Running apache2 as www-data #190

Closed
wants to merge 2 commits into from

deekthesqueak

Changes Apache ports to be outside of restrictive port range to allow apache-foreground to be run as www-data and not root.

… apache-foreground to be run as www-data and not root.
@yosifkit
Member

As this could break current users' deployments I would be hesitant to change. The current configuration is the same as most default Linux installs; it is the accepted way for Apache/httpd to drop permissions itself. The process running as root does not handle requests, so a remote user cannot use it to gain root access. There is further discussion on askubuntu.com.

In docker 1.10, you can use the user namespaces to change which user "container root" maps to.

@tianon
Member

tianon commented Apr 5, 2017

I think this one is already about as decent as we can be without breaking backwards compatibility -- with some minor configuration changes, -u www-data should work as-is (since Apache will just warn if it can't change to the user requested in the configuration, at most):

```dockerfile
FROM php:7-apache
RUN sed -i 's/80/8080/g' /etc/apache2/sites-available/000-default.conf /etc/apache2/ports.conf
USER www-data
```

```console
$ docker build .
Sending build context to Docker daemon 2.048 kB
Step 1/3 : FROM php:7-apache
 ---> bc943f239a7f
Step 2/3 : RUN sed -i 's/80/8080/g' /etc/apache2/sites-available/000-default.conf /etc/apache2/ports.conf
 ---> Running in 84c37c1db043
 ---> 94d6861d578a
Removing intermediate container 84c37c1db043
Step 3/3 : USER www-data
 ---> Running in 2ce018e8363d
 ---> 87926a4f33dc
Removing intermediate container 2ce018e8363d
Successfully built 87926a4f33dc
$ docker run -it --rm 87926a4f33dc
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.17. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.17. Set the 'ServerName' directive globally to suppress this message
[Wed Apr 05 19:33:14.218299 2017] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.10 (Debian) PHP/7.1.0 configured -- resuming normal operations
[Wed Apr 05 19:33:14.218348 2017] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
```

Thanks for the contribution and discussion! ❤️
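
A check to run alongside the Dockerfile in the comment above, added here as an example and not part of the pull request or the image's own code: it lists every `Listen` and `<VirtualHost>` port below 1024 (the restricted range the pull request moves Apache out of) in an Apache config. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Apache Listen / <VirtualHost> ports below 1024, the
# privileged range that the thread avoids so apache2 can start as www-data.

# privileged_ports [FILE...]: reads Apache config from FILEs (or stdin) and
# prints "line N: PORT" for each port below 1024. It does not evaluate
# <IfModule> conditions, so a hit inside one only matters if that module loads.
privileged_ports() {
    awk '
        function report(p) {
            if (p ~ /^[0-9]+$/ && p + 0 < 1024) print "line " FNR ": " p
        }
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "listen" {                # Listen 80 | Listen 1.2.3.4:80 | Listen [::]:443 https
            port = $2; sub(/.*:/, "", port); report(port)
        }
        tolower($1) == "<virtualhost" {          # <VirtualHost *:80 [::1]:80>
            for (i = 2; i <= NF; i++) {
                addr = $i; sub(/>$/, "", addr)
                if (addr ~ /:[0-9]+$/) { sub(/.*:/, "", addr); report(addr) }
            }
        }
    ' "$@"
}

# Constructed sample, modelled on a Debian-style ports.conf plus default vhost.
sample_config() {
    cat <<'EOF'
# constructed sample config
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>
<VirtualHost *:80>
    DocumentRoot /var/www/html
</VirtualHost>
EOF
}

echo "before:"
sample_config | privileged_ports
echo "after the sed substitution from the thread:"
sample_config | sed 's/80/8080/g' | privileged_ports
```

On the sample, the substitution from the thread clears both port 80 entries and leaves the `Listen 443` inside `<IfModule ssl_module>`, which only takes effect if that module is enabled.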
