add wodby to www-data group wodby/php#22

ripaelit · Feb 16, 2018 · 87fd17c · 87fd17c
1 parent aaede00
commit 87fd17c
Show file tree

Hide file tree

Showing 23 changed files with 147 additions and 186 deletions.
diff --git a/5.3/Dockerfile b/5.3/Dockerfile
@@ -33,7 +33,7 @@ RUN set -xe; \
     \
 	addgroup -g 1000 -S wodby; \
 	adduser -u 1000 -D -S -s /bin/bash -G wodby wodby; \
-	adduser www-data wodby; \
+	adduser wodby www-data; \
 	sed -i '/^wodby/s/!/*/' /etc/shadow; \
 	echo "PS1='\w\$ '" >> /home/wodby/.bashrc; \
     \
@@ -197,22 +197,19 @@ RUN set -xe; \
     # Add composer bins to $PATH
     su-exec wodby echo "export PATH=/home/wodby/.composer/vendor/bin:${PATH}" > /home/wodby/.profile; \
     \
-    # Script to fix volumes permissions via sudo.
-    echo "chown wodby:wodby ${FILES_DIR} ${APP_ROOT}" > /usr/local/bin/fix-volumes-permissions.sh; \
-    chmod +x /usr/local/bin/fix-volumes-permissions.sh; \
-    \
     # Configure sudoers
     if [[ -n "${PHP_DEV}" ]]; then \
         echo 'wodby ALL=(root) NOPASSWD:SETENV:ALL' > /etc/sudoers.d/wodby; \
     else \
         { \
             echo -n 'wodby ALL=(root) NOPASSWD:SETENV: ' ; \
             echo -n '/usr/local/sbin/php-fpm, ' ; \
+            echo -n '/usr/local/bin/files-import.sh, ' ; \
             echo -n '/usr/local/bin/gen-ssh-keys.sh, ' ; \
-            echo -n '/usr/local/bin/fix-volumes-permissions.sh, ' ; \
+            echo -n '/usr/local/bin/init-volumes.sh, ' ; \
             echo -n '/usr/local/bin/migrate.sh, ' ; \
             echo -n '/usr/sbin/sshd, ' ; \
-            echo "/usr/sbin/crond" ; \
+            echo '/usr/sbin/crond' ; \
         } | tee /etc/sudoers.d/wodby; \
     fi; \
     \
@@ -224,26 +221,30 @@ RUN set -xe; \
         "${APP_ROOT}" \
         "${CONF_DIR}" \
         "${FILES_DIR}/public" \
-        "${FILES_DIR}/private"; \
+        "${FILES_DIR}/private" \
+        "${FILES_DIR}/xdebug/traces" \
+        "${FILES_DIR}/xdebug/profiler" \
+        /home/wodby/.ssh; \
     \
-    chmod 775 "${FILES_DIR}/public" "${FILES_DIR}/private"; \
-    su-exec wodby mkdir /home/wodby/.ssh; \
+    chmod -R 775 "${FILES_DIR}"; \
+    chown -R www-data:www-data "${FILES_DIR}"; \
+    chown -R wodby:wodby \
+        "${APP_ROOT}" \
+        "${CONF_DIR}" \
+        "${PHP_INI_DIR}/conf.d" \
+        /usr/local/etc/php-fpm.d/ \
+        /home/wodby/; \
     \
+    # SSHD
     touch /etc/ssh/sshd_config; \
     chown wodby: /etc/ssh/sshd_config; \
     \
+    # Crontab
     rm /etc/crontabs/root; \
     touch /etc/crontabs/wodby; \
     chown root:wodby /etc/crontabs/wodby; \
     chmod 660 /etc/crontabs/wodby; \
     \
-    chown -R wodby:wodby \
-        /var/www \
-        "${PHP_INI_DIR}/conf.d" \
-        "${FILES_DIR}" \
-        /usr/local/etc/php-fpm.d/ \
-        /home/wodby/.profile; \
-    \
     # Cleanup
     su-exec wodby composer clear-cache; \
     docker-php-source delete; \

diff --git a/5.3/actions/actions.mk b/5.3/actions/actions.mk
@@ -32,7 +32,7 @@ git-checkout:
 
 files-import:
 	$(call check_defined, source)
-	files-import.sh $(source)
+	sudo -E files-import.sh $(source)
 
 init-public-storage:
 	$(call check_defined, public_dir)

diff --git a/5.3/actions/files-import.sh b/5.3/actions/files-import.sh
@@ -14,10 +14,10 @@ get-archive.sh "${source}" "${tmp_dir}" "zip tgz tar.gz tar"
 # TODO: allow top level dir import only for wodby archives.
 if [[ -f "${tmp_dir}/.wodby" || (-d "${tmp_dir}/private" && -d "${tmp_dir}/public") ]]; then
     echo "Wodby backup archive detected. Importing to top directory"
-    rsync -rlt --force "${tmp_dir}/" "${FILES_DIR}"
+    rsync -rlt --chown=www-data:www-data "${tmp_dir}/" "${FILES_DIR}"
 else
     echo "Importing files to public directory"
-    rsync -rlt --force "${tmp_dir}/" "${FILES_DIR}/public/"
+    rsync -rlt --chown=www-data:www-data "${tmp_dir}/" "${FILES_DIR}/public/"
 fi
 
 rm -rf "${tmp_dir}"
diff --git a/5.3/actions/init-public-storage.sh b/5.3/actions/init-public-storage.sh
@@ -26,7 +26,4 @@ if [[ -n "${app_public_dir}" ]]; then
     else
         ln -sf "${FILES_DIR}/public" "${app_public_dir}"
     fi
-
-    # Make sure FPM can write to the public folder.
-    chmod 775 "${app_public_dir}"
 fi
diff --git a/5.3/actions/init-volumes.sh b/5.3/actions/init-volumes.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [[ -n "${DEBUG}" ]]; then
+    set -x
+fi
+
+chown wodby:wodby "${APP_ROOT}"
+
+declare -a dirs=(
+    "${FILES_DIR}"
+    "${FILES_DIR}/private"
+    "${FILES_DIR}/public"
+    "${FILES_DIR}/xdebug/profiler"
+    "${FILES_DIR}/xdebug/traces"
+)
+
+for dir in "${dirs[@]}"; do
+    mkdir -p "${dir}"
+    chown www-data:www-data "${dir}"
+    chmod 775 "${dir}"
+done
diff --git a/5.3/actions/migrate.sh b/5.3/actions/migrate.sh
@@ -11,21 +11,7 @@ to="${2:-}"
 
 # Default user changed from www-data (82) to wodby (1000), change recursively codebase permissions on volume.
 if [[ "${to:0:1}" == 5 && "${from:0:1}" < 5 ]]; then
-    echo "1. Migrating to a new major 5.x version. Fixing permissions for:"
-    echo "- Codebase volume except symlinks (public files dir)"
+    echo "Migrating to a new major 5.x version."
+    echo "Fixing permissions for codebase volume except symlinks (public files dir)"
     find "${APP_ROOT}" -uid 82 ! -type l -exec chown wodby:wodby {} +
-    echo "- Files volume (only top level dirs and files)"
-    find "${FILES_DIR}" ! -path "${FILES_DIR}" -uid 82 -maxdepth 1 -exec chown wodby:wodby {} \; -exec chmod 775 {} \;
-
-    if [[ -n "${PHP_XDEBUG_TRACE_OUTPUT_DIR}" ]]; then
-        echo "Repeating actions for xdebug trace output dir"
-        chown wodby:wodby "${PHP_XDEBUG_TRACE_OUTPUT_DIR}"
-        chmod 775 "${PHP_XDEBUG_TRACE_OUTPUT_DIR}"
-    fi
-
-    if [[ -n "${PHP_XDEBUG_PROFILER_OUTPUT_DIR}" ]]; then
-        echo "Repeating actions for xdebug profiler output dir"
-        chown wodby:wodby "${PHP_XDEBUG_PROFILER_OUTPUT_DIR}"
-        chmod 775 "${PHP_XDEBUG_PROFILER_OUTPUT_DIR}"
-    fi
 fi
diff --git a/5.3/docker-entrypoint.sh b/5.3/docker-entrypoint.sh
@@ -14,25 +14,6 @@ _gotpl() {
     fi
 }
 
-# Writable for wodby group (www-data user)
-create_group_writable_dirs() {
-    declare -a dirs=(
-        "${FILES_DIR}/private"
-        "${FILES_DIR}/public"
-    )
-
-    [[ -n "${PHP_XDEBUG_TRACE_OUTPUT_DIR}" ]] && dirs+=("${PHP_XDEBUG_TRACE_OUTPUT_DIR}")
-    [[ -n "${PHP_XDEBUG_PROFILER_OUTPUT_DIR}" ]] && dirs+=("${PHP_XDEBUG_PROFILER_OUTPUT_DIR}")
-
-    for dir in "${dirs[@]}"; do
-        # Check for existence to avoid permissions issues from 4.x version.
-        if [[ ! -d "${dir}" ]]; then
-            mkdir -p "${dir}"
-            chmod 775 "${dir}"
-        fi
-    done
-}
-
 init_ssh_client() {
     _gotpl "ssh_config.tpl" "${ssh_dir}/config"
 
@@ -86,9 +67,8 @@ init_git() {
     git config --global user.name "${GIT_USER_NAME}"
 }
 
-sudo fix-volumes-permissions.sh
+sudo init-volumes.sh
 
-create_group_writable_dirs
 init_ssh_client
 init_git
 process_templates

diff --git a/5.6/Dockerfile b/5.6/Dockerfile
@@ -55,7 +55,7 @@ RUN set -xe; \
     \
 	addgroup -g 1000 -S wodby; \
 	adduser -u 1000 -D -S -s /bin/bash -G wodby wodby; \
-	adduser www-data wodby; \
+    adduser wodby www-data; \
 	sed -i '/^wodby/s/!/*/' /etc/shadow; \
 	echo "PS1='\w\$ '" >> /home/wodby/.bashrc; \
     \
@@ -170,7 +170,7 @@ RUN set -xe; \
     bash /tmp/newrelic/newrelic-install install; \
     rm /usr/local/etc/php/conf.d/newrelic.ini; \
     mkdir -p /var/log/newrelic/; \
-    chown -R wodby:wodby /var/log/newrelic/; \
+    chown -R www-data:www-data /var/log/newrelic/; \
     chmod -R 775 /var/log/newrelic/; \
     \
     pecl install \
@@ -222,19 +222,16 @@ RUN set -xe; \
     # Add composer bins to $PATH
     su-exec wodby echo "export PATH=/home/wodby/.composer/vendor/bin:${PATH}" > /home/wodby/.profile; \
     \
-    # Script to fix volumes permissions via sudo.
-    echo "chown wodby:wodby ${FILES_DIR} ${APP_ROOT}" > /usr/local/bin/fix-volumes-permissions.sh; \
-    chmod +x /usr/local/bin/fix-volumes-permissions.sh; \
-    \
     # Configure sudoers
     if [[ -n "${PHP_DEV}" ]]; then \
         echo 'wodby ALL=(root) NOPASSWD:SETENV:ALL' > /etc/sudoers.d/wodby; \
     else \
         { \
             echo -n 'wodby ALL=(root) NOPASSWD:SETENV: ' ; \
             echo -n '/usr/local/sbin/php-fpm, ' ; \
+            echo -n '/usr/local/bin/files-import.sh, ' ; \
             echo -n '/usr/local/bin/gen-ssh-keys.sh, ' ; \
-            echo -n '/usr/local/bin/fix-volumes-permissions.sh, ' ; \
+            echo -n '/usr/local/bin/init-volumes.sh, ' ; \
             echo -n '/usr/local/bin/migrate.sh, ' ; \
             echo -n '/usr/sbin/sshd, ' ; \
             echo '/usr/sbin/crond' ; \
@@ -249,26 +246,30 @@ RUN set -xe; \
         "${APP_ROOT}" \
         "${CONF_DIR}" \
         "${FILES_DIR}/public" \
-        "${FILES_DIR}/private"; \
+        "${FILES_DIR}/private" \
+        "${FILES_DIR}/xdebug/traces" \
+        "${FILES_DIR}/xdebug/profiler" \
+        /home/wodby/.ssh; \
     \
-    chmod 775 "${FILES_DIR}/public" "${FILES_DIR}/private"; \
-    su-exec wodby mkdir /home/wodby/.ssh; \
+    chmod -R 775 "${FILES_DIR}"; \
+    chown -R www-data:www-data "${FILES_DIR}"; \
+    chown -R wodby:wodby \
+        "${APP_ROOT}" \
+        "${CONF_DIR}" \
+        "${PHP_INI_DIR}/conf.d" \
+        /usr/local/etc/php-fpm.d/ \
+        /home/wodby/; \
     \
+    # SSHD
     touch /etc/ssh/sshd_config; \
     chown wodby: /etc/ssh/sshd_config; \
     \
+    # Crontab
     rm /etc/crontabs/root; \
     touch /etc/crontabs/wodby; \
     chown root:wodby /etc/crontabs/wodby; \
     chmod 660 /etc/crontabs/wodby; \
     \
-    chown -R wodby:wodby \
-        /var/www \
-        "${PHP_INI_DIR}/conf.d" \
-        "${FILES_DIR}" \
-        /usr/local/etc/php-fpm.d/ \
-        /home/wodby/.profile; \
-    \
     # Cleanup
     su-exec wodby composer clear-cache; \
     docker-php-source delete; \

diff --git a/5.6/actions/actions.mk b/5.6/actions/actions.mk
@@ -32,7 +32,7 @@ git-checkout:
 
 files-import:
 	$(call check_defined, source)
-	files-import.sh $(source)
+	sudo -E files-import.sh $(source)
 
 init-public-storage:
 	$(call check_defined, public_dir)

diff --git a/5.6/actions/files-import.sh b/5.6/actions/files-import.sh
@@ -14,10 +14,10 @@ get-archive.sh "${source}" "${tmp_dir}" "zip tgz tar.gz tar"
 # TODO: allow top level dir import only for wodby archives.
 if [[ -f "${tmp_dir}/.wodby" || (-d "${tmp_dir}/private" && -d "${tmp_dir}/public") ]]; then
     echo "Wodby backup archive detected. Importing to top directory"
-    rsync -rlt --force "${tmp_dir}/" "${FILES_DIR}"
+    rsync -rlt --chown=www-data:www-data "${tmp_dir}/" "${FILES_DIR}"
 else
     echo "Importing files to public directory"
-    rsync -rlt --force "${tmp_dir}/" "${FILES_DIR}/public/"
+    rsync -rlt --chown=www-data:www-data "${tmp_dir}/" "${FILES_DIR}/public/"
 fi
 
 rm -rf "${tmp_dir}"
diff --git a/5.6/actions/init-public-storage.sh b/5.6/actions/init-public-storage.sh
@@ -26,7 +26,4 @@ if [[ -n "${app_public_dir}" ]]; then
     else
         ln -sf "${FILES_DIR}/public" "${app_public_dir}"
     fi
-
-    # Make sure FPM can write to the public folder.
-    chmod 775 "${app_public_dir}"
 fi
diff --git a/5.6/actions/init-volumes.sh b/5.6/actions/init-volumes.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [[ -n "${DEBUG}" ]]; then
+    set -x
+fi
+
+chown wodby:wodby "${APP_ROOT}"
+
+declare -a dirs=(
+    "${FILES_DIR}"
+    "${FILES_DIR}/private"
+    "${FILES_DIR}/public"
+    "${FILES_DIR}/xdebug/profiler"
+    "${FILES_DIR}/xdebug/traces"
+)
+
+for dir in "${dirs[@]}"; do
+    mkdir -p "${dir}"
+    chown www-data:www-data "${dir}"
+    chmod 775 "${dir}"
+done
diff --git a/5.6/actions/migrate.sh b/5.6/actions/migrate.sh
@@ -11,21 +11,7 @@ to="${2:-}"
 
 # Default user changed from www-data (82) to wodby (1000), change recursively codebase permissions on volume.
 if [[ "${to:0:1}" == 5 && "${from:0:1}" < 5 ]]; then
-    echo "1. Migrating to a new major 5.x version. Fixing permissions for:"
-    echo "- Codebase volume except symlinks (public files dir)"
+    echo "Migrating to a new major 5.x version."
+    echo "Fixing permissions for codebase volume except symlinks (public files dir)"
     find "${APP_ROOT}" -uid 82 ! -type l -exec chown wodby:wodby {} +
-    echo "- Files volume (only top level dirs and files)"
-    find "${FILES_DIR}" ! -path "${FILES_DIR}" -uid 82 -maxdepth 1 -exec chown wodby:wodby {} \; -exec chmod 775 {} \;
-
-    if [[ -n "${PHP_XDEBUG_TRACE_OUTPUT_DIR}" ]]; then
-        echo "Repeating actions for xdebug trace output dir"
-        chown wodby:wodby "${PHP_XDEBUG_TRACE_OUTPUT_DIR}"
-        chmod 775 "${PHP_XDEBUG_TRACE_OUTPUT_DIR}"
-    fi
-
-    if [[ -n "${PHP_XDEBUG_PROFILER_OUTPUT_DIR}" ]]; then
-        echo "Repeating actions for xdebug profiler output dir"
-        chown wodby:wodby "${PHP_XDEBUG_PROFILER_OUTPUT_DIR}"
-        chmod 775 "${PHP_XDEBUG_PROFILER_OUTPUT_DIR}"
-    fi
 fi
diff --git a/5.6/docker-entrypoint.sh b/5.6/docker-entrypoint.sh
@@ -14,25 +14,6 @@ _gotpl() {
     fi
 }
 
-# Writable for wodby group (www-data user)
-create_group_writable_dirs() {
-    declare -a dirs=(
-        "${FILES_DIR}/private"
-        "${FILES_DIR}/public"
-    )
-
-    [[ -n "${PHP_XDEBUG_TRACE_OUTPUT_DIR}" ]] && dirs+=("${PHP_XDEBUG_TRACE_OUTPUT_DIR}")
-    [[ -n "${PHP_XDEBUG_PROFILER_OUTPUT_DIR}" ]] && dirs+=("${PHP_XDEBUG_PROFILER_OUTPUT_DIR}")
-
-    for dir in "${dirs[@]}"; do
-        # Check for existence to avoid permissions issues from 4.x version.
-        if [[ ! -d "${dir}" ]]; then
-            mkdir -p "${dir}"
-            chmod 775 "${dir}"
-        fi
-    done
-}
-
 init_ssh_client() {
     _gotpl "ssh_config.tpl" "${ssh_dir}/config"
 
@@ -96,9 +77,8 @@ init_git() {
     git config --global user.name "${GIT_USER_NAME}"
 }
 
-sudo fix-volumes-permissions.sh
+sudo init-volumes.sh
 
-create_group_writable_dirs
 init_ssh_client
 init_git
 process_templates