Changed: non-root feature

Dockerfile

@@ -4,6 +4,7 @@ LABEL maintainer="Passbolt SA <contact@passbolt.com>"
 
 ENV PASSBOLT_PKG_KEY=0xDE8B853FC155581D
 ENV PASSBOLT_PKG=passbolt-ce-server
+ENV GNUPGHOME=/var/lib/passbolt/.gnupg
 
 RUN apt-get update \
     && DEBIAN_FRONTEND=non-interactive apt-get -y install \
@@ -17,11 +18,38 @@ RUN apt-get update \
       $PASSBOLT_PKG \
       supervisor
 
+RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
+    && rm /etc/nginx/sites-enabled/default \
+    && sed -i '/user www-data;/d' /etc/nginx/nginx.conf \
+    && sed -i 's,/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
+    && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
+    && sed -i 's,listen = /run/php/php7.3-fpm.sock,listen = 127.0.0.1:9000,' /etc/php/7.3/fpm/pool.d/www.conf \
+    && sed -i 's,unix:/run/php/php7.3-fpm.sock,127.0.0.1:9000,' /etc/nginx/sites-enabled/nginx-passbolt.conf \
+    && sed -i 's,pid = /run/php/php7.3-fpm.pid,pid = /tmp/php7.3-fpm.pid,' /etc/php/7.3/fpm/php-fpm.conf \
+    && sed -i 's,/var/run/supervisor.sock,/tmp/supervisor.sock,' /etc/supervisor/supervisord.conf \
+# nginx user must own the cache and etc directory to write cache and tweak the nginx config
+    #&& chown -R www-data:0 /var/cache/nginx \
+    #&& chmod -R g+w /var/cache/nginx \
+    && chown -R www-data:0 /etc/nginx \
+    && chmod -R g+w /etc/nginx \
+    && mkdir /etc/passbolt/certs \
+    && chown www-data:0 /etc/passbolt/certs \
+    && chown www-data:0 /var/log/supervisor \
+    && chown -R www-data:0 /var/log/nginx \
+    && ln -sf /dev/stdout /var/log/nginx/passbolt-access.log \
+    && ln -sf /dev/stderr /var/log/nginx/passbolt-error.log \
+    && ln -sf /dev/stderr /var/log/passbolt/error.log \
+    && ln -sf /dev/stderr /var/log/php7.3-fpm.log \
+    && chown -R www-data:0 /var/log/supervisor \
+    && touch /var/www/.profile \
+    && chown www-data:www-data /var/www/.profile
 
 COPY conf/supervisor/*.conf /etc/supervisor/conf.d/
 COPY bin/docker-entrypoint.sh /docker-entrypoint.sh
 COPY scripts/wait-for.sh /usr/bin/wait-for.sh
 
-EXPOSE 80 443
+EXPOSE 8080 4443
+
+USER www-data
 
 CMD ["/docker-entrypoint.sh"]

bin/docker-entrypoint.sh

@@ -2,13 +2,14 @@
 
 set -euo pipefail
 
-gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-/var/www/passbolt/config/gpg/serverkey_private.asc}"
-gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-/var/www/passbolt/config/gpg/serverkey.asc}"
+passbolt_base='/usr/share/php/passbolt'
+passbolt_config="/etc/passbolt"
 
-ssl_key='/etc/ssl/certs/certificate.key'
-ssl_cert='/etc/ssl/certs/certificate.crt'
+gpg_private_key="${PASSBOLT_GPG_SERVER_KEY_PRIVATE:-$passbolt_config/gpg/serverkey_private.asc}"
+gpg_public_key="${PASSBOLT_GPG_SERVER_KEY_PUBLIC:-$passbolt_config/gpg/serverkey.asc}"
 
-export GNUPGHOME="/var/lib/passbolt/.gnupg"
+ssl_key="$passbolt_config/certs/certificate.key"
+ssl_cert="$passbolt_config/certs/certificate.crt"
 
 entropy_check() {
   local entropy_avail
@@ -42,7 +43,7 @@ gpg_gen_key() {
 
   entropy_check
 
-  su -c "gpg --homedir $GNUPGHOME --batch --no-tty --gen-key <<EOF
+  gpg --batch --no-tty --gen-key <<EOF
     Key-Type: default
 		Key-Length: $key_length
 		Subkey-Type: default
@@ -52,46 +53,33 @@ gpg_gen_key() {
     Expire-Date: $expiration
     %no-protection
 		%commit
-EOF" -ls /bin/bash www-data
+EOF
 
-  su -c "gpg --homedir $GNUPGHOME --armor --export-secret-keys $key_email > $gpg_private_key" -ls /bin/bash www-data
-  su -c "gpg --homedir $GNUPGHOME --armor --export $key_email > $gpg_public_key" -ls /bin/bash www-data
+  gpg --armor --export-secret-keys "$key_email" > "$gpg_private_key"
+  gpg --armor --export "$key_email" > "$gpg_public_key"
 }
 
 gpg_import_key() {
-  su -c "gpg --homedir $GNUPGHOME --batch --import $gpg_public_key" -ls /bin/bash www-data
-  su -c "gpg --homedir $GNUPGHOME --batch --import $gpg_private_key" -ls /bin/bash www-data
+  gpg  --batch --import "$gpg_public_key"
+  gpg  --batch --import "$gpg_private_key"
 }
 
 gen_ssl_cert() {
   openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
     -subj '/C=FR/ST=Denial/L=Springfield/O=Dis/CN=www.passbolt.local' \
-    -keyout $ssl_key -out $ssl_cert
+    -keyout "$ssl_key" -out "$ssl_cert"
 }
 
 install() {
-  local app_config="/etc/passbolt/app.php"
-
-  if [ ! -f "$app_config" ]; then
-    su -c "cp $app_config/app.default.php $app_config/app.php" -s /bin/bash www-data
-  fi
-
-  if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f  "$app_config/passbolt.php" ]; then
-    gpg_auto_fingerprint="$(su -c "gpg --homedir $GNUPGHOME --list-keys --with-colons ${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com} |grep fpr |head -1| cut -f10 -d:" -ls /bin/bash www-data)"
+  if [ -z "${PASSBOLT_GPG_SERVER_KEY_FINGERPRINT+xxx}" ] && [ ! -f  "$passbolt_config/passbolt.php" ]; then
+    gpg_auto_fingerprint="$(gpg  --list-keys --with-colons "${PASSBOLT_KEY_EMAIL:-passbolt@yourdomain.com}" |grep fpr |head -1| cut -f10 -d:)"
     export PASSBOLT_GPG_SERVER_KEY_FINGERPRINT=$gpg_auto_fingerprint
+    declare -p | grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT > ~/.profile
   fi
 
-  su -c '/usr/share/php/passbolt/bin/cake passbolt install --no-admin' -s /bin/bash www-data || su -c '/usr/share/php/passbolt/bin/cake passbolt migrate' -s /bin/bash www-data && echo "Enjoy! ☮"
+  "$passbolt_base/bin/cake" passbolt install --no-admin || "$passbolt_base/bin/cake" passbolt migrate && echo "Enjoy! ☮"
 }
 
-email_cron_job() {
-  cron_task='/etc/cron.d/passbolt_email'
-  declare -p | grep -Ev 'BASHOPTS|BASH_VERSINFO|EUID|PPID|SHELLOPTS|UID' > /etc/environment
-  if [ ! -f "$cron_task" ]; then
-    echo "* * * * * su -c \"source /etc/environment ; /var/www/passbolt/bin/cake EmailQueue.sender\" -s /bin/bash www-data >> /var/log/cron.log 2>&1" >> $cron_task
-    crontab /etc/cron.d/passbolt_email
-  fi
-}
 
 if [ ! -f "$gpg_private_key" ] && [ ! -L "$gpg_private_key" ] || \
    [ ! -f "$gpg_public_key" ] && [ ! -L "$gpg_public_key" ]; then
@@ -107,6 +95,5 @@ if [ ! -f "$ssl_key" ] && [ ! -L "$ssl_key" ] && \
 fi
 
 install
-email_cron_job
 
 exec /usr/bin/supervisord -n

conf/supervisor/cron.conf

@@ -1,8 +0,0 @@
-[program:cron]
-command=cron -f -l
-autostart=true
-priority=20
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0

conf/supervisor/php.conf

@@ -1,5 +1,5 @@
 [program:php-fpm]
-command=php-fpm -F
+command=php-fpm7.3 -F
 autostart=true
 priority=5
 stdout_logfile=/dev/stdout

docker-compose.yml

@@ -23,8 +23,8 @@ services:
       - /run
     command: ["/usr/bin/wait-for.sh", "-t", "0", "db:3306", "--", "/docker-entrypoint.sh"]
     ports:
-      - 80:80
-      - 443:443
+      - 80:8080
+      - 443:4443
 
 volumes:
   database_volume:

env/passbolt.env

@@ -1,5 +1,5 @@
 # URL
-APP_FULL_BASE_URL=https://passbolt.local
+APP_FULL_BASE_URL=http://passbolt.local
 
 # Database settings
 DATASOURCES_DEFAULT_HOST=db