explicitly set nginx and php to use unprivileged locations

deskpro · Sep 19, 2024 · 8c7a906 · 8c7a906
1 parent ef01b73
commit 8c7a906
Show file tree

Hide file tree

Showing 11 changed files with 26 additions and 21 deletions.
diff --git a/etc/nginx/conf.d/01-deskpro_setup.conf.tmpl b/etc/nginx/conf.d/01-deskpro_setup.conf.tmpl
@@ -1,9 +1,9 @@
 upstream dpv5_api {
-  server unix:/run/php_fpm_dp_default.sock max_fails=0 fail_timeout=0;
+  server unix:/tmp/php_fpm_dp_default.sock max_fails=0 fail_timeout=0;
 }
 
 upstream dpv5_api_internal {
-  server unix:/run/php_fpm_dp_internal.sock max_fails=0 fail_timeout=0;
+  server unix:/tmp/php_fpm_dp_internal.sock max_fails=0 fail_timeout=0;
 }
 
 # dpv5_api_backend: Use separate fpm-pool for internal requests

diff --git a/etc/nginx/conf.d/03-status.conf.tmpl b/etc/nginx/conf.d/03-status.conf.tmpl
@@ -30,6 +30,6 @@ server {
 
     fastcgi_param SCRIPT_NAME '/fpm/status';
     fastcgi_param SCRIPT_FILENAME '/fpm/status';
-    fastcgi_pass unix:/run/php_fpm_$fpm_pool.status.sock;
+    fastcgi_pass unix:/tmp/php_fpm_$fpm_pool.status.sock;
   }
 }
diff --git a/etc/nginx/conf.d/deskpro_server_params.tmpl b/etc/nginx/conf.d/deskpro_server_params.tmpl
@@ -26,17 +26,17 @@ location / {
 }
 
 location ^~ /sys/services/broadcaster/ {
-    fastcgi_pass unix:/run/php_fpm_dp_broadcaster.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_broadcaster.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ ^/(admin\-api|agent\-api)/ {
-    fastcgi_pass unix:/run/php_fpm_dp_gql.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_gql.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ ^/(ticket\-channels|sys/services)/ {
-    fastcgi_pass unix:/run/php_fpm_dp_internal.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_internal.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
@@ -103,19 +103,19 @@ location ~ ^/deskpro-messenger/assets/ {
 }
 
 location ^~ /firebase-messaging-sw.js {
-    fastcgi_pass unix:/run/php_fpm_dp_default.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_default.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ ^/deskpro-messenger/ {
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Content-Type-Options "nosniff";
-    fastcgi_pass unix:/run/php_fpm_dp_default.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_default.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ \.php$ {
-    fastcgi_pass unix:/run/php_fpm_dp_default.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_default.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 

diff --git a/etc/nginx/nginx.conf.tmpl b/etc/nginx/nginx.conf.tmpl
@@ -5,7 +5,7 @@ worker_processes 1;
 worker_processes {{ getenv "NGINX_WORKER_PROCESSES" "auto" }};
 {{end}}
 pcre_jit on;
-pid /run/nginx.pid;
+pid /tmp/nginx.pid;
 
 events {
     worker_connections {{ getenv "NGINX_WORKER_CONNECTIONS" "10000" }};
@@ -26,6 +26,12 @@ http {
     ssl_session_timeout 1h;
     ssl_session_tickets off;
 
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+
     log_format logjson escape=json
       '{'
       '"ts":"$time_iso8601", '

diff --git a/etc/php/8.3/fpm/php-fpm.conf b/etc/php/8.3/fpm/php-fpm.conf
@@ -1,5 +1,5 @@
 [global]
-pid = /run/php-fpm.pid
+pid = /tmp/php-fpm.pid
 error_log = /var/log/php/fpm_error.log
 log_level = notice
 log_limit = 8192

diff --git a/etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl b/etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl
@@ -2,11 +2,11 @@
 user = dp_app
 group = dp_app
 chdir = /srv/deskpro
-listen = /run/php_fpm_{{.}}.sock
+listen = /tmp/php_fpm_{{.}}.sock
 listen.backlog = {{ getenv "PHP_FPM_LISTEN_BACKLOG" "1000" }}
 listen.mode = 0666
 
-pm.status_listen = /run/php_fpm_{{.}}.status.sock
+pm.status_listen = /tmp/php_fpm_{{.}}.status.sock
 pm.status_path = /fpm/status
 
 catch_workers_output = yes

diff --git a/etc/supervisor/conf.d/logging.conf.tmpl b/etc/supervisor/conf.d/logging.conf.tmpl
@@ -19,7 +19,6 @@ environment=VECTOR_MARKER="{{ getenv "VECTOR_MARKER" "" }}",VECTOR_COLOR=never
 
 [eventlistener:rotate_logs]
 command=/etc/supervisor/rotate-logs
-user=vector
 events=TICK_60
 autorestart=true
 buffer_size=1

diff --git a/test/serverspec/spec/default_web/default_php_spec.rb b/test/serverspec/spec/default_web/default_php_spec.rb
@@ -71,7 +71,7 @@
   end
 
   describe command('phpfpminfo --pool dp_default') do
-    its(:stdout) { should contain "listen = /run/php_fpm_dp_default.sock" }
+    its(:stdout) { should contain "listen = /tmp/php_fpm_dp_default.sock" }
     its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
     its(:stdout) { should contain "pm = ondemand" }
     its(:stdout) { should contain "pm.max_children = 20" }
@@ -81,7 +81,7 @@
   end
 
   describe command('phpfpminfo --pool dp_internal') do
-    its(:stdout) { should contain "listen = /run/php_fpm_dp_internal.sock" }
+    its(:stdout) { should contain "listen = /tmp/php_fpm_dp_internal.sock" }
     its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
     its(:stdout) { should contain "pm = ondemand" }
     its(:stdout) { should contain "pm.max_children = 1000" }
@@ -91,7 +91,7 @@
   end
 
   describe command('phpfpminfo --pool dp_gql') do
-    its(:stdout) { should contain "listen = /run/php_fpm_dp_gql.sock" }
+    its(:stdout) { should contain "listen = /tmp/php_fpm_dp_gql.sock" }
     its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
     its(:stdout) { should contain "pm = ondemand" }
     its(:stdout) { should contain "pm.max_children = 20" }
@@ -101,7 +101,7 @@
   end
 
   describe command('phpfpminfo --pool dp_broadcaster') do
-    its(:stdout) { should contain "listen = /run/php_fpm_dp_broadcaster.sock" }
+    its(:stdout) { should contain "listen = /tmp/php_fpm_dp_broadcaster.sock" }
     its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
     its(:stdout) { should contain "pm = ondemand" }
     its(:stdout) { should contain "pm.max_children = 1000" }

diff --git a/usr/local/bin/phpinfo b/usr/local/bin/phpinfo
@@ -39,7 +39,7 @@ if [[ $use_php_fpm -eq 1 ]]; then
   SCRIPT_NAME=/usr/local/share/deskpro/phpinfo.php \
     SCRIPT_FILENAME=/usr/local/share/deskpro/phpinfo.php \
     REQUEST_METHOD=GET \
-    cgi-fcgi -bind -connect /run/php_fpm_dp_default.sock
+    cgi-fcgi -bind -connect /tmp/php_fpm_dp_default.sock
 else
   php /usr/local/share/deskpro/phpinfo.php
 fi
diff --git a/usr/local/sbin/entrypoint.d/05-opc.sh b/usr/local/sbin/entrypoint.d/05-opc.sh
@@ -35,7 +35,7 @@ opc_main() {
 
   boot_log_message DEBUG "[bc_opc_2_8] Linking /run/php-fpm/dp_default.sock -> /run/php_fpm_dp_default.sock"
   mkdir -p /run/php-fpm
-  ln -sf /run/php_fpm_dp_default.sock /run/php-fpm/dp_default.sock
+  ln -sf /tmp/php_fpm_dp_default.sock /run/php-fpm/dp_default.sock
 
   for pool in "dp_broadcaster" "dp_default" "dp_gql" "dp_internal"; do
     if [ -e "/deskpro/config/${pool}.conf" ]; then

diff --git a/usr/local/sbin/entrypoint.d/41-deskpro-config.sh b/usr/local/sbin/entrypoint.d/41-deskpro-config.sh
@@ -25,7 +25,7 @@ function deskpro_config_main() {
     done
   } > /srv/deskpro/INSTANCE_DATA/config.php
 
-  chown root:root "/srv/deskpro/INSTANCE_DATA/config.php"
+  chown dp_app:dp_app "/srv/deskpro/INSTANCE_DATA/config.php"
   chmod 0644 "/srv/deskpro/INSTANCE_DATA/config.php"
 }