magento / magento-cloud-docker

Open Software License 3.0

php-fpm executing php-scripts as root #373

Open psy0rz opened 1 week ago

psy0rz commented 1 week ago

See https://github.com/magento/magento-cloud-docker/blob/develop/images/php/8.3-fpm/etc/php-fpm.conf#L6

There is no user directive, so by default php-fpm will try to run as root, which is allowed since the -R flag is used: https://github.com/magento/magento-cloud-docker/blob/develop/images/php/8.3-fpm/Dockerfile#L151

This in turn can create files as root, like stuff in /app/generated/...

Then when trying to switch to and from developer mode from the cli container (as user www), you will get permission issues.

Very strange that this is the default for an official Magento container; it has to be a bug, right?

psy0rz commented 1 week ago

So the correct file should have the user = www directive, like this:

[global]

error_log = /proc/self/fd/2
daemonize = no

[www]

user = www

; if we send this to /proc/self/fd/1, it never appears
access.log = /proc/self/fd/2

listen = [::]:9000

pm = dynamic
pm.max_children = 10
pm.start_servers = 4
pm.min_spare_servers = 2
pm.max_spare_servers = 6
pm.status_path = /status

clear_env = no

env[MAGE_MODE] = $MAGENTO_RUN_MODE

; Ensure worker stdout and stderr are sent to the main error log.
catch_workers_output = yes
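A small audit for the two symptoms this issue describes, added here as an example and not part of magento-cloud-docker: it reads the effective `user` of a php-fpm pool from a config file (reporting `root` when the directive is absent, which is what happens under `-R`) and counts files under a directory that are not owned by the expected runtime user. It assumes a POSIX sh with `awk` and `find`; the function names and the sample configs in the usage are constructed for this example.

```sh
#!/bin/sh
# Audit helpers for the php-fpm-as-root problem (example code, constructed here).

# Print the effective user of a pool (default: www) in a php-fpm config file.
# With no `user` directive the master never drops privileges for that pool's
# workers when started with -R, so the fallback answer is "root".
fpm_pool_user() {
    config="$1"; pool="${2:-www}"
    awk -v pool="$pool" '
        /^[[:space:]]*\[/ {                 # section header such as [www] or [global]
            hdr = $0
            gsub(/\[|\]|[[:space:]]/, "", hdr)
            in_pool = (hdr == pool)
        }
        in_pool && /^[[:space:]]*user[[:space:]]*=/ {
            sub(/^[[:space:]]*user[[:space:]]*=[[:space:]]*/, "")   # drop the key
            sub(/[[:space:]]*;.*$/, "")                              # drop a trailing ; comment
            sub(/[[:space:]]+$/, "")
            print; found = 1; exit
        }
        END { if (!found) print "root" }
    ' "$config"
}

# Count files under a directory that are NOT owned by the expected runtime
# user (the symptom from the cli container: root-owned files in /app/generated
# that user www can no longer change). 0 means the tree is clean.
count_files_not_owned_by() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Combined check: succeeds only if the pool would run as a non-root user.
audit_fpm() {
    u="$(fpm_pool_user "$1" www)"
    echo "[www] pool runs as: $u"
    [ "$u" != "root" ] && [ "$u" != "0" ]
}

# Usage against an image's config and its generated/ directory:
#   audit_fpm /path/to/php-fpm.conf
#   count_files_not_owned_by /app/generated www
```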