---------------------------------------------------------------------------------------------------------------
FROM ubuntu:24.04
EXPOSE 80
EXPOSE 443
RUN \
sed -i 's/# \(.*multiverse$\)/\1/g' /etc/apt/sources.list && \
apt-get update && \
apt-get -y upgrade && \
apt-get install -y build-essential && \
apt-get install -y software-properties-common && \
apt-get install -y byobu curl git htop man unzip vim wget && \
rm -rf /var/lib/apt/lists/*
# update the repository sources list
# and install dependencies
RUN apt-get update \
&& apt-get install -y curl \
&& apt-get -y autoclean
RUN mkdir /client_ssl
RUN apt-get install -y mc
RUN apt install mariadb-client -y
RUN apt install mysql-client -y
RUN apt-get install -y lynx # needed by mc F3
RUN apt-get install -y pkg-config # needed by watchman
RUN apt-get install -y wget
RUN apt-get install -y gpg-agent wget
RUN apt-get update
RUN apt install -y zlib1g-dev supervisor
RUN apt install -y apache2 php libapache2-mod-php php-mysql php-ctype php-curl
RUN apt install -y php-dom php-fpm php-gd php-intl php-mbstring php-opcache
RUN apt install -y php-phar php-xml php-xmlreader php-zip php-fileinfo php-iconv php-imagick
# ENTRYPOINT ["/usr/sbin/apache2ctl", "start"]
CMD ["apache2ctl", "-DFOREGROUND"]
-----------------------------------------------------------------------------------------------------------
I am glad it runs Apache and PHP. However, it is running them as root. So my question is: how can this be avoided, so that I can still run websites and PHP code without problems, but as non-root? The installation of Apache creates the user www-data. Should I use this user or another one? How?
If you are talking about safety, don’t install anything in the container that the process in it doesn’t need. For example a midnight commander and a text-based web browser. Everything you install is a potential security risk basically. And it doesn’t mean it is very likely to go wrong, but that is a general rule if you want a secure container even if you don’t run the process as root.
Regarding the user that owns the process, it mainly depends on the httpd server configuration. You need to configure it to save the pid file to somewhere where the user has write permission. Logs would normally go to the standard output and error streams, but if there is anything that the server writes to the filesystem, that has to be configured to write it to a folder which is writable by the user.
Since you installed Apache HTTPD without using the official httpd image, I assume you are familiar with Apache HTTPD. Since I don’t frequently configure it recently, I assume you can find the related config parameters. But something like PidFile should be the first you configure.
As far as I remember, if you start httpd as non-root, it won’t try to run its threads as another user, so you probably don’t even need to change that in the config file, but maybe I just remember the PHP FPM configuration. Which you also have in the container.
Frankly, I would run Apache httpd and PHP FPM in separate containers or use Apache HTTPD with the PHP module without FPM. (I didn’t notice @bluepuma77’s post before sending mine, but I agree)
There are other, not security related issues with the Dockerfile which I won’t write about here to keep the topic clean, but in short: you should follow the same logic in the second half of the Dockerfile as in the first.
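Putting the advice above together (minimal package set, writable pid/lock/log directories, logs to stdout/stderr, USER www-data), here is an added example Dockerfile that is not from the original post or from any official image. It assumes the Debian/Ubuntu apache2 package layout, where apache2ctl reads /etc/apache2/envvars, and a hypothetical ./site/ directory next to the Dockerfile holding the PHP code.

```dockerfile
FROM ubuntu:24.04

# Install only what the web server process needs: no shells, editors or file managers.
RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      apache2 libapache2-mod-php php-mysql php-gd php-mbstring php-xml \
 && rm -rf /var/lib/apt/lists/*

# apache2ctl sources /etc/apache2/envvars, which sets APACHE_PID_FILE under
# /var/run/apache2 plus APACHE_RUN_DIR, APACHE_LOCK_DIR and APACHE_LOG_DIR.
# When the server is started as www-data instead of root, every one of those
# directories must already exist and be writable by www-data.
RUN mkdir -p /var/run/apache2 /var/lock/apache2 /var/log/apache2 \
 && chown -R www-data:www-data /var/run/apache2 /var/lock/apache2 /var/log/apache2

# Send the access and error logs to the container's stdout/stderr instead of files.
RUN ln -sf /dev/stdout /var/log/apache2/access.log \
 && ln -sf /dev/stderr /var/log/apache2/error.log

# An unprivileged user cannot count on being allowed to bind port 80 on every
# runtime, so listen on 8080 and publish it from the host with -p 80:8080.
RUN sed -i 's/^Listen 80$/Listen 8080/' /etc/apache2/ports.conf \
 && sed -i 's/:80>/:8080>/' /etc/apache2/sites-available/000-default.conf

# The web root stays root-owned and read-only for www-data, so PHP code that is
# compromised at runtime cannot rewrite the site. Only a dedicated upload
# directory (assumed layout) is writable by the server user.
COPY --chown=root:root ./site/ /var/www/html/
RUN mkdir -p /var/www/html/uploads \
 && chown www-data:www-data /var/www/html/uploads

EXPOSE 8080
# From here on everything, including the main httpd process, runs as www-data;
# Apache skips its own user switch when it is not started as root.
USER www-data
CMD ["apache2ctl", "-DFOREGROUND"]
```

Verify with `docker exec <container> ps -o user,comm` that no apache2 process is owned by root.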