Made PHP run under the PHP user for added security

eXistenZNL · eXistenZNL · commit 1e1bbaab8823 · 2017-05-16T23:50:25.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
+files/s6-overlay
 .idea
diff --git a/Dockerfile-5.6 b/Dockerfile-5.6
@@ -7,7 +7,10 @@ RUN apk -U upgrade && apk add \
     nginx \
     php5 \
     php5-fpm \
-    && rm -rf /var/cache/apk/*
+    && rm -rf /var/cache/apk/* \
+    && addgroup -S php \
+    && adduser -S -G php php
+
 
 COPY files/s6-overlay files/general files/php5 /
 
diff --git a/Dockerfile-7.0 b/Dockerfile-7.0
@@ -7,7 +7,9 @@ RUN apk -U upgrade && apk add \
     nginx \
     php7 \
     php7-fpm \
-    && rm -rf /var/cache/apk/*
+    && rm -rf /var/cache/apk/* \
+    && addgroup -S php \
+    && adduser -S -G php php
 
 COPY files/s6-overlay files/general files/php7 /
 
diff --git a/Dockerfile-7.1 b/Dockerfile-7.1
@@ -7,7 +7,9 @@ RUN apk -U upgrade && apk add \
     nginx \
     php7 \
     php7-fpm \
-    && rm -rf /var/cache/apk/*
+    && rm -rf /var/cache/apk/* \
+    && addgroup -S php \
+    && adduser -S -G php php
 
 COPY files/s6-overlay files/general files/php7 /
 
diff --git a/Makefile b/Makefile
@@ -1,9 +1,10 @@
 .PHONY: build up clean
 
 build:
-	mkdir files/s6-overlay
-	wget -P /tmp https://github.com/just-containers/s6-overlay/releases/download/v1.19.1.1/s6-overlay-amd64.tar.gz
-	gunzip -c /tmp/s6-overlay-amd64.tar.gz | tar -xf - -C files/s6-overlay
+	test -d files/s6-overlay || mkdir files/s6-overlay
+	test -f files/s6-overlay/init || wget -P /tmp https://github.com/just-containers/s6-overlay/releases/download/v1.19.1.1/s6-overlay-amd64.tar.gz
+	test -f files/s6-overlay/init || gunzip -c /tmp/s6-overlay-amd64.tar.gz | tar -xf - -C files/s6-overlay
+	rm -f s6-overlay-amd64.tar.gz
 	docker build -t existenz/webstack:5.6 -f Dockerfile-5.6 .
 	docker build -t existenz/webstack:7.0 -f Dockerfile-7.0 .
 	docker build -t existenz/webstack:7.1 -f Dockerfile-7.1 .
@@ -28,6 +29,6 @@ clean:
 	docker rmi existenz/webstack:7.1
 
 test:
-	docker ps | grep webstack_56 | grep -q healthy
-	docker ps | grep webstack_70 | grep -q healthy
-	docker ps | grep webstack_71 | grep -q healthy
+	docker ps | grep webstack_56 | grep -q "(healthy)"
+	docker ps | grep webstack_70 | grep -q "(healthy)"
+	docker ps | grep webstack_71 | grep -q "(healthy)"
diff --git a/files/php5/etc/php5/php-fpm.conf b/files/php5/etc/php5/php-fpm.conf
@@ -5,8 +5,8 @@ log_level = notice
 daemonize  = no
 
 [www]
-user = root
-group = root
+user = php
+group = php
 listen = 127.0.0.1:9000
 access.log = /proc/self/fd/2
 catch_workers_output = yes
diff --git a/files/php7/etc/php7/php-fpm.conf b/files/php7/etc/php7/php-fpm.conf
@@ -5,8 +5,8 @@ log_level = notice
 daemonize  = no
 
 [www]
-user = root
-group = root
+user = php
+group = php
 listen = 127.0.0.1:9000
 access.log = /proc/self/fd/2
 catch_workers_output = yes
