From a40aaa9aad27f24994b4a5e38796b5024f12345b Mon Sep 17 00:00:00 2001
From: Jan Kunzmann
Date: Fri, 2 Dec 2016 21:38:50 +0100
Subject: [PATCH 1/4] Simplify archive extraction
---
 Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index cb8d7f6..79b6e37 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,8 +5,8 @@ RUN apk add --no-cache bash curl dovecot mysql-client c-client imap-dev \
 && docker-php-ext-install imap mysqli \
 && apk del imap-dev \
 && rm -rf /var/cache/apk/* \
- && curl --location https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-${VERSION}/postfixadmin-${VERSION}.tar.gz | tar xzf - \
- && mv postfixadmin* /www \
+ && curl --location https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-${VERSION}/postfixadmin-${VERSION}.tar.gz \
+ | tar xzf - --one-top-level=/www --strip=1 \
 && mkdir /config
 COPY config.php php.ini run.sh /
 CMD /run.sh
From b05e283c312f9cbd15f64ce1a0054914c7cc97ba Mon Sep 17 00:00:00 2001
From: Jan Kunzmann
Date: Fri, 2 Dec 2016 21:44:06 +0100
Subject: [PATCH 2/4] Security improvements
* Fix ownership of application code
* Run webserver without root privileges
* Don't output any errors to the browser
* Use `exec` to ease docker process handling
---
 Dockerfile | 8 ++++----
 php.ini | 2 ++
 run.sh | 12 ++++++++----
 3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 79b6e37..65f841e 100644
--- a/Dockerfile
+++ b/Dockerfile
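Review bot: The rewritten download on the `+ && curl --location …` line still fetches the tarball with no integrity check and no `--fail`, so a mirror returning an error page or a tampered archive is only noticed if tar happens to choke on it, and `--location` will follow a redirect from the HTTPS SourceForge URL to a plain-HTTP mirror unless the protocol is pinned. I'd fetch to a file and verify it before extracting: `&& curl --fail --location --proto '=https' --proto-redir '=https' -o /tmp/pfa.tgz https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-${VERSION}/postfixadmin-${VERSION}.tar.gz \`, `&& echo "${PFA_SHA256}  /tmp/pfa.tgz" | sha256sum -c - \`, `&& tar xzf /tmp/pfa.tgz --one-top-level=/www --strip=1 && rm /tmp/pfa.tgz \`, with `PFA_SHA256` pinned as an `ARG` next to `VERSION`. Because the default `/bin/sh` reports only tar's exit status for the pipe, a `SHELL ["/bin/ash", "-o", "pipefail", "-c"]` above the RUN would be needed to keep the pipe form honest. The `--one-top-level` option is GNU-tar-only; the enclosing RUN instruction starts before this hunk, so I cannot see whether a comment already notes that busybox tar would reject it.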
@@ -1,12 +1,12 @@
 FROM php:7-alpine
 ENV VERSION=3.1
-EXPOSE 80
-RUN apk add --no-cache bash curl dovecot mysql-client c-client imap-dev \
+EXPOSE 8000
+RUN apk add --no-cache bash curl dovecot mysql-client c-client imap-dev su-exec \
 && docker-php-ext-install imap mysqli \
 && apk del imap-dev \
 && rm -rf /var/cache/apk/* \
 && curl --location https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-${VERSION}/postfixadmin-${VERSION}.tar.gz \
- | tar xzf - --one-top-level=/www --strip=1 \
+ | tar xzf - --no-same-owner --one-top-level=/www --strip=1 \
 && mkdir /config
 COPY config.php php.ini run.sh /
-CMD /run.sh
+CMD ["/run.sh"]
diff --git a/php.ini b/php.ini
index c93fe3e..88278c2 100644
--- a/php.ini
+++ b/php.ini
@@ -1,4 +1,6 @@
 error_reporting=E_ALL & ~E_NOTICE & ~E_DEPRECATED
+display_errors=Off
+log_errors=Off
 memory_limit=128M
 upload_max_filesize=128M
 post_max_size=128M
diff --git a/run.sh b/run.sh
index 1448993..d5340ac 100755
--- a/run.sh
+++ b/run.sh
@@ -1,7 +1,5 @@
 #!/bin/bash
-cmd_php="php -S 0.0.0.0:80 -c php.ini -t /www"
-
 wait_for_mysql() {
 until mysql --host=$MYSQL_HOST --user=$MYSQL_USER --password=$MYSQL_PASSWORD --execute="USE $MYSQL_DATABASE;" &>/dev/null; do
 echo "waiting for mysql to start..."
@@ -30,7 +28,7 @@ init_config() {
 }
 init_db() {
- $cmd_php &
+ php -S 127.0.0.1:80 -c php.ini -t /www &
 wait_for_php
 pid_php=$!
 setup_password="s3cr3t";
@@ -55,4 +53,10 @@ if [ ! -f .initialized ]; then
 touch .initialized
 fi
-$cmd_php
+
+trap 'kill -9 $(jobs -p)' EXIT
+trap 'exit' INT TERM
+
+su-exec nobody php -S 0.0.0.0:8000 -c /php.ini -t /www &
+
+wait
From 684d21b7155504ae096be84f8cb32eb08a0d5dd8 Mon Sep 17 00:00:00 2001
From: Jan Kunzmann
Date: Mon, 5 Dec 2016 12:55:32 +0100
Subject: [PATCH 3/4] Fix template cache dir permissions
---
 Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 65f841e..4f23b0a 100644
--- a/Dockerfile
+++ b/Dockerfile
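Review bot: The image still has no `USER` instruction, so `CMD ["/run.sh"]` starts as root and the privilege drop depends entirely on run.sh calling su-exec; that is a deliberate design here, since the script needs root for initialisation, but nothing in the Dockerfile says so and a reader of `EXPOSE 8000` has no idea why the port moved. I'd add above the CMD: `# run.sh must start as root (DB/config init) and drops to "nobody" via su-exec; port 8000 because "nobody" cannot bind 80`. `--no-same-owner` fixes ownership but not modes: tar run as root restores the permission bits stored in the archive, so whether `nobody` can read everything under /www depends on how the upstream tarball was packed — adding `--no-same-permissions` (or a `chmod -R a+rX /www` after extraction) makes the image independent of that.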
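Review bot: `log_errors=Off` on the new line switches error logging off entirely, not just browser output, so a failing request leaves no trace in `docker logs` and there is nothing to work from during an incident. The commit's stated goal ("Don't output any errors to the browser") is already met by `display_errors=Off`; keep `log_errors=On` and leave `error_log` unset so the built-in server writes to stderr, where Docker collects it. While in this file, `expose_php=Off` stops the `X-Powered-By` header advertising the exact PHP version to every client.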
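Review bot: The new `php -S 127.0.0.1:80 -c php.ini -t /www &` in init_db still runs the setup server as root, so the privilege drop this commit introduces does not cover the phase in which the application actually executes setup code against the database; binding to loopback limits who can reach it, not what the process can do. Unless setup needs root for something not visible here, `su-exec nobody php -S 127.0.0.1:8000 -c /php.ini -t /www &` would match the final server and also fix the relative `-c php.ini`, which only resolves because the script's working directory happens to be `/`. Capture the pid immediately after the `&` — move `pid_php=$!` above `wait_for_php` — so a helper that ever backgrounds its own job cannot clobber `$!`. The `setup_password="s3cr3t"` on the context line predates this change, but a well-known setup password is worth a follow-up if setup.php stays reachable after initialisation; init_db's body continues outside the hunk.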
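Review bot: The commit message says the server is started with `exec`, but the new tail of run.sh backgrounds it and then `wait`s, leaving bash as PID 1 and relying on `trap 'kill -9 $(jobs -p)' EXIT` to tear PHP down with SIGKILL, which gives it no chance to finish in-flight requests. Replacing the trap/`&`/`wait` lines with `exec su-exec nobody php -S 0.0.0.0:8000 -c /php.ini -t /www` makes PHP PID 1 so `docker stop`'s SIGTERM reaches it directly and the traps become unnecessary; if the traps are kept for some reason, use `kill -TERM` rather than `-9`. Note also that `php -S` is PHP's single-threaded development server, which upstream documents as not intended for production, so either the README's "production ready" wording should be qualified or the image should sit behind a real web server.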
@@ -7,6 +7,8 @@ RUN apk add --no-cache bash curl dovecot mysql-client c-client imap-dev su-exec
 && rm -rf /var/cache/apk/* \
 && curl --location https://downloads.sourceforge.net/project/postfixadmin/postfixadmin/postfixadmin-${VERSION}/postfixadmin-${VERSION}.tar.gz \
 | tar xzf - --no-same-owner --one-top-level=/www --strip=1 \
+ && mkdir -p /www/templates_c \
+ && chown nobody /www/templates_c \
 && mkdir /config
 COPY config.php php.ini run.sh /
 CMD ["/run.sh"]
From 6ecae6d5bf129b4d1d13ed4cc2ab8960bc041240 Mon Sep 17 00:00:00 2001
From: Jan Kunzmann
Date: Sun, 16 Jul 2017 01:08:39 +0200
Subject: [PATCH 4/4] Update README
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index ce993b3..19c5b5e 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,9 @@
 # PostfixAdmin Docker image
-[![](https://badge.imagelayers.io/konjak/postfixadmin:latest.svg)](https://imagelayers.io/?images=konjak/postfixadmin:latest)
-
 Production ready Docker container for [PostfixAdmin](http://postfixadmin.sourceforge.net/) with MySQL usage.
+This is a fork from [konstantinj/docker-postfixadmin](https://github.com/konstantinj/docker-postfixadmin) with a tiny security addition.
+
 ## Features - why using this image instead of several others?
 - Uses [alpine](https://registry.hub.docker.com/_/alpine/) base image
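Review bot: `chown nobody /www/templates_c` makes the one directory the web user can write to sit inside the document root that `php -S … -t /www` serves, and the built-in server honours no `.htaccess`, so whatever the application compiles into it is presumably also directly requestable and executed as PHP. If PostfixAdmin's configuration allows relocating its compile directory, I'd point it outside `/www` (e.g. `/var/cache/postfixadmin`, owned by `nobody`); if the path is fixed, at least record the trade-off next to these lines: `# Smarty compile dir: must be writable by the unprivileged web user (nobody); lives in the docroot because the app path is fixed`. Giving the directory an explicit mode, `&& chmod 0700 /www/templates_c \`, keeps it readable only by that user rather than world-readable by default.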