From 71498232e30d9b42ca5df7db50bfabca02ec21b1 Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Fri, 17 Feb 2023 16:59:40 +0100
Subject: [PATCH] entrypoint: give /dev/stdout and /dev/stderr to the www-data user as root to allow apache2 to open them after dropping privileges.
---
 entrypoint/main.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/entrypoint/main.go b/entrypoint/main.go
index ada459c..4f8216f 100644
--- a/entrypoint/main.go
+++ b/entrypoint/main.go
@@ -57,6 +57,21 @@ func entrypoint() error {
 return nil
 })
+ for _, stdio := range [...]string{"/dev/stdout", "/dev/stderr"} {
+ logf("info", "Giving %s to the www-data user as we're root", stdio)
+
+ file, err := os.Open(stdio)
+ if err != nil {
+ return err
+ }
+
+ if err := syscall.Fchown(int(file.Fd()), wwwdataUid, wwwdataUid); err != nil {
+ return err
+ }
+
+ _ = file.Close()
+ }
+
 logf("info", "Dropping privileges as we're root")
 if err := syscall.Setgid(wwwdataUid); err != nil {
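Review bot: The new loop re-opens `/dev/stdout` and `/dev/stderr` by path only to `Fchown` the resulting descriptor, although the process already holds both streams open; changing ownership through the existing descriptors, e.g. `for _, fd := range [...]int{syscall.Stdout, syscall.Stderr} {` with `syscall.Fchown(fd, wwwdataUid, wwwdataUid)`, removes the path lookup and the extra read-only open, which would presumably fail when a stream is a socket. As written, `file` is also left open when `Fchown` returns an error, and both `return err` lines lose which stream failed. The ownership change applies to whatever object is attached to the stream, so when output is redirected to a regular file or a terminal that object stays owned by www-data afterwards; a comment above the loop such as `// Changes the owner of whatever stdout/stderr point to, not just a container pipe.` would record that. `entrypoint` starts and ends outside this hunk, so whether the loop runs only under a root check is not visible here.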