Run nginx as unprevileged user

Author: rcmadhankumar

src/bci_build/package/appcontainers.py

@@ -278,6 +278,8 @@ def _get_nginx_kwargs(os_version: OsVersion):
                 "nginx",
                 "findutils",
                 _envsubst_pkg_name(os_version),
+                "sed",
+                "grep",
             ]
         )
         + (["libcurl-mini4"] if os_version.is_sl16 else []),
@@ -298,8 +300,15 @@ def _get_nginx_kwargs(os_version: OsVersion):
             COPY index.html /srv/www/htdocs/
             {DOCKERFILE_RUN} chmod +x /docker-entrypoint.d/*.sh /usr/local/bin/docker-entrypoint.sh
             {DOCKERFILE_RUN} install -d -o nginx -g nginx -m 750 /var/log/nginx; \
+                install -d /var/cache/nginx /var/run/nginx; \
                 ln -sf /dev/stdout /var/log/nginx/access.log; \
-                ln -sf /dev/stderr /var/log/nginx/error.log
+                ln -sf /dev/stderr /var/log/nginx/error.log; \
+                chown -R nginx:nginx /var/cache/nginx; \
+                chown -R nginx:nginx /etc/nginx; \
+                chown -R nginx:nginx /var/run/nginx; \
+                install -d -o nginx -g nginx /tmp/client_temp /tmp/proxy_temp /tmp/fastcgi_temp /tmp/uwsgi_temp /tmp/scgi_temp; \
+                chown -R nginx:nginx /tmp; \
+                chmod -R g+w /var/cache/nginx /var/log/nginx /etc/nginx /var/run/nginx /tmp
             STOPSIGNAL SIGQUIT"""),
     }
 

src/bci_build/package/nginx/README.md.j2

@@ -41,6 +41,12 @@ The template above is then rendered to `/etc/nginx/conf.d/default.conf` as follo
 ```nginx
 listen  80;
 ```
+## Running nginx as a non-root user
+To run the image as a less privileged user using the `nginx` user, do the following:
+```ShellSession
+$ podman run -it --user nginx --rm -p 8080:8080 -v /path/to/html/:/srv/www/htdocs/:Z -v $PWD/nginx.conf:/etc/nginx/nginx.conf:Z {{ image.pretty_reference }}
+```
+**Note:** When running as the `nginx` user the default port is 8080.
 
 ## Environment variables
 

src/bci_build/package/nginx/docker-entrypoint.sh

@@ -44,4 +44,23 @@ if [ "$1" = "nginx" ] || [ "$1" = "nginx-debug" ]; then
     fi
 fi
 
+# Ensure PID path is set to /var/run/nginx.pid for both privileged and unprivileged users
+sed -i 's,^#\?\s*pid\s\+.*;$,pid /var/run/nginx/nginx.pid;,' /etc/nginx/nginx.conf
+# modify temp paths for both privileged and unprivileged users
+sed -i "/^http {/a \        proxy_temp_path /tmp/proxy_temp;\n        client_body_temp_path /tmp/client_temp;\n        fastcgi_temp_path /tmp/fastcgi_temp;\n        uwsgi_temp_path /tmp/uwsgi_temp;\n        scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf
+
+CURRENT_UID=$(id -u)
+if [ "$CURRENT_UID" -gt "0" ]; then
+    # Running as Unprivileged User
+    entrypoint_log "$0: Running as unprivileged user (UID: $CURRENT_UID). Configuring for unprivileged mode (Port 8080)."
+
+    # Remove 'user' directive (unprivileged users can't switch users)
+    sed -i '/^user/d' /etc/nginx/nginx.conf
+    entrypoint_log "$0: Removed 'user' directive for unprivileged worker."
+
+    sed -i 's/listen \(.*\)80;/listen \18080;/' /etc/nginx/conf.d/default.conf 2>/dev/null || \
+    sed -i 's/listen \(.*\)80;/listen \18080;/' /etc/nginx/nginx.conf 2>/dev/null || true
+    entrypoint_log "$0: Listening on port 8080."
+fi
+
 exec "$@"