Change of permissions in entrypoint.sh #13

Closed
lycofron opened this issue May 13, 2019 · 2 comments

@lycofron

Hi,

I migrated from Lychee 3 and I got it to work, read-only though. As I tried to upload a photo (just to see if I can) all I got was this:

2019-05-12 19:56:56 -- error -- App\ModelFunctions\PhotoFunctions::add -- 262 -- Could not move photo to uploads

About my setup: a machine running docker, upload and config directories on a separate storage server via SMB/CIFS share.

I suspected that this must be permissions related, so I tried a simple write to the uploads directory.

www-data@docker-container:~/html/Lychee-Laravel$ cd /uploads
www-data@docker-container:/uploads$ touch file.txt
touch: cannot touch 'file.txt': Permission denied
www-data@docker-container:/uploads$ ls -l file.txt
-rw-r--r--+ 1 lychee lychee 0 May 13 09:52 file.txt
www-data@docker-container:/uploads$ logout
<redacted>:~/.docker/main-services$ docker exec -ti -u lychee mainservices_lychee-laravel_1 /bin/bash -l
lychee@docker-container:/var/www/html/Lychee-Laravel$ cd /uploads
lychee@docker-container:/uploads$ touch file.txt
lychee@docker-container:/uploads$ ls -l file.txt
-rw-r--r--+ 1 lychee lychee 0 May 13 09:53 file.txt
lychee@docker-container:/uploads$ rm file.txt 
lychee@docker-container:/uploads$ touch file.txt
lychee@docker-container:/uploads$ ls -l file.txt
-rw-r--r--+ 1 lychee lychee 0 May 13 09:54 file.txt
lychee@docker-container:/uploads$ echo "hello" > file.txt 
lychee@docker-container:/uploads$ ls -l file.txt
-rw-r--r--+ 1 lychee lychee 6 May 13 09:54 file.txt
lychee@docker-container:/uploads$ cat file.txt 
hello
lychee@docker-container:/uploads$ rm file.txt 
lychee@docker-container:/uploads$ ls -l 
total 0
drwxrwxrwx+ 2 lychee lychee 0 May 12 20:35 big
drwxrwxrwx+ 2 lychee lychee 0 May 11 13:20 import
drwxrwxrwx+ 2 lychee lychee 0 Oct  1  2017 medium
drwxrwxrwx+ 2 lychee lychee 0 May 10 13:52 small
drwxrwxrwx+ 2 lychee lychee 0 Oct  1  2017 thumb
lychee@docker-container:/uploads$ cd ..
lychee@docker-container:/$ ls -l
total 72
...
drwxr-xr-x+   2 lychee lychee    0 May 12 20:39 conf
drwxrwxrwx+   3 lychee lychee    0 May 11 13:20 importer
drwxrwxrwx+   7 lychee lychee    0 May 13 09:54 uploads
...
lychee@docker-container:/$ logout
<redacted>:~/.docker/main-services$ 

So, in brief, user www-data can't write, only user lychee can, but it's user www-data who handles files during import.

Now, if I change ownership of uploads folder, that's what I get:

lychee-laravel_1  | chown: changing ownership of '/uploads/small/index.html': Permission denied
lychee-laravel_1  | chown: changing ownership of '/uploads/small': Permission denied
lychee-laravel_1  | chown: changing ownership of '/uploads/medium/c9d7814faafd6c8198f9eb4830f87d59.JPG': Permission denied
lychee-laravel_1  | chown: changing ownership of '/uploads/medium/598e6e7556ba81c47a503c620daebb4f.JPG': Permission denied
lychee-laravel_1  | chown: changing ownership of '/uploads/medium/c985a5643757b6c9726927dd18a5f1d0.JPG': Permission denied
lychee-laravel_1  | chown: changing ownership of '/uploads/medium/fb72b153dd0da9ccabc80c8510f2fa06.JPG': Permission denied
lychee-laravel_1  | chown: changing ownership of '/uploads/medium/74383014a074162c2a5d9df494632418.JPG': Permission denied
lychee-laravel_1  | chown: changing ownership of '/uploads/medium/64b0831bc378b6db5feae75fe6cd2369.JPG': Permission denied

and the docker container fails to start.

So, I just wanted to ask: are lines 43-47 of entrypoint.sh completely necessary? Can't we just check them before running and then omit them?

Thank you.

@Chostakovitch
Contributor

The entrypoint script should probably be improved, sorry for not looking at it for months.

However, line 46 chmod -R a+rw /uploads should allow all users to write to /uploads (not a good idea), so how can the /uploads folder be read-only for group and others?

I think that these lines have been added when switching from root user to lychee user inside the container.

@roblandry
Contributor

roblandry commented Nov 17, 2019

I changed permissions in #23.
I added www-data to the lychee group and gave 775 permissions on /uploads.

Let me know if this does not resolve your problem. Closing for now.
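
The check-before-change idea raised in this thread, as an added example that is not the project's entrypoint.sh and not written by any participant: it probes with a real write, because the /uploads listing above reads drwxrwxrwx+ on the SMB/CIFS mount while www-data is still denied, and when a change is needed it attempts only 775 on the directory itself rather than a recursive chown or chmod a+rw. The function names can_write and prepare_dir are hypothetical.

```shell
#!/bin/sh
# Added example, not Lychee-Docker's entrypoint.sh.
# can_write and prepare_dir are hypothetical names.

# can_write DIR: succeed only if the *current* user can really create a file.
# A real write is probed because mode bits on a CIFS/ACL mount can be
# misleading: a directory may list as rwxrwxrwx and still refuse the write.
can_write() {
    probe=$(mktemp "$1/.write-probe.XXXXXX" 2>/dev/null) || return 1
    rm -f "$probe"
}

# prepare_dir DIR: print one of ok | fixed | denied | missing.
# Never recurses and never grants a+rw; the only change attempted
# is mode 775 on DIR itself.
prepare_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 2
    fi
    if can_write "$dir"; then
        echo ok                 # already usable: leave the mount untouched
        return 0
    fi
    # Group-writable at most (the 775 model from the last comment).
    if chmod 775 "$dir" 2>/dev/null && can_write "$dir"; then
        echo fixed
        return 0
    fi
    # For example a server-side ACL on the share: report it and let the
    # caller decide, instead of failing on every file of a recursive chown.
    echo denied
    return 1
}
```

Run it as the account that handles uploads (www-data in this thread), since a probe executed as root or lychee says nothing about what that account can do.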
