
PUID/PGID in start.sh no longer passing through #43

@ross-schlegel

@SimonMischenkoHawk

I made a few more changes to the Dockerfile and start.sh to further increase security.
2792c05

  • Hardened Dockerfile permissions: all code files owned by root:www-data (dirs 755, files 644), only uploads/, users/ and metadata/ are writable by www-data (775)
  • .dockerignore entry to exclude the .github directory from build context
  • start.sh:
    • Creates and secures metadata/log for Apache logs
    • Dynamically creates and sets permissions on uploads, users, and metadata directories at startup
  • Apache VirtualHost updated to redirect ErrorLog and CustomLog into /var/www/metadata/log
  • docker: remove symlink add alias for uploads folder

Originally posted by @error311 in #22

Looks like the PR here modified the start.sh script to remove the PUID/PGID components, but the CMD line in the Dockerfile doesn't preserve the usermod/groupmod changes so www-data goes back to 99:100 in the script. I made a quick logging mod locally and got this as the output:

🚀 Running start.sh...
I am: uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu)
Here are your UID: 1000 and GID: 1000
PUID: 1000 PGID: 1000
Here is www-data UID: 99 and GID: 100
chown: changing ownership of '/var/www/metadata/log': Operation not permitted

For reference, I'm setting both PUID and PGID as well as using the -u 1000:1000 directive (in both standalone docker and docker compose). I've also tried every combination of setting/not setting both.

Quick edit: Ideally I would like all mounted directories and files to be owned by 1000:1000.
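As an added example (not the project's start.sh or Dockerfile, and not code posted by anyone in this thread), a startup script that applies PUID/PGID to www-data before handing off to the Dockerfile CMD. Two points it makes explicit: usermod/groupmod and chown both need root, so combining `-u 1000:1000` with PUID/PGID cannot work, which is the `Operation not permitted` above; and remapping with `-o` tolerates a uid that is already taken in the image. The data directory list, the default uid/gid of 33 and the `exec "$@"` hand-off (ENTRYPOINT start.sh, CMD the web server) are assumptions, not something the repository states.

```shell
#!/usr/bin/env bash
# Added example, not the project's start.sh. Assumes: www-data exists, shadow-utils
# (usermod/groupmod) is installed, and the Dockerfile passes the server command as CMD.
set -eu

APP_USER="${APP_USER:-www-data}"
# Writable dirs named in the changelog above; /var/www/metadata/log is the Apache log dir.
DATA_DIRS="${DATA_DIRS:-/var/www/uploads /var/www/users /var/www/metadata /var/www/metadata/log}"

# Print the uid/gid to use: $1 is the PUID/PGID value (may be empty or junk), $2 the default.
# Anything that is not a non-negative integer falls back to the default.
resolve_id() {
  case "${1:-}" in
    ''|*[!0-9]*) printf '%s\n' "$2" ;;
    *)           printf '%s\n' "$1" ;;
  esac
}

# Print "yes" when the account's current uid/gid ($1,$2) differ from the wanted ones ($3,$4).
needs_remap() {
  if [ "$1" -ne "$3" ] || [ "$2" -ne "$4" ]; then echo yes; else echo no; fi
}

# Remap APP_USER to $1:$2. Returns 1 (without touching anything) when not running as root:
# usermod/groupmod/chown all need CAP_CHOWN/CAP_SETUID, so "docker run -u 1000:1000"
# together with PUID/PGID can only ever produce EPERM here.
remap_account() {
  local uid="$1" gid="$2" cur_uid cur_gid
  if [ "$(id -u)" -ne 0 ]; then
    echo "start.sh: running as uid $(id -u), not root; cannot remap $APP_USER to $uid:$gid" >&2
    return 1
  fi
  cur_uid="$(id -u "$APP_USER")"
  cur_gid="$(id -g "$APP_USER")"
  if [ "$(needs_remap "$cur_uid" "$cur_gid" "$uid" "$gid")" = yes ]; then
    # -o allows a duplicate id, e.g. when uid 1000 is already "ubuntu" inside the image.
    groupmod -o -g "$gid" "$APP_USER"
    usermod  -o -u "$uid" -g "$gid" "$APP_USER"
  fi
}

main() {
  local uid gid d
  uid="$(resolve_id "${PUID:-}" 33)"   # 33 = Debian's www-data default (assumption)
  gid="$(resolve_id "${PGID:-}" 33)"
  echo "start.sh: I am $(id); want $APP_USER=$uid:$gid"
  if remap_account "$uid" "$gid"; then
    # Only reachable as root: make every mounted data dir owned by the requested ids,
    # so bind mounts end up as e.g. 1000:1000 on the host. chown -R can be slow on a
    # large uploads/ mount; drop -R if you only need the top-level directories fixed.
    for d in $DATA_DIRS; do
      mkdir -p "$d"
      chown -R "$uid:$gid" "$d"
      chmod 775 "$d"
    done
  fi
  # Hand off to the Dockerfile CMD; Apache drops to www-data itself via User/Group.
  exec "$@"
}

# Run main only when invoked as the container entrypoint, so the functions above can
# also be sourced or tested without remapping anything.
if [ "${0##*/}" = start.sh ]; then
  main "$@"
fi
```

Drop the script in as ENTRYPOINT with the server command as CMD, and set PUID/PGID only; leave `-u` off so the script starts as root and can do the remap.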
