From 32305b4d3a306e72ab62a823bf2eeac621d58885 Mon Sep 17 00:00:00 2001
From: thylong
Date: Wed, 27 Dec 2023 17:31:07 +0100
Subject: [PATCH] feat(non-root): run container as non-root with read-only fs

This commit allows any container based on linkstack image to be run as non-root with apache user and limit to RO the filesystem permissions. Ensuring a much more secured runtime.
---
 Dockerfile | 5 +++++
 configs/apache2/httpd.conf | 6 ++++++
 docker-compose.yml | 4 +++-
 docker-entrypoint.sh | 3 +++
 4 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index c64320a..ef6f116 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -42,12 +42,17 @@ COPY configs/apache2/httpd.conf /etc/apache2/httpd.conf
 COPY configs/apache2/ssl.conf /etc/apache2/conf.d/ssl.conf
 COPY configs/php/php.ini /etc/php8.2/php.ini
+RUN chown apache:apache /etc/ssl/apache2/server.pem
+RUN chown apache:apache /etc/ssl/apache2/server.key
+
 RUN chown -R apache:apache /htdocs
 RUN find /htdocs -type d -print0 | xargs -0 chmod 0755
 RUN find /htdocs -type f -print0 | xargs -0 chmod 0644
 COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/
+USER apache:apache
+
 HEALTHCHECK CMD curl -f http://localhost -A "HealthCheck" || exit 1
 # Set console entry path
diff --git a/configs/apache2/httpd.conf b/configs/apache2/httpd.conf
index 07611bf..7339f53 100644
--- a/configs/apache2/httpd.conf
+++ b/configs/apache2/httpd.conf
@@ -487,3 +487,9 @@ LogLevel ${LOG_LEVEL}
 # IncludeOptional /etc/apache2/conf.d/*.conf
 AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/javascript application/json
+ #
+ # The PidFile directive sets the file to which the server records the
+ # process id of the daemon. If the filename is not absolute, then it
+ # is assumed to be relative to the ServerRoot.
+PidFile /htdocs/httpd.pid
diff --git a/docker-compose.yml b/docker-compose.yml
index 75bba42..c3c6eda 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
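Review bot: The two `RUN chown apache:apache` lines on server.pem and server.key make the private key owned by the runtime user but leave its mode exactly as the key was generated, so if that mode is 0644 every process in the container can still read it; tighten it in the same step and fold the two layers into one, `RUN chown apache:apache /etc/ssl/apache2/server.pem /etc/ssl/apache2/server.key && chmod 0400 /etc/ssl/apache2/server.key`. Switching to `USER apache:apache` also means httpd no longer starts as root, so it can bind ports below 1024 only on runtimes that relax `ip_unprivileged_port_start` (Docker Engine 20.10+ does by default, Kubernetes does not); the Listen directives are outside this hunk, but if they are still 80/443 as the compose port mapping suggests, either move them above 1024 or document that the image needs CAP_NET_BIND_SERVICE. A short comment above the `USER` line stating both constraints, e.g. `# Runs unprivileged: key/cert must be apache-readable and Listen ports must be >1024 unless CAP_NET_BIND_SERVICE is granted`, would save the next reader the investigation.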
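Review bot: `PidFile /htdocs/httpd.pid` places the PID file inside the web tree, where it can be served to clients if the DocumentRoot/Directory rules (not in this hunk) cover /htdocs, and it forces the document root to stay writable at runtime, which works against the read-only filesystem the commit message aims for. A location outside the web root that can be a tmpfs at runtime is the usual choice, `PidFile /run/apache2/httpd.pid` with a matching `RUN mkdir -p /run/apache2 && chown apache:apache /run/apache2` in the Dockerfile, after which the root filesystem can be mounted read-only with a tmpfs on /run. The comment block added above the directive is the stock description from the default httpd.conf; a one-line note on why the location was changed (presumably the default PID directory is not writable by the apache user) would explain the choice better.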
@@ -17,11 +17,13 @@ services:
 ports:
 - '8080:80'
 - '8081:443'
+ restart: unless-stopped
+ user: apache:apache
+ # read_only: true
 depends_on:
 - mysql
 links:
 - mysql
- restart: unless-stopped
 mysql:
 image: mysql:8
 environment:
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 56fb8df..8e9a50f 100644
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -35,6 +35,9 @@ echo '+ ------------------------------------------------------------------ +'
 # | -- MISC -- | #
 # + ---------- + #
+# Apache gets grumpy about PID files pre-existing
+rm -f /htdocs/httpd.pid
+
 echo '| ------------------------------------------------------------------ |'
 echo '| Running Apache |'
 echo '+ ------------------------------------------------------------------ +'
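Review bot: `# read_only: true` is added commented out, so the compose file only applies the non-root `user:`; nothing enforces the read-only filesystem that the commit subject announces, and a reader cannot tell whether enabling it is unsafe or merely untested. If it cannot be turned on yet, the comment should say what still needs a writable path, e.g. `# read_only: true  # TODO: needs tmpfs for the PID file, Apache lock/log dirs and /tmp before enabling`, so the remaining work is visible. `user: apache:apache` also relies on the name resolving in the image's /etc/passwd; a numeric `uid:gid` is the form runtimes verify (Kubernetes runAsNonRoot, for example) and keeps working if a base-image change renames the account.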
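Review bot: `rm -f /htdocs/httpd.pid` deletes the PID file unconditionally, which defeats Apache's own "already running" check if the entrypoint is re-run while an httpd is still up (a `docker exec` of the script, for instance), and `-f` also hides a failed removal on a read-only /htdocs, which then surfaces later as an opaque Apache start error. A stale-only removal keeps the intent and fails loudly otherwise: `if [ -f /htdocs/httpd.pid ] && ! kill -0 "$(cat /htdocs/httpd.pid)" 2>/dev/null; then rm /htdocs/httpd.pid; fi`. The comment could also state why the file survives restarts at all (presumably /htdocs is a persisted volume), since that is the actual reason this step exists. The rest of the script lies outside the hunk.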