloud:unprivileged
 restart: always
 ports:
- - 8080:80
+ - 8080:8080
 volumes:
 - nextcloud:/var/www/html
 environment:
@@ -27,7 +27,7 @@ services:
 - db
 cron:
- image: nextcloud
+ image: nextcloud:unprivileged
 restart: always
 volumes:
 - nextcloud:/var/www/html
diff --git a/update.sh b/update.sh
index 5fc6da1f..158c0e5c 100755
--- a/update.sh
+++ b/update.sh
@@ -7,22 +7,40 @@ declare -A php_version=(
 [17.0]='7.3'
 )
+declare -A image_tag=(
+ [apache]='apache'
+ [apache-unprivileged]='apache'
+ [fpm]='fpm'
+ [fpm-unprivileged]='fpm'
+ [fpm-alpine]='fpm-alpine'
+ [fpm-alpine-unprivileged]='fpm-alpine'
+)
+
 declare -A cmd=(
 [apache]='apache2-foreground'
+ [apache-unprivileged]='apache2-foreground'
 [fpm]='php-fpm'
+ [fpm]='php-fpm'
+ [fpm-alpine]='php-fpm'
 [fpm-alpine]='php-fpm'
 )
 declare -A base=(
 [apache]='debian'
+ [apache-unprivileged]='debian'
 [fpm]='debian'
+ [fpm-unprivileged]='debian'
 [fpm-alpine]='alpine'
+ [fpm-alpine-unprivileged]='alpine'
 )
 declare -A extras=(
 [apache]='\nRUN a2enmod headers rewrite remoteip ;\\\n {\\\n echo RemoteIPHeader X-Real-IP ;\\\n echo RemoteIPTrustedProxy 10.0.0.0/8 ;\\\n echo RemoteIPTrustedProxy 172.16.0.0/12 ;\\\n echo RemoteIPTrustedProxy 192.168.0.0/16 ;\\\n } > /etc/apache2/conf-available/remoteip.conf;\\\n a2enconf remoteip'
+ [apache-unprivileged]='\nRUN a2enmod headers rewrite remoteip ;\\\n {\\\n echo RemoteIPHeader X-Real-IP ;\\\n echo RemoteIPTrustedProxy 10.0.0.0/8 ;\\\n echo RemoteIPTrustedProxy 172.16.0.0/12 ;\\\n echo RemoteIPTrustedProxy 192.168.0.0/16 ;\\\n } > /etc/apache2/conf-available/remoteip.conf;\\\n a2enconf remoteip\n\nRUN set -ex; \\\n sed -i "s/Listen 80/Listen 8080/" /etc/apache2/ports.conf; \\\n sed -i "s/VirtualHost *:80/VirtualHost *:8080/" /etc/apache2/sites-available/*.conf\n\nEXPOSE 8080'
 [fpm]=''
+ [fpm-unprivileged]=''
 [fpm-alpine]=''
+ [fpm-alpine-unprivileged]=''
 )
 declare -A crontab_int=(
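Review bot: The cron service in the second stack.yml hunk is moved to `nextcloud:unprivileged` as well, but its command is outside the hunk and not in this diff, and cron daemons generally need root to run jobs on behalf of www-data; please confirm that the cron entrypoint actually starts under the `USER www-data` the unprivileged image sets, or keep that service on the privileged tag. The app service's `8080:8080` mapping in the first hunk is consistent with the `Listen 8080` rewrite in update.sh's apache-unprivileged extras.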
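Review bot: In the `cmd` array the two added entries repeat the existing keys `[fpm]` and `[fpm-alpine]` instead of introducing the new variants, so `${cmd[$variant]}` expands to an empty string for fpm-unprivileged and fpm-alpine-unprivileged and the generated Dockerfile ends with `CMD [""]`; they should read `[fpm-unprivileged]='php-fpm'` and `[fpm-alpine-unprivileged]='php-fpm'`, matching what `base` and `extras` do (bash keeps the last duplicate assignment, so the privileged fpm builds still pass and would not reveal this). Separately, in the apache-unprivileged extras the pattern in `sed -i "s/VirtualHost *:80/VirtualHost *:8080/"` is a regular expression in which `*` does not stand for itself — it matches `VirtualHost`, optional spaces, `:80` — so the usual `<VirtualHost *:80>` directive is never rewritten and, with ports.conf switched to 8080, the vhost is silently left on :80. The asterisk should be escaped in the resulting Dockerfile (`VirtualHost \*:80`), which presumably means writing it as `\\*` in this string, the same way the `\\\n` sequences already double their backslashes.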
@@ -74,8 +92,11 @@ declare -A pecl_versions=(
 variants=(
 apache
+ apache-unprivileged
 fpm
+ fpm-unprivileged
 fpm-alpine
+ fpm-alpine-unprivileged
 )
 min_version='17.0'
@@ -114,10 +135,16 @@ function create_variant() {
 echo "updating $fullversion [$1] $variant"
+ if [[ "$variant" == *-unprivileged ]]; then
+ unprivileged_user="\nUSER www-data\n"
+ else
+ unprivileged_user=""
+ fi
+
 # Replace the variables.
 sed -ri -e '
 s/%%PHP_VERSION%%/'"$phpVersion"'/g;
- s/%%VARIANT%%/'"$variant"'/g;
+ s/%%VARIANT%%/'"${image_tag[$variant]}"'/g;
 s/%%VERSION%%/'"$fullversion"'/g;
 s/%%BASE_DOWNLOAD_URL%%/'"$2"'/g;
 s/%%CMD%%/'"${cmd[$variant]}"'/g;
@@ -125,8 +152,9 @@ function create_variant() {
 s/%%APCU_VERSION%%/'"${pecl_versions[APCu]}"'/g;
 s/%%MEMCACHED_VERSION%%/'"${pecl_versions[memcached]}"'/g;
 s/%%REDIS_VERSION%%/'"${pecl_versions[redis]}"'/g;
- s/%%IMAGICK_VERSION%%/'"${pecl_versions[imagick]}"'/g;
- s/%%CRONTAB_INT%%/'"$crontabInt"'/g;
+ s/%%IMAGICK_VERSION%%/'"${pecl_versions[imagick]}"'/g;
+ s/%%CRONTAB_INT%%/'"$crontabInt"'/g;
+ s/%%USER%%/'"$unprivileged_user"'/g;
 ' "$dir/Dockerfile"
 case "$phpVersion" in
@@ -165,7 +193,7 @@ function create_variant() {
 cp -rT .config "$dir/config"
 # Remove Apache config if we're not an Apache variant.
- if [ "$variant" != "apache" ]; then
+ if [ "$variant" != "apache" ] && [ "$variant" != "apache-unprivileged" ]; then
 rm "$dir/config/apache-pretty-urls.config.php"
 fi
 }
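Review bot: The condition in the last hunk hard-codes both apache variant names, while the `image_tag` map introduced earlier in this commit already collapses each unprivileged name to its base flavour; `if [ "${image_tag[$variant]}" != "apache" ]; then` expresses the same rule and will not need editing when a further apache-* variant is added. This is a style point only — the new condition is correct for the six variants declared in the `variants` array.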