Question 264719 in PHP Question posted in
Official manual can be found here.

Docker: NGINX and PHP: Why change the default user/group?

I started learning about Docker and setting up NGINX and PHP. I looked at some examples and saw the following example: https://github.com/aschmelyun/lc-the-docker-tutorial/blob/main/nginx.dockerfile

There are two dockerfiles, one for NGINX (nginx.dockerfile):

FROM nginx:stable-alpine

ENV NGINXUSER=laravel
ENV NGINXGROUP=laravel

RUN mkdir -p /var/www/html/public

ADD nginx/default.conf /etc/nginx/conf.d/default.conf

RUN sed -i "s/user www-data/user ${NGINXUSER}/g" /etc/nginx/nginx.conf

RUN adduser -g ${NGINXGROUP} -s /bin/sh -D ${NGINXUSER}

and one for PHP (php.dockerfile):

FROM php:8-fpm-alpine

ENV PHPGROUP=laravel
ENV PHPUSER=laravel

RUN adduser -g ${PHPGROUP} -s /bin/sh -D ${PHPUSER}

RUN sed -i "s/user = www-data/user = ${PHPUSER}/g" /usr/local/etc/php-fpm.d/www.conf
RUN sed -i "s/group = www-data/group = ${PHPGROUP}/g" /usr/local/etc/php-fpm.d/www.conf

RUN mkdir -p /var/www/html/public

RUN docker-php-ext-install pdo pdo_mysql

CMD ["php-fpm", "-y", "/usr/local/etc/php-fpm.conf", "-R"]

In both cases new user & group are created (user laravel assigned to the group laravel), and then using sed command config files are modified:

  • For NGINX it replaces all occurrences of the user www-data with laravel in /etc/nginx/nginx.conf;
  • For PHP it does a similar thing: It replaces occurrences of user & group www-data with laravel.

3 interrelated questions:

Question 1: Does this mean that NGINX and PHP (I guess just FPM, and CLI will not be there because it pulls php:8-fpm-alpine base image from Docker Hub which doesn’t include CLI, right?) will run as the laravel user inside containers? (If yes, please also look at Question 3).

Question 2: Is there any practical reason to change the default user for NGINX and PHP-FPM, as in the examples above?

Question 3: In php.dockerfile at the end there’s this command:

CMD ["php-fpm", "-y", "/usr/local/etc/php-fpm.conf", "-R"]

I searched on Stackoverflow what this -R means, and I found the following answer: https://stackoverflow.com/a/49178410/4437206
If I understand correctly, this means that PHP-FPM will run as root? If so, then it will not run as the laravel user we added and therefore, what’s the point of adding the laravel user?

Tags:

2

Answers


  1. 0
    1. Yes.
    2. Running things as root inside of a container is still bad as root can and does have the ability to leverage exploits to escape the container. With non-root users this is much closer to impossible.
    3. -R just stops FPM from complaining about it, it does not actually change who is executing it.
    Login or Signup to reply.
  2. 0

    If you are going to run your images from an orchestrator (like kubernetes or openshift) running in unprivileged mode, you are not allowed to run processes as some user uids. The same applies for ports.

    Nginx’s root process always needs to starts as a root user, while it spawns child processes as the user you have provided. That’s why there are unprivileged nginx images that fixes that. Php-fpm doesn’t work like that, it just starts as the user stated in the Dockerfile or stated by the orchestrator.

    And it’s always a bad practice to run processes in your image as root, since the kernel of the host is available inside the container. If somebody get access to the shell of your running image, they will have access to the kernel and basically the entire host.

    The same applies for ports, every listener on ports 1 to 1000 need to be bound by root. All the other ports from 1001 to 65535 don’t. That’s why you often see nginx port configuration on port 8080 and 8443.

    To answer your last question, php-fpm -R is used to allow child processes to run as root, not to start as root.

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search