Open damienfern opened 1 week ago
Hi, @damienfern
I'm also interested in this question!
For now I'm using the following edits to run FrankenPHP as the built-in user `www-data`.
@@ -53,8 +53,9 @@
fi
fi
- setfacl -R -m u:www-data:rwX -m u:"$(whoami)":rwX var
- setfacl -dR -m u:www-data:rwX -m u:"$(whoami)":rwX var
+ chgrp -R www-data var /data /config
+ setfacl -R -m u:www-data:rwX -m u:"$(whoami)":rwX var /data /config
+ setfacl -dR -m u:www-data:rwX -m u:"$(whoami)":rwX var /data /config
fi
-exec docker-php-entrypoint "$@"
+su -c "docker-php-entrypoint $*" -s '/bin/sh' 'www-data'
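Review bot: the replacement last line, `su -c "docker-php-entrypoint $*" ...`, flattens the entrypoint's arguments with `$*` into one string that the inner `/bin/sh` re-parses, so any argument containing whitespace or shell metacharacters is split or interpreted differently from the original `exec docker-php-entrypoint "$@"`. It also drops `exec`, so the root shell script stays alive as the parent process and is what receives the container's stop signal instead of FrankenPHP. A form that keeps both the argument list and the process replacement is `exec gosu www-data docker-php-entrypoint "$@"` (if gosu is installed), or with util-linux `su`: `exec su -s /bin/sh www-data -c 'exec docker-php-entrypoint "$@"' sh "$@"`. In the two `setfacl` lines, `/data` and `/config` are appended unconditionally; if either directory does not exist the command fails, so create them first or guard them with a test. The added `chgrp -R www-data` is redundant with the `u:www-data:rwX` ACL entries unless something relies on group ownership.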
With this edit the container still runs as `root`, but FrankenPHP runs as `www-data`.
I'm not sure if this is the correct way, but in my case it works so far.
I would also be glad if this template contained information about a more correct way to run the container not as a privileged user.
Modifying the Dockerfile like this should help: https://frankenphp.dev/docs/docker/#running-as-a-non-root-user
A doc PR explaining how to change this template to run as a non-root user is very welcome, however, we'll not do that by default, because this causes many issues.
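What the linked docs describe, in Dockerfile form, as an added example that is not part of this thread or of the symfony-docker template: the unprivileged account is created at build time, the FrankenPHP binary is given only the capability it needs to bind ports 80 and 443, the Caddy state directories are handed to that account, and `USER` switches before the entrypoint runs. The user name and UID, the binary path `/usr/local/bin/frankenphp`, and the `/data/caddy` and `/config/caddy` paths are assumptions to check against your base image.

```dockerfile
# Added example: run FrankenPHP as an unprivileged user.
# Assumptions: the binary lives at /usr/local/bin/frankenphp and Caddy writes
# its state to /data/caddy and /config/caddy (XDG_DATA_HOME / XDG_CONFIG_HOME).
FROM dunglas/frankenphp

ARG APP_USER=appuser
ARG APP_UID=1000

# Create the unprivileged account (name and UID are placeholders).
RUN useradd --uid ${APP_UID} --create-home ${APP_USER} \
    # Allow binding to ports 80/443 without root, instead of keeping all root privileges.
    && setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/frankenphp \
    # Caddy needs to write its certificates, locks and autosaved config here.
    && chown -R ${APP_USER}:${APP_USER} /data/caddy /config/caddy

# Everything from here on, including the entrypoint at run time, executes as APP_USER.
USER ${APP_USER}
```

Anything copied into the image before the `USER` line stays root-owned, which is fine for read-only code but not for directories the application writes to (`var/` in a Symfony app); those must be owned by, or ACL-granted to, the same account, which is the part the entrypoint's `setfacl` calls take care of.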
Hi,
Thx for this template, very useful! :pray:
Many resources suggest using an unprivileged user in containers in order to prevent privilege escalation attacks (e.g. OWASP https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-2-set-a-user or Docker docs https://docs.docker.com/build/building/best-practices/#user).
It seems it's not the case in this template with FrankenPHP, and based on its docs, FrankenPHP can be used with an unprivileged user. Is it on purpose, or is it a feature that can be added to this template?