Closed ghost closed 4 years ago
I'll pop this on my to-do list. or if you want it badly then raise a PR and I'll incorporate it.
I can help. How about an easy fpm based image? alpine + fpm. TCP based socket for fpm, internal network for the container with an optional nginx instance (or similar). I would use a reverse proxy but whatever works there.
Take a look at the Dockerfile for some of the linuxserver.io images, they basically do sanity checks in the entrypoint script and change the owner of any tmp or data files and directories, then drop privileges (or do so in the dockerfile).
There is already an FPM image, tagged as fpm-alpine-X.X
It auto builds from here https://github.com/tobybatch/kimai2/tree/master/build/fpm-alpine
Does that help?
Yes, this should help, so far what I see in the fpm image:
I will check what others are doing in similar images, but if you have time, feel free to take a look at some of the linuxserver.io images. There should be some fpm-based ones. I can take a look later and paste some links.
I totally understand the issue, and the technology needed to solve it but I'm a little busy at work right now. If you want to make the changes and raise a PR that would be ideal. Else we'll just need to wait until I get a break from my current projects.
Now runs as www-data
It would be great if these images supported running as an unprivileged user right off the shelf. One potential option to do this is to use a similar RUN entrypoint as the linuxserver.io images use:
https://docs.linuxserver.io/general/understanding-puid-and-pgid
Right now, it should not be too difficult to leverage FPM through a socket which another container or host reverse proxy can use to serve the static content and actual PHP processing. This would significantly enhance the 'default' security of the application, so as long as the container itself is properly initialized and configured, saving major Docker-specific vulnerabilities.
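The PUID/PGID entrypoint pattern described above, written out as an added example (not code from the kimai2 project or from linuxserver.io). It assumes an Alpine image with the `shadow` and `su-exec` packages, a pre-created system user and group `kimai`, and `/opt/kimai/var` as the only writable data directory; ids are validated so an unset or bad value falls back to a default and `0` is never accepted, so the dropped-privilege user can never be root.

```shell
#!/bin/sh
# Added example (hypothetical entrypoint, not the project's own script).
# Assumed: shadow (usermod/groupmod) and su-exec installed, user/group
# "kimai" exists, and the app's writable state lives under /opt/kimai/var.
set -eu

APP_USER="${APP_USER:-kimai}"
APP_GROUP="${APP_GROUP:-kimai}"
DATA_DIRS="${DATA_DIRS:-/opt/kimai/var}"

# A valid id is a non-empty string of digits other than 0 (never map to root).
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        0) return 1 ;;
    esac
    return 0
}

# Resolve requested uid/gid from PUID/PGID, falling back to 1000 when unset
# or invalid. Prints "uid gid" so the caller can capture it.
resolve_ids() {
    uid="${1:-}"; gid="${2:-}"
    valid_id "$uid" || uid=1000
    valid_id "$gid" || gid=1000
    printf '%s %s\n' "$uid" "$gid"
}

# Re-map the unprivileged user to the requested ids, chown only the data
# directories (not the whole image), then drop privileges before exec.
main() {
    ids=$(resolve_ids "${PUID:-}" "${PGID:-}")
    uid=${ids% *}; gid=${ids#* }
    if [ "$(id -u)" -ne 0 ]; then
        exec "$@"   # started with --user already: nothing to remap
    fi
    groupmod -o -g "$gid" "$APP_GROUP"
    usermod -o -u "$uid" -g "$gid" "$APP_USER"
    for d in $DATA_DIRS; do
        [ -d "$d" ] || mkdir -p "$d"
        chown -R "$uid:$gid" "$d"
    done
    exec su-exec "$uid:$gid" "$@"
}

# Only act as an entrypoint when a command (e.g. php-fpm) was passed.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `ENTRYPOINT ["/entrypoint.sh"]` with `CMD ["php-fpm"]`; `docker run -e PUID=1001 -e PGID=1001 ...` then owns the data directory with the host user's ids while php-fpm itself never runs as root.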
:-)