
Running apache as an arbitrary user gives "bad user name" error #505


Closed
ghost opened this issue Jun 13, 2020 · 16 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@ghost

ghost commented Jun 13, 2020

I am using:

  • Docker Desktop WSL 2 backend
  • wordpress:php7.4-apache

I have the wordpress folder mounted to /var/www/html. Because the files are owned by www-data, I can't edit them. I try to run the image as an arbitrary user, but I get apache2: bad user name 1000.

Code for testing purposes:

docker run -d \
--name wordpress \
--mount type=bind,source=/home/adrian/workspace/wordpress,target=/var/www/html \
-e APACHE_RUN_USER=1000 \
-e APACHE_RUN_GROUP=1000 \
wordpress:php7.4-apache

wglambert added the question label Jun 15, 2020
@wglambert

For the APACHE_RUN_USER variable you need to include the # with it
https://github.com/docker-library/docs/tree/master/php#running-as-an-arbitrary-user

https://httpd.apache.org/docs/2.4/mod/mod_unixd.html#user
# followed by a user number.

@ghost
Author

ghost commented Jun 15, 2020

How did I miss that? Thank you!

@ghost ghost closed this as completed Jun 15, 2020
@ghost
Author

ghost commented Jun 17, 2020

I have one more question because running as an arbitrary-user still does not solve the underlying issue that I am facing.

With this image, I should be able to:

  • Edit the bind-mounted files
  • Update core, theme, and plugins through dashboard

By default, I can do only one thing at a time. Am I missing anything? What would be a recommended and clean solution?

@ghost ghost reopened this Jun 17, 2020
@wglambert

It's possibly a permissions error, what specific issue are you getting when you try to "do more than one thing at a time" through the dashboard?

You could also try asking over at the Docker Community Forums, Docker Community Slack, or Stack Overflow, since these repos aren't really a user-help forum.

@ghost
Author

ghost commented Jun 17, 2020

Yes, it is about permissions.

  • If I run the image as it is, I am not able to edit the files.
  • If I run the image as an arbitrary user, I can edit the files, but I can't do updates through the dashboard. It will ask for FTP.

@wglambert

You'll want to make your bind-mount permissible to the user in the container or change the user in the container to fit.
#369 (comment) #246 (comment)

@ghost ghost closed this as completed Jun 17, 2020
@ghost
Author

ghost commented Jun 17, 2020

I think I am not explaining it well. Since I am running the container as an arbitrary user (Ubuntu 1000:1000), shouldn't I be able to install updates through the WordPress dashboard as well?

I run this code:

docker run -d \
--name wordpress10 \
--network dev \
-e WORDPRESS_DB_HOST=mariadb \
-e WORDPRESS_DB_USER=root \
-e WORDPRESS_DB_PASSWORD=root \
-e WORDPRESS_DB_NAME=wordpress \
-e WORDPRESS_DEBUG=1 \
-e APACHE_RUN_USER=#1000 \
-e APACHE_RUN_GROUP=#1000 \
-p 80:80 \
--mount type=bind,source=/home/adrian/workspace/wordpress10,target=/var/www/html \
wordpress:php7.4-apache

I check the file permission, all good

adrian@DESKTOP-A4FC2UH:~/workspace$ stat wordpress10
  File: wordpress10
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 830h/2096d      Inode: 42693       Links: 5
Access: (0755/drwxr-xr-x)  Uid: ( 1000/  adrian)   Gid: ( 1000/  adrian)
Access: 2020-06-17 15:11:20.350000000 +0300
Modify: 2020-06-17 15:11:20.350000000 +0300
Change: 2020-06-17 15:11:20.350000000 +0300

Now, I open it in browser, install WordPress and try to update through dashboard:
To perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to proceed. If you do not remember your credentials, you should contact your web host.

@wglambert

In the container Apache is running as 1000:1000 but WordPress is www-data, you'll want to add --user 1000:1000 to your docker run line

@ghost
Author

ghost commented Jun 17, 2020

If I add --user, I get Cannot mkdir: Permission denied, and the main folder is created as root.

adrian@DESKTOP-A4FC2UH:~/workspace$ stat wordpress20
  File: wordpress20
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 810h/2064d      Inode: 46090       Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)

@wglambert

I can't reproduce, also you're stating "wordpress20" instead of "wordpress10" as your docker run command had shown. But I don't see anything that would change the owner of that folder to root

$ ls -l
total 8
-rw-r--r--    1 root     root           578 Jun 17 16:51 docker-compose.yml
drwxr-xr-x    5 1000     1000          4096 Jun 17 16:53 test

$ docker run -d --name wordpress10 --name wordpress -e WORDPRESS_DB_HOST=mariadb -e WORDPRESS_DB_USER=root -e WORDPRESS_DB_PASSWORD=root -e WORDPRESS_DB_NAME=wordpress -e WORDPRESS_DEBUG=1 -e APACHE_RUN_USER=#1000 -e APACHE_RUN_GROUP=#1000 -p 80:80 --mount type=bind,source="$PWD"/test,target=/var/www/html wordpress:php7.4-apache
dda3bc62dc4b18b675786810fb394c518783be6754d0262077756a448eb644f8

$ docker exec -it wordpress bash

root@dda3bc62dc4b:/var/www/html# ls -al
total 216
drwxr-xr-x  5 1000 1000  4096 Jun 17 16:53 .
drwxr-xr-x  1 root root    18 Jun  9 13:35 ..
-rw-r--r--  1 1000 1000   234 Jun 17 16:53 .htaccess
-rw-r--r--  1 1000 1000   405 Feb  6 06:33 index.php
-rw-r--r--  1 1000 1000 19915 Feb 12 11:54 license.txt
-rw-r--r--  1 1000 1000  7278 Jan 10 14:05 readme.html
-rw-r--r--  1 1000 1000  6912 Feb  6 06:33 wp-activate.php
drwxr-xr-x  9 1000 1000  4096 Jun 10 21:48 wp-admin
-rw-r--r--  1 1000 1000   351 Feb  6 06:33 wp-blog-header.php
-rw-r--r--  1 1000 1000  2332 Jun  2 20:26 wp-comments-post.php
-rw-r--r--  1 1000 1000  2823 Jun 17 16:53 wp-config-sample.php
-rw-r--r--  1 1000 1000  3187 Jun 17 16:53 wp-config.php
drwxr-xr-x  4 1000 1000    52 Jun 10 21:48 wp-content
-rw-r--r--  1 1000 1000  3940 Feb  6 06:33 wp-cron.php
drwxr-xr-x 21 1000 1000  8192 Jun 10 21:48 wp-includes
-rw-r--r--  1 1000 1000  2496 Feb  6 06:33 wp-links-opml.php
-rw-r--r--  1 1000 1000  3300 Feb  6 06:33 wp-load.php
-rw-r--r--  1 1000 1000 47874 Feb 10 03:50 wp-login.php
-rw-r--r--  1 1000 1000  8509 Apr 14 11:34 wp-mail.php
-rw-r--r--  1 1000 1000 19396 Apr 10 03:59 wp-settings.php
-rw-r--r--  1 1000 1000 31111 Feb  6 06:33 wp-signup.php
-rw-r--r--  1 1000 1000  4755 Feb  6 06:33 wp-trackback.php
-rw-r--r--  1 1000 1000  3133 Feb  6 06:33 xmlrpc.php
root@dda3bc62dc4b:/var/www/html# cd ..

root@dda3bc62dc4b:/var/www# stat html/
  File: html/
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 300054h/3145812d        Inode: 18758       Links: 5
Access: (0755/drwxr-xr-x)  Uid: ( 1000/ UNKNOWN)   Gid: ( 1000/ UNKNOWN)
Access: 2020-06-17 16:53:34.659873536 +0000
Modify: 2020-06-17 16:53:24.723813553 +0000
Change: 2020-06-17 16:53:24.723813553 +0000

root@dda3bc62dc4b:/var/www# exit
exit

$ stat test
  File: test
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 300054h/3145812d        Inode: 18758       Links: 5
Access: (0755/drwxr-xr-x)  Uid: ( 1000/ UNKNOWN)   Gid: ( 1000/ UNKNOWN)
Access: 2020-06-17 16:53:34.000000000
Modify: 2020-06-17 16:53:24.000000000
Change: 2020-06-17 16:53:24.000000000

@ghost
Author

ghost commented Jun 17, 2020

In your test, you added APACHE_RUN variables, it created those files with the right permission. But, now if you install WordPress, you can't update, it will ask for FTP.

In your previous comment, you mentioned --user 1000:1000, and that's what gives permission denied. Does it make sense?

@wglambert

wglambert commented Jun 17, 2020

I'm not able to reproduce

docker-compose.yml:

version: '3.1'

services:

  wordpress:
    image: wordpress
    restart: always
    ports:
      - 8080:80
    user: 1000:1000
    environment:
      APACHE_RUN_USER: '#1000'
      APACHE_RUN_GROUP: '#1000'
      WORDPRESS_DB_HOST: db
      WORDPRESS_DB_USER: exampleuser
      WORDPRESS_DB_PASSWORD: examplepass
      WORDPRESS_DB_NAME: exampledb
    volumes:
      - ./test:/var/www/html
    sysctls:
      net.ipv4.ip_unprivileged_port_start: 0

  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_DATABASE: exampledb
      MYSQL_USER: exampleuser
      MYSQL_PASSWORD: examplepass
      MYSQL_RANDOM_ROOT_PASSWORD: '1'
    volumes:
      - db:/var/lib/mysql

volumes:
  db:

$ mkdir test

$ chmod 755 test && chown 1000:1000 test

$ docker-compose up -d
Creating network "wordpress_default" with the default driver
Creating volume "wordpress_wordpress" with default driver
Creating volume "wordpress_db" with default driver
Starting wordpress_wordpress_1 ... done
Creating wordpress_db_1        ... done

$ docker exec wordpress_wordpress_1 stat /var/www/html
  File: /var/www/html
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d      Inode: 1104462     Links: 5
Access: (0755/drwxr-xr-x)  Uid: ( 1000/ UNKNOWN)   Gid: ( 1000/ UNKNOWN)
Access: 2020-06-17 17:47:05.668777171 +0000
Modify: 2020-06-17 17:48:12.760656287 +0000
Change: 2020-06-17 17:48:12.760656287 +0000

$ stat test
  File: test
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d      Inode: 1104462     Links: 5
Access: (0755/drwxr-xr-x)  Uid: ( 1000/ UNKNOWN)   Gid: ( 1000/ UNKNOWN)
Access: 2020-06-17 10:47:05.668777171 -0700
Modify: 2020-06-17 10:48:12.760656287 -0700
Change: 2020-06-17 10:48:12.760656287 -0700

You could also try asking over at the Docker Community Forums, Docker Community Slack, or Stack Overflow, since these repos aren't really a user-help forum.

@yosifkit
Member

yosifkit commented Jun 17, 2020

I have to ask, are you running on OSX or Windows 10? The reason I ask is that the permissions presented to the container across the bind mount from the host to the VM are very screwy. The container sees everything as root owned but has access to change things if they try, but most programs see the permissions and bail (as they should).

@ghost
Author

ghost commented Jun 17, 2020

  • Windows 10 Version 2004
  • Docker Desktop WSL 2 backend
  • Ubuntu 20.04
  • The bind-mount is on WSL / Ubuntu
  • I access it using VS Code Remote WSL

@yosifkit
Member

> running on OSX or Windows 10 [...] The container sees everything as root owned [on the bind mount]

Due to the way Docker Desktop shares the local file system to the container (--mount), there is nothing we can do in the image. Wordpress/PHP sees it as root owned (with 755? permissions) and so assumes that it does not have access.

@ghost
Author

ghost commented Jun 18, 2020

I figured it out. It looks counter-intuitive at first, but now it makes sense. I am posting the code here, for the record.

  1. You have to manually create the mount source folder and make sure it has the right permissions.
    mkdir wordpress

  2. Create the container. You have to use both APACHE_RUN variables and --user flag.

docker run -d \
--name wordpress \
--network dev \
-e WORDPRESS_DB_HOST=mariadb \
-e WORDPRESS_DB_USER=root \
-e WORDPRESS_DB_PASSWORD=root \
-e WORDPRESS_DB_NAME=wordpress \
-e WORDPRESS_DEBUG=1 \
-e APACHE_RUN_GROUP=#1000 \
-e APACHE_RUN_USER=#1000 \
-p 80:80 \
--user 1000:1000 \
--sysctl net.ipv4.ip_unprivileged_port_start=0 \
--mount type=bind,source="$PWD"/wordpress,target=/var/www/html \
wordpress:php7.4-apache
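
A pre-flight check for the setup in the comment above, added here as an example; it is not code from the thread or from the docker-library project. The function names are hypothetical. It checks that both APACHE_RUN_* values use the '#' plus number form matching the --user IDs, and that the mount source already exists with that owner.

```shell
#!/bin/sh
# Added example, not code from the thread or the docker-library project.

# Classify a value the way Apache's User/Group directives read it:
# a name, or '#' followed by a number. A bare "1000" is treated as a
# user name, hence "bad user name 1000" in the first post.
apache_id_form() {
    case "$1" in
        '' | '#')      echo invalid ;;
        '#'*[!0-9]*)   echo invalid ;;
        '#'*)          echo numeric ;;
        *[!0-9]*)      echo name ;;
        *)             echo bare-number ;;
    esac
}

# Print numeric "uid:gid" of a path (ls -n is POSIX, so no GNU stat needed).
dir_owner() {
    ls -nd -- "$1" | awk '{ print $3 ":" $4 }'
}

# 0: directory exists and is owned by uid:gid; 1: wrong owner; 2: missing.
mount_source_ok() {
    dir=$1; want=$2
    [ -d "$dir" ] || { echo "missing: mkdir $dir before docker run" >&2; return 2; }
    have=$(dir_owner "$dir")
    [ "$have" = "$want" ] || { echo "$dir owned by $have, want $want" >&2; return 1; }
}

# preflight DIR UID:GID APACHE_RUN_USER APACHE_RUN_GROUP
# Checks that --user, both APACHE_RUN_* values and the mount source agree.
preflight() {
    src=$1; ids=$2; rc=0
    [ "$3" = "#${ids%%:*}" ] || { echo "APACHE_RUN_USER is '$3' ($(apache_id_form "$3")), want '#${ids%%:*}'" >&2; rc=1; }
    [ "$4" = "#${ids##*:}" ] || { echo "APACHE_RUN_GROUP is '$4' ($(apache_id_form "$4")), want '#${ids##*:}'" >&2; rc=1; }
    mount_source_ok "$src" "$ids" || rc=1
    return "$rc"
}

# Constructed sample values: the two spellings from the thread plus a name.
for v in 1000 '#1000' www-data; do
    printf '%-10s -> %s\n' "$v" "$(apache_id_form "$v")"
done
```

Calling preflight "$PWD"/wordpress 1000:1000 '#1000' '#1000' before docker run returns non-zero when any of the three does not line up.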

This issue was closed.