From ef01b730be5863ff9d2c912aa62a0507590a9bbd Mon Sep 17 00:00:00 2001
From: Chris Robinson <chris.robinson@deskpro.com>
Date: Wed, 18 Sep 2024 16:48:08 +0100
Subject: [PATCH 1/3] Change user for nginx and php processes

---
 etc/supervisor/conf.d/logging.conf.tmpl | 1 +
 etc/supervisor/conf.d/web.conf.tmpl     | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/etc/supervisor/conf.d/logging.conf.tmpl b/etc/supervisor/conf.d/logging.conf.tmpl
index 05c6b57..0961326 100644
--- a/etc/supervisor/conf.d/logging.conf.tmpl
+++ b/etc/supervisor/conf.d/logging.conf.tmpl
@@ -19,6 +19,7 @@ environment=VECTOR_MARKER="{{ getenv "VECTOR_MARKER" "" }}",VECTOR_COLOR=never
 
 [eventlistener:rotate_logs]
 command=/etc/supervisor/rotate-logs
+user=vector
 events=TICK_60
 autorestart=true
 buffer_size=1
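Review bot: The `user=vector` line added to `[eventlistener:rotate_logs]` is removed again by patch 2/3 of this series (its hunk on etc/supervisor/conf.d/logging.conf.tmpl), so the series leaves an intermediate commit whose only change to this file is later undone. If running the rotation listener as vector turned out not to work, drop the line from this patch rather than adding and reverting it, or say in the commit message why it was tried and abandoned. Whether /etc/supervisor/rotate-logs can rotate the files it touches as an unprivileged user is not visible from the hunk.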
diff --git a/etc/supervisor/conf.d/web.conf.tmpl b/etc/supervisor/conf.d/web.conf.tmpl
index fa33554..e4dec49 100644
--- a/etc/supervisor/conf.d/web.conf.tmpl
+++ b/etc/supervisor/conf.d/web.conf.tmpl
@@ -3,6 +3,8 @@ command=/usr/sbin/nginx -g "daemon off;"
 autostart={{ getenv "SVC_NGINX_ENABLED" "false" | ternary "true" "false" }}
 autorestart=true
 exitcodes=0
+user=dp_app
+group=dp_app
 startsecs=1
 startretries=3
 redirect_stderr=true
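Review bot: Running nginx as `dp_app`, the same account php-fpm is given in the next hunk, collapses the boundary between the web server and the application code: anything nginx can be made to read or write, the PHP workers can too, and vice versa. Patch 3/3 moves nginx to `user=nginx` / `group=nginx`, so this intermediate state should be squashed away rather than left in history. A non-root nginx master also needs write access to its pid path and temp paths, which only move out of /run in patch 2/3, and CAP_NET_BIND_SERVICE if it still binds ports below 1024 — the listen directive is not part of this series, so I cannot tell.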
@@ -22,6 +24,8 @@ command=/usr/sbin/php-fpm8.3 -F
 autostart={{ getenv "SVC_PHP_FPM_ENABLED" "false" | ternary "true" "false" }}
 autorestart=true
 exitcodes=0
+user=dp_app
+group=dp_app
 startsecs=1
 startretries=3
 redirect_stderr=true
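Review bot: With `user=dp_app` on the php-fpm program the master process no longer runs as root, so it must itself be able to write its pid file, its error_log and the listen sockets, and the pool-level `user = dp_app` / `group = dp_app` directives are ignored with a warning from php-fpm. The pid and socket paths only move from /run to /tmp in patch 2/3, so this commit on its own is likely to fail to start php-fpm if /run is root-owned; consider squashing the two. Nothing in the series shows `/var/log/php/fpm_error.log` (visible in the php-fpm.conf hunk of patch 2/3) being made writable by dp_app — confirm the entrypoint or image does that.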

From 8c7a906a39a9f1697795a0169276cdc798b25069 Mon Sep 17 00:00:00 2001
From: Chris Robinson <chris.robinson@deskpro.com>
Date: Thu, 19 Sep 2024 11:04:30 +0100
Subject: [PATCH 2/3] explicitly set nginx and php to use unprivileged
 locations

---
 etc/nginx/conf.d/01-deskpro_setup.conf.tmpl          |  4 ++--
 etc/nginx/conf.d/03-status.conf.tmpl                 |  2 +-
 etc/nginx/conf.d/deskpro_server_params.tmpl          | 12 ++++++------
 etc/nginx/nginx.conf.tmpl                            |  8 +++++++-
 etc/php/8.3/fpm/php-fpm.conf                         |  2 +-
 etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl          |  4 ++--
 etc/supervisor/conf.d/logging.conf.tmpl              |  1 -
 test/serverspec/spec/default_web/default_php_spec.rb |  8 ++++----
 usr/local/bin/phpinfo                                |  2 +-
 usr/local/sbin/entrypoint.d/05-opc.sh                |  2 +-
 usr/local/sbin/entrypoint.d/41-deskpro-config.sh     |  2 +-
 11 files changed, 26 insertions(+), 21 deletions(-)

diff --git a/etc/nginx/conf.d/01-deskpro_setup.conf.tmpl b/etc/nginx/conf.d/01-deskpro_setup.conf.tmpl
index 2f4b827..0635ba9 100644
--- a/etc/nginx/conf.d/01-deskpro_setup.conf.tmpl
+++ b/etc/nginx/conf.d/01-deskpro_setup.conf.tmpl
@@ -1,9 +1,9 @@
 upstream dpv5_api {
-  server unix:/run/php_fpm_dp_default.sock max_fails=0 fail_timeout=0;
+  server unix:/tmp/php_fpm_dp_default.sock max_fails=0 fail_timeout=0;
 }
 
 upstream dpv5_api_internal {
-  server unix:/run/php_fpm_dp_internal.sock max_fails=0 fail_timeout=0;
+  server unix:/tmp/php_fpm_dp_internal.sock max_fails=0 fail_timeout=0;
 }
 
 # dpv5_api_backend: Use separate fpm-pool for internal requests
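Review bot: Moving the fastcgi sockets to `/tmp` (the same change appears in 03-status.conf.tmpl, deskpro_server_params.tmpl, the pool template, usr/local/bin/phpinfo and 05-opc.sh below) puts fixed-name sockets in a world-writable directory, where any other local process can pre-create or replace the path before php-fpm binds it. 05-opc.sh already runs `mkdir -p /run/php-fpm` for the compatibility symlink; a dedicated directory like that, created by the entrypoint and chowned to dp_app, keeps the sockets out of /tmp while remaining writable by the unprivileged master. If /tmp was chosen because it is the only writable location in the image, a comment in the pool template saying so would save the next reader the question.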
diff --git a/etc/nginx/conf.d/03-status.conf.tmpl b/etc/nginx/conf.d/03-status.conf.tmpl
index e6db55e..d38ca1c 100644
--- a/etc/nginx/conf.d/03-status.conf.tmpl
+++ b/etc/nginx/conf.d/03-status.conf.tmpl
@@ -30,6 +30,6 @@ server {
 
     fastcgi_param SCRIPT_NAME '/fpm/status';
     fastcgi_param SCRIPT_FILENAME '/fpm/status';
-    fastcgi_pass unix:/run/php_fpm_$fpm_pool.status.sock;
+    fastcgi_pass unix:/tmp/php_fpm_$fpm_pool.status.sock;
   }
 }
diff --git a/etc/nginx/conf.d/deskpro_server_params.tmpl b/etc/nginx/conf.d/deskpro_server_params.tmpl
index 930c324..3a3612a 100644
--- a/etc/nginx/conf.d/deskpro_server_params.tmpl
+++ b/etc/nginx/conf.d/deskpro_server_params.tmpl
@@ -26,17 +26,17 @@ location / {
 }
 
 location ^~ /sys/services/broadcaster/ {
-    fastcgi_pass unix:/run/php_fpm_dp_broadcaster.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_broadcaster.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ ^/(admin\-api|agent\-api)/ {
-    fastcgi_pass unix:/run/php_fpm_dp_gql.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_gql.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ ^/(ticket\-channels|sys/services)/ {
-    fastcgi_pass unix:/run/php_fpm_dp_internal.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_internal.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
@@ -103,19 +103,19 @@ location ~ ^/deskpro-messenger/assets/ {
 }
 
 location ^~ /firebase-messaging-sw.js {
-    fastcgi_pass unix:/run/php_fpm_dp_default.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_default.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ ^/deskpro-messenger/ {
     add_header X-XSS-Protection "1; mode=block";
     add_header X-Content-Type-Options "nosniff";
-    fastcgi_pass unix:/run/php_fpm_dp_default.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_default.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
 location ~ \.php$ {
-    fastcgi_pass unix:/run/php_fpm_dp_default.sock;
+    fastcgi_pass unix:/tmp/php_fpm_dp_default.sock;
     include /etc/nginx/conf.d/deskpro_fastcgi_params;
 }
 
diff --git a/etc/nginx/nginx.conf.tmpl b/etc/nginx/nginx.conf.tmpl
index 36a24dc..30db0ea 100644
--- a/etc/nginx/nginx.conf.tmpl
+++ b/etc/nginx/nginx.conf.tmpl
@@ -5,7 +5,7 @@ worker_processes 1;
 worker_processes {{ getenv "NGINX_WORKER_PROCESSES" "auto" }};
 {{end}}
 pcre_jit on;
-pid /run/nginx.pid;
+pid /tmp/nginx.pid;
 
 events {
     worker_connections {{ getenv "NGINX_WORKER_CONNECTIONS" "10000" }};
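Review bot: `pid /tmp/nginx.pid` and the temp paths added in the next hunk share the concern raised on the fastcgi sockets: fixed-name files in a world-writable directory that nginx will create or overwrite at start. nginx creates missing temp directories itself, so a dedicated directory created by the entrypoint and owned by the nginx user would work just as well. The naming in the temp-path hunk is also inconsistent — `proxy_temp_path /tmp/proxy_temp_path` against `/tmp/*_temp` for the other four; `proxy_temp_path /tmp/proxy_temp` would match.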
@@ -26,6 +26,12 @@ http {
     ssl_session_timeout 1h;
     ssl_session_tickets off;
 
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+
     log_format logjson escape=json
       '{'
       '"ts":"$time_iso8601", '
diff --git a/etc/php/8.3/fpm/php-fpm.conf b/etc/php/8.3/fpm/php-fpm.conf
index 66a6c59..78a82ad 100644
--- a/etc/php/8.3/fpm/php-fpm.conf
+++ b/etc/php/8.3/fpm/php-fpm.conf
@@ -1,5 +1,5 @@
 [global]
-pid = /run/php-fpm.pid
+pid = /tmp/php-fpm.pid
 error_log = /var/log/php/fpm_error.log
 log_level = notice
 log_limit = 8192
diff --git a/etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl b/etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl
index b66f1b9..e9189f8 100644
--- a/etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl
+++ b/etc/php/8.3/fpm/pool.d/01-deskpro.conf.tmpl
@@ -2,11 +2,11 @@
 user = dp_app
 group = dp_app
 chdir = /srv/deskpro
-listen = /run/php_fpm_{{.}}.sock
+listen = /tmp/php_fpm_{{.}}.sock
 listen.backlog = {{ getenv "PHP_FPM_LISTEN_BACKLOG" "1000" }}
 listen.mode = 0666
 
-pm.status_listen = /run/php_fpm_{{.}}.status.sock
+pm.status_listen = /tmp/php_fpm_{{.}}.status.sock
 pm.status_path = /fpm/status
 
 catch_workers_output = yes
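Review bot: `listen.mode = 0666` stays while the listen path moves to /tmp, so any local process can connect to the FastCGI sockets, and once nginx runs as its own `nginx` account (patch 3/3) that openness is no longer needed. Because the master now runs as dp_app (patch 1/3) it cannot chown the socket to another user, so the workable tightening is `listen.mode = 0660` with the nginx user added to group dp_app, leaving owner and group at the defaults the socket is created with. For the same reason the `user = dp_app` / `group = dp_app` lines at the top of this pool are now ignored with a warning; they are harmless but a comment noting that would avoid confusion.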
diff --git a/etc/supervisor/conf.d/logging.conf.tmpl b/etc/supervisor/conf.d/logging.conf.tmpl
index 0961326..05c6b57 100644
--- a/etc/supervisor/conf.d/logging.conf.tmpl
+++ b/etc/supervisor/conf.d/logging.conf.tmpl
@@ -19,7 +19,6 @@ environment=VECTOR_MARKER="{{ getenv "VECTOR_MARKER" "" }}",VECTOR_COLOR=never
 
 [eventlistener:rotate_logs]
 command=/etc/supervisor/rotate-logs
-user=vector
 events=TICK_60
 autorestart=true
 buffer_size=1
diff --git a/test/serverspec/spec/default_web/default_php_spec.rb b/test/serverspec/spec/default_web/default_php_spec.rb
index a3bf680..3b98dd6 100644
--- a/test/serverspec/spec/default_web/default_php_spec.rb
+++ b/test/serverspec/spec/default_web/default_php_spec.rb
@@ -71,7 +71,7 @@
   end
 
   describe command('phpfpminfo --pool dp_default') do
-    its(:stdout) { should contain "listen = /run/php_fpm_dp_default.sock" }
+    its(:stdout) { should contain "listen = /tmp/php_fpm_dp_default.sock" }
     its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
     its(:stdout) { should contain "pm = ondemand" }
     its(:stdout) { should contain "pm.max_children = 20" }
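Review bot: This spec hunk and the three below it (`@@ -81`, `@@ -91`, `@@ -101`) only track the path rename; nothing in the series asserts the outcome the three commits are actually about, namely that php-fpm and nginx no longer run as root. A `describe process('php-fpm8.3') do its(:user) { should eq 'dp_app' } end` check, and the equivalent for nginx, would catch a regression of the supervisor `user=` lines; the exact process name serverspec matches against needs confirming. A `describe file('/tmp/php_fpm_dp_default.sock') do it { should be_socket } end` check would also pin the listen path from outside php-fpm's own config dump.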
@@ -81,7 +81,7 @@
   end
 
   describe command('phpfpminfo --pool dp_internal') do
-    its(:stdout) { should contain "listen = /run/php_fpm_dp_internal.sock" }
+    its(:stdout) { should contain "listen = /tmp/php_fpm_dp_internal.sock" }
     its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
     its(:stdout) { should contain "pm = ondemand" }
     its(:stdout) { should contain "pm.max_children = 1000" }
@@ -91,7 +91,7 @@
   end
 
   describe command('phpfpminfo --pool dp_gql') do
-    its(:stdout) { should contain "listen = /run/php_fpm_dp_gql.sock" }
+    its(:stdout) { should contain "listen = /tmp/php_fpm_dp_gql.sock" }
     its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
     its(:stdout) { should contain "pm = ondemand" }
     its(:stdout) { should contain "pm.max_children = 20" }
@@ -101,7 +101,7 @@
   end
 
   describe command('phpfpminfo --pool dp_broadcaster') do
-    its(:stdout) { should contain "listen = /run/php_fpm_dp_broadcaster.sock" }
+    its(:stdout) { should contain "listen = /tmp/php_fpm_dp_broadcaster.sock" }
     its(:stdout) { should match /php_admin_value\[display_errors\] =\s*$/ }
     its(:stdout) { should contain "pm = ondemand" }
     its(:stdout) { should contain "pm.max_children = 1000" }
diff --git a/usr/local/bin/phpinfo b/usr/local/bin/phpinfo
index b601d85..56c563b 100755
--- a/usr/local/bin/phpinfo
+++ b/usr/local/bin/phpinfo
@@ -39,7 +39,7 @@ if [[ $use_php_fpm -eq 1 ]]; then
   SCRIPT_NAME=/usr/local/share/deskpro/phpinfo.php \
     SCRIPT_FILENAME=/usr/local/share/deskpro/phpinfo.php \
     REQUEST_METHOD=GET \
-    cgi-fcgi -bind -connect /run/php_fpm_dp_default.sock
+    cgi-fcgi -bind -connect /tmp/php_fpm_dp_default.sock
 else
   php /usr/local/share/deskpro/phpinfo.php
 fi
diff --git a/usr/local/sbin/entrypoint.d/05-opc.sh b/usr/local/sbin/entrypoint.d/05-opc.sh
index 9cb3b70..a8ae3f0 100755
--- a/usr/local/sbin/entrypoint.d/05-opc.sh
+++ b/usr/local/sbin/entrypoint.d/05-opc.sh
@@ -35,7 +35,7 @@ opc_main() {
 
   boot_log_message DEBUG "[bc_opc_2_8] Linking /run/php-fpm/dp_default.sock -> /run/php_fpm_dp_default.sock"
   mkdir -p /run/php-fpm
-  ln -sf /run/php_fpm_dp_default.sock /run/php-fpm/dp_default.sock
+  ln -sf /tmp/php_fpm_dp_default.sock /run/php-fpm/dp_default.sock
 
   for pool in "dp_broadcaster" "dp_default" "dp_gql" "dp_internal"; do
     if [ -e "/deskpro/config/${pool}.conf" ]; then
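Review bot: The boot_log_message two lines above the change still reads `Linking /run/php-fpm/dp_default.sock -> /run/php_fpm_dp_default.sock`, but the `ln -sf` now points at `/tmp/php_fpm_dp_default.sock`, so the debug log misreports the link target. Update it to `boot_log_message DEBUG "[bc_opc_2_8] Linking /run/php-fpm/dp_default.sock -> /tmp/php_fpm_dp_default.sock"`. The compatibility symlink now also points from a root-owned directory into /tmp, so consumers of /run/php-fpm/dp_default.sock inherit the /tmp exposure raised on the nginx upstream hunk. opc_main continues outside the hunk.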
diff --git a/usr/local/sbin/entrypoint.d/41-deskpro-config.sh b/usr/local/sbin/entrypoint.d/41-deskpro-config.sh
index 23add82..fd74960 100755
--- a/usr/local/sbin/entrypoint.d/41-deskpro-config.sh
+++ b/usr/local/sbin/entrypoint.d/41-deskpro-config.sh
@@ -25,7 +25,7 @@ function deskpro_config_main() {
     done
   } > /srv/deskpro/INSTANCE_DATA/config.php
 
-  chown root:root "/srv/deskpro/INSTANCE_DATA/config.php"
+  chown dp_app:dp_app "/srv/deskpro/INSTANCE_DATA/config.php"
   chmod 0644 "/srv/deskpro/INSTANCE_DATA/config.php"
 }
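Review bot: `chown dp_app:dp_app` on config.php combined with the unchanged `chmod 0644` makes the application's own runtime user the owner of its configuration file, so a compromised PHP worker can rewrite config.php and persist the change, and the file stays readable by every other account in the container (including the nginx user from patch 3/3). If dp_app only needs to read it, `chown root:dp_app` with `chmod 0640` gives the app read access without write access and hides the file from everyone else; if the app genuinely writes to it, the commit message should say so. The contents of config.php are not visible here, but the tighter mode costs nothing either way.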
 

From 808b66a25e093b663913ecfda33c1173d4e2dccc Mon Sep 17 00:00:00 2001
From: Chris Robinson <chris.robinson@deskpro.com>
Date: Thu, 19 Sep 2024 13:41:05 +0100
Subject: [PATCH 3/3] run nginx as nginx user

---
 etc/supervisor/conf.d/web.conf.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/etc/supervisor/conf.d/web.conf.tmpl b/etc/supervisor/conf.d/web.conf.tmpl
index e4dec49..13627dc 100644
--- a/etc/supervisor/conf.d/web.conf.tmpl
+++ b/etc/supervisor/conf.d/web.conf.tmpl
@@ -3,8 +3,8 @@ command=/usr/sbin/nginx -g "daemon off;"
 autostart={{ getenv "SVC_NGINX_ENABLED" "false" | ternary "true" "false" }}
 autorestart=true
 exitcodes=0
-user=dp_app
-group=dp_app
+user=nginx
+group=nginx
 startsecs=1
 startretries=3
 redirect_stderr=true
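Review bot: Switching the nginx program to `user=nginx` / `group=nginx` assumes the image has that account and that nginx's log directories, pid path and temp paths are writable by it; none of that is visible in the series, and supervisord rejects the whole config at load time if a `user=` name cannot be resolved. If the server still listens on 80/443, a non-root master also needs CAP_NET_BIND_SERVICE or ports above 1024 — the listen directive is outside this series. With nginx and php-fpm now on separate accounts, the pool's `listen.mode = 0666` (pool template hunk in patch 2/3) is the remaining gap; `listen.mode = 0660` plus nginx in group dp_app closes it.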