Address default permissions with webuser or www-data users #253
Personally I don't care if a What is important for me is the ability to remap the UID and GID of whatever user is running PHP-FPM. I frequently run containers from multiple users that do not have root/sudo access, so having this control is critical to ensuring those users have permissions to directories/files that are bind-mounted into the container.
Personally I would prefer to use the defaults. I had been trying to switch our Silverstripe sites which are using default PHP images to use the serversideup v2 images and it created a bit of a headache trying to change the user or convert mounted file system permissions. Alternatively, if the default was changed, an option to revert back to defaults or set the PHP user via an env variable would be handy. Love the work you're doing!
I prefer to use the defaults too, with the ability to change the UID/GID.
I believe that regardless of whether you use Therefore, it's best to use the default user:group of the base OS and allow users to modify it according to their project setup. Avoid hard-coding UID:GID unless you're certain that processes in your container don't share any data with other containers. That's my personal perspective when initializing Docker containers.
Thanks for your feedback everyone. I am leaning to NOT add a 👉 My new, but related question
This is why I created
Use case
It's nice to have a shell when I need to run
Is adding a shell to www-data a good idea? Do you feel it is secure to do this? Thoughts?
Think of Even if the cafeteria worker is honest, now a bad guy could trick or bribe them to get the keys and access to the whole school. Or if the cafeteria worker makes a mistake, the bad guy could get the keys and make a copy. The It's safer to give users and programs only the access they absolutely have to have. That way there's less risk if one gets compromised. The cafeteria worker doesn't need keys to the chem lab, and
Thanks @shinsenter! I greatly appreciate your feedback. You and I are definitely on the same page. I highly respect your opinion and I love the analogy too 😃 So in finding the balance of security and user experience:
With PHP requiring
One of the approaches for running
Setting the setuid bit on
This is less flexible but simple.
Although this solution would work, this requires a lot of special "know-how" for Laravel developers. I don't think this would be easy enough for most users to have an easy development experience. This is why I was thinking of adding a shell to Having a sudo policy was another thing I was thinking of, but that might add a lot of weight to the docker images. I appreciate any other ideas/feedback if you have any!
I'm confused, probably because of the plethora of new releases lol. I am deriving an image from In any case, this capability is required for building a flexible PHP stack for more reasons than running
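The two technical questions running through the comments above, remapping the PHP-FPM user's UID/GID to match a host user who bind-mounts files, and whether www-data should get a login shell, as an added example that is not part of the serversideup/docker-php project or of anyone's post here. The passwd lines are constructed samples (Debian's www-data is 33:33, Alpine's is 82:82; both ship without a login shell), the host ids 1000:1000 are an assumption, and `remap_plan` only prints the commands so they can be reviewed before `apply_remap` runs them as root at container start.

```shell
#!/bin/sh
# Added example, not code from the docker-php project. Plan (and optionally
# apply) a UID/GID remap of the PHP-FPM user so files bind-mounted from the
# host carry the same numeric ids inside and outside the container.

# CONSTRUCTED sample passwd text; a real entrypoint reads /etc/passwd instead.
DEBIAN_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'
ALPINE_PASSWD='root:x:0:0:root:/root:/bin/ash
www-data:x:82:82:Linux User,,,:/home/www-data:/sbin/nologin'

# passwd_field USER FIELD: reads passwd text on stdin, prints field FIELD of
# USER's line, exits 1 if USER is absent so callers notice a missing account.
passwd_field() {
    awk -F: -v user="$1" -v idx="$2" \
        '$1 == user { print $idx; found = 1 } END { exit found ? 0 : 1 }'
}

current_uid()   { printf '%s\n' "$2" | passwd_field "$1" 3; }
current_gid()   { printf '%s\n' "$2" | passwd_field "$1" 4; }
current_shell() { printf '%s\n' "$2" | passwd_field "$1" 7; }

# has_login_shell USER PASSWD_TEXT: returns 0 only if the account can log in.
# Least-privilege check for the "give www-data a shell?" question: a service
# account left on nologin cannot be used interactively if PHP is compromised.
has_login_shell() {
    case "$(current_shell "$1" "$2")" in
        ''|*/nologin|*/false) return 1 ;;
        *)                    return 0 ;;
    esac
}

# remap_plan USER OLD_UID OLD_GID NEW_UID NEW_GID: print the root commands.
# -o permits a non-unique id so the remap still succeeds when the host id
# already exists in the image. The find/chown fixes files the image created
# under the old ids; -xdev keeps it off bind mounts, which the host already
# owns. Alpine needs the shadow package for usermod/groupmod (busybox lacks them).
remap_plan() {
    user=$1 old_uid=$2 old_gid=$3 new_uid=$4 new_gid=$5
    if [ "$old_uid" = "$new_uid" ] && [ "$old_gid" = "$new_gid" ]; then
        printf '%s\n' "# $user is already $new_uid:$new_gid, nothing to do"
        return 0
    fi
    printf '%s\n' "groupmod -o -g $new_gid $user"
    printf '%s\n' "usermod -o -u $new_uid -g $new_gid $user"
    printf '%s\n' "find / -xdev \\( -user $old_uid -o -group $old_gid \\) -exec chown -h $new_uid:$new_gid {} +"
}

# apply_remap USER NEW_UID NEW_GID: run the plan against the live /etc/passwd.
# Meant for an entrypoint that starts as root and then drops to USER; the
# assumed PUID/PGID values would come from `id -u` / `id -g` on the host.
apply_remap() {
    [ "$(id -u)" = 0 ] || { printf 'apply_remap: must run as root\n' >&2; return 1; }
    passwd_text=$(cat /etc/passwd)
    remap_plan "$1" "$(current_uid "$1" "$passwd_text")" \
                    "$(current_gid "$1" "$passwd_text")" "$2" "$3" | sh -e
}
```

Run `remap_plan www-data 33 33 "$(id -u)" "$(id -g)"` on the host to see what an entrypoint would execute; the plan for an account that already has the target ids is a comment line, so `apply_remap` is idempotent across restarts.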
@jaydrogers As you mentioned, the following command is not working ... So, how can I run Horizon or the task scheduler?
I got it working by implementing this in my dockerfile #287 |
💪 Big Update
We have a PR ready for testing that will dramatically improve container security and developer experience:
📖 Long story, short
🙏 Please help test this
Everything is documented on the PR on how to test:
There is also a significant improvement with running Laravel Queues, Schedulers, etc. in the PR's Preview Documentation site. We will merge this big change soon if we get good feedback 😅🚀
A fix has been released 🥳
These changes are now live in our
Monitor this CI/CD job for the exact moment these changes will be live (takes about an hour to build):
@jaydrogers My Dockerfile:
Discussed in #252

Originally posted by jaydrogers December 5, 2023

Background
webuser was added with an ID of 9999
www-data, but this user ID can change between Debian & Alpine

Request for comment
webuser back? Or should we stick with www-data?

Next steps
At Server Side Up, we're working on other projects that will likely run into some issues relating to this discussion. As we advance on those projects, we will update this discussion as well. Please chime in with your own experiences too.