From a700df634072efb6336f4939c2743b9d394e7dfb Mon Sep 17 00:00:00 2001
From: "Alexander A. Klimov"
Date: Wed, 15 Feb 2023 14:51:26 +0100
Subject: [PATCH] entrypoint: chown www-data: /data and drop privileges if started as root
---
 entrypoint/main.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/entrypoint/main.go b/entrypoint/main.go
index 19f86af..9885ed6 100644
--- a/entrypoint/main.go
+++ b/entrypoint/main.go
@@ -18,6 +18,7 @@ import (
 "time"
 )
+const wwwdataUid = 33
 const dataVolume = "/data"
 const modsDir = "/usr/share/icingaweb2/modules"
 const dirMode = 0750
@@ -39,6 +40,24 @@ func entrypoint() error {
 return nil
 }
+ if os.Getuid() == 0 {
+ logf("info", "Giving %s to the www-data user as we're root", dataVolume)
+
+ if err := os.Chown(dataVolume, wwwdataUid, wwwdataUid); err != nil {
+ return err
+ }
+
+ logf("info", "Dropping privileges as we're root")
+
+ if err := syscall.Setgid(wwwdataUid); err != nil {
+ return err
+ }
+
+ if err := syscall.Setuid(wwwdataUid); err != nil {
+ return err
+ }
+ }
+
 if os.Getpid() == 1 {
 logf("info", "Initializing %s as we're the init process", dataVolume)
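Review bot: The privilege drop in the `os.Getuid() == 0` branch calls `syscall.Setgid` and `syscall.Setuid` but never resets the supplementary group list, so the process keeps whatever groups root had at start (typically gid 0 in a container) and anything group-accessible to them stays reachable after the drop. I would add `if err := syscall.Setgroups([]int{wwwdataUid}); err != nil { return err }` before the `Setgid` call, while the process still has the privilege to do it. Separately, `wwwdataUid` is also passed as the group id to `os.Chown` and `Setgid`; a distinct `wwwdataGid` constant would make explicit the assumption that both are 33. The `os.Chown` is not recursive, so content already in the volume and owned by root would presumably stay unwritable for www-data; a comment saying whether that is intended would help. `entrypoint()` starts and ends outside this hunk.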