In the Docker image, generic production settings for PHP are not configured. For example, the `display_errors` setting has the value `On` while the recommendation in `php.ini-production` is `Off`. From a security view this can be seen as a suboptimal configuration. Is this an opportunity for a security improvement?

The solution is quite easy as the `php.ini-production` file provides a template. During the image build the template file can be copied and modified in a few places to suit the Nextcloud demands. In a Dockerfile:
```dockerfile
# Start from the production template, then adjust it for Nextcloud.
RUN cp /usr/local/etc/php/php.ini-production /usr/local/etc/php/php.ini && \
    sed -i 's/^memory_limit/;memory_limit/' /usr/local/etc/php/php.ini && \
    sed -i 's/^post_max_size/;post_max_size/' /usr/local/etc/php/php.ini && \
    sed -i 's/^upload_max_filesize/;upload_max_filesize/' \
        /usr/local/etc/php/php.ini && \
    sed -i 's/^expose_php.*$/expose_php = Off/' /usr/local/etc/php/php.ini && \
    sed -i 's/^max_execution_time.*$/max_execution_time = 3600/' \
        /usr/local/etc/php/php.ini && \
    sed -i 's/^max_input_time.*$/max_input_time = 3600/' \
        /usr/local/etc/php/php.ini
```
The first three `sed` commands comment out values that are already set in `./conf.d/nextcloud.ini`. The fourth `sed` disables the unneeded `X-Powered-By` header, and the last two `sed` commands are a prerequisite to enable large file upload. This change was tested on a Nextcloud production server (21.0.5) and seems to run without errors. Can this change be applied to the Nextcloud 21-apache Docker image (and other images)?
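A build-time check for the edits proposed above, added here as an example and not part of the original issue: a `sed` substitution whose pattern matches nothing leaves the file unchanged and still exits 0, so the check reads back the effective values instead. The function names and the sample excerpt are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue): fail the build when php.ini lacks the
# expected production values, e.g. because a sed pattern matched nothing.

# Print the effective value of directive $2 in ini file $1. Commented-out
# lines are ignored and the last uncommented assignment is taken.
ini_value() {
    awk -v key="$2" '
        /^[ \t]*;/ || !/=/ { next }
        {
            name = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", name)
            if (name != key) next
            val = substr($0, index($0, "=") + 1)
            sub(/;.*$/, "", val)                 # strip trailing comment
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            found = 1
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# Check each "name=expected" pair against file $1. Every mismatch is
# reported on stderr; the return code is non-zero if any pair failed.
check_ini() {
    file=$1; shift; rc=0
    for pair in "$@"; do
        name=${pair%%=*}; want=${pair#*=}
        if got=$(ini_value "$file" "$name"); then
            [ "$got" = "$want" ] || { echo "FAIL $name: '$got' != '$want'" >&2; rc=1; }
        else
            echo "FAIL $name: not set in $file" >&2; rc=1
        fi
    done
    return $rc
}

# Constructed sample: write a small php.ini-style excerpt to file $1 after
# applying three of the issue's sed expressions. max_input_time is commented
# out here on purpose, so its sed pattern matches nothing.
make_sample() {
    printf '%s\n' '[PHP]' 'display_errors = Off' 'expose_php = On' \
        'max_execution_time = 30' ';max_input_time = 60' |
    sed -e 's/^expose_php.*$/expose_php = Off/' \
        -e 's/^max_execution_time.*$/max_execution_time = 3600/' \
        -e 's/^max_input_time.*$/max_input_time = 3600/' > "$1"
}
```

Run as the last command of the same `RUN` step, `check_ini /usr/local/etc/php/php.ini display_errors=Off expose_php=Off max_execution_time=3600 max_input_time=3600` stops the image build when one of the values did not take effect.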