Add user privileges to alter contents of /usr/share/nginx/html #99
Closed
mstaal opened this issue Jul 24, 2022 · 5 comments

Comments

mstaal commented Jul 24, 2022

Is your feature request related to a problem? Please describe

The default nginx user supplied by the image cannot execute scripts that alter the contents of /usr/share/nginx/html. I would like to be able to do that so that I can add a /docker-entrypoint.d script that adds a JS/JSON file with environment variables for a static React build.

Describe the solution you'd like

I have currently made a trick myself based on your own Dockerfiles and how they provide ownership and rights to the /etc/nginx and /var/cache/nginx directories. The trick follows from the snippet below. After having made the trick, I add the shell script to /docker-entrypoint.d, and everything works as expected. I hope you will consider including this (or a similar) change in your base image.

# build-stage is the author's earlier build stage (not shown in the issue)
FROM nginxinc/nginx-unprivileged:1.23.1-alpine

ARG UID=101
# switch to root only for the ownership change, then back to the unprivileged UID
USER root
# implement changes to run NGINX as an unprivileged user
# let nginx user own the html directory to write environment variables
RUN chown -R $UID:0 /usr/share/nginx/html && chmod -R g+w /usr/share/nginx/html
USER $UID

# COPY without --chown creates the copied files as root (UID/GID 0); the entrypoint
# script can still add a new file because the directory itself is now owned by $UID
COPY --from=build-stage /app/build/ /usr/share/nginx/html
# env.sh must be executable: the image's entrypoint skips non-executable scripts
COPY --from=build-stage /app/env.sh /docker-entrypoint.d

EXPOSE 8080

Describe alternatives you've considered

Alternatively, it would be nice to have some clearer documentation on how to execute scripts / alter the contents of /usr/share/nginx/html. It took me a lot of time to understand the default constraints of nginx-unprivileged.

thresheek (Member) commented

The problem here is that making /usr/share/nginx/html user-writable means that during the lifetime of a container it will be writable by the same worker processes nginx spawns, which is a bad idea security-wise.

mstaal (Author) commented Jul 25, 2022

> The problem here is that making /usr/share/nginx/html user-writable means that during the lifetime of a container it will be writable by the same worker processes nginx spawns, which is a bad idea security-wise.

Could an alternative be to make a separate entrypoint script that removes the user writability after the remaining entrypoint scripts have been executed? I feel it would be nice to have some sort of (secure) way of injecting environment variables into an image during spin-up of the image.

thresheek (Member) commented

Well, we can't even make it user-writable during the entrypoint script since they're also launched as an unprivileged user.

Regarding injecting variables into the image, would the following work for you instead: nginx/docker-nginx#431 and nginx/docker-nginx#687?

mstaal (Author) commented Jul 27, 2022

> Well, we can't even make it user-writable during the entrypoint script since they're also launched as an unprivileged user.
>
> Regarding injecting variables into the image, would the following work for you instead: nginxinc/docker-nginx#431 and nginxinc/docker-nginx#687?

Thanks for the suggestion - I will take a look at it!

alessfg (Member) commented Sep 24, 2024

Closing this for the time being! Hopefully the above links did end up proving useful!

alessfg closed this as completed Sep 24, 2024