Merge pull request #1400 from adamoutler/root-fixes

fix: root access PHP & Nginx
2026-01-18 11:48:26 -05:00 · 2026-01-10 18:19:16 +11:00
parent 7c441afd4a 15679a6a21
commit 130c40609d
4 changed files with 22 additions and 3 deletions
--- a/install/production-filesystem/services/config/nginx/netalertx.conf.template
+++ b/install/production-filesystem/services/config/nginx/netalertx.conf.template
@@ -1,3 +1,6 @@
+# Set user if running as root (substituted by start-nginx.sh)
+${NGINX_USER_DIRECTIVE}
+
 # Set number of worker processes automatically based on number of CPU cores.
 worker_processes auto;

--- a/install/production-filesystem/services/config/php/php-fpm.d/www.conf
+++ b/install/production-filesystem/services/config/php/php-fpm.d/www.conf
@@ -491,9 +491,11 @@ env[TEMP] = /tmp/run/tmp
 ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
 php_admin_value[sys_temp_dir] = /tmp/run/tmp
 php_admin_value[upload_tmp_dir] = /tmp/run/tmp
-php_admin_value[session.save_path] = /tmp/run/tmp
-php_admin_value[output_buffering] = 262144
+php_admin_value[upload_max_filesize] = 1M
+php_admin_value[post_max_size] = 1M
+php_admin_value[output_buffering] = 524288
 php_admin_flag[implicit_flush] = off
 php_admin_value[realpath_cache_size] = 4096K
+php_admin_value[session.save_path] = /tmp/run/tmp
 php_admin_value[realpath_cache_ttl] = 600
 php_admin_value[memory_limit] = 256M
--- a/install/production-filesystem/services/start-nginx.sh
+++ b/install/production-filesystem/services/start-nginx.sh
@@ -35,9 +35,16 @@ done

 TEMP_CONFIG_FILE=$(mktemp "${TMP_DIR}/netalertx.conf.XXXXXX")

+#In the event PUID is 0 we need to run nginx as root
+#This is useful on legacy systems where we cannot provision root access to a binary
+export NGINX_USER_DIRECTIVE=""
+if [ "$(id -u)" -eq 0 ]; then
+    NGINX_USER_DIRECTIVE="user root;"
+fi
+
 # Shell check doesn't recognize envsubst variables
 # shellcheck disable=SC2016
-if envsubst '${LISTEN_ADDR} ${PORT}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${TEMP_CONFIG_FILE}" 2>/dev/null; then
+if envsubst '${LISTEN_ADDR} ${PORT} ${NGINX_USER_DIRECTIVE}' < "${SYSTEM_NGINX_CONFIG_TEMPLATE}" > "${TEMP_CONFIG_FILE}" 2>/dev/null; then
 	mv "${TEMP_CONFIG_FILE}" "${SYSTEM_SERVICES_ACTIVE_CONFIG_FILE}"
 else
 	echo "Note: Unable to write to ${SYSTEM_SERVICES_ACTIVE_CONFIG_FILE}. Using default configuration."
--- a/install/production-filesystem/services/start-php-fpm.sh
+++ b/install/production-filesystem/services/start-php-fpm.sh
@@ -28,6 +28,13 @@ trap forward_signal INT TERM

 echo "Starting /usr/sbin/php-fpm83 -y \"${PHP_FPM_CONFIG_FILE}\" -F (tee stderr to app.php_errors.log)"
 php_fpm_cmd=(/usr/sbin/php-fpm83 -y "${PHP_FPM_CONFIG_FILE}" -F)
+
+#In the event PUID is 0 we need to run php-fpm as root
+#This is useful on legacy systems where we cannot provision root access to a binary
+if [[ $(id -u) -eq 0 ]]; then
+  php_fpm_cmd+=(-R)
+fi
+
 "${php_fpm_cmd[@]}" 2> >(tee -a "${LOG_APP_PHP_ERRORS}" >&2) &
 php_fpm_pid=$!