From 2774f97d57504694ef3cc219d3375ac46556bee4 Mon Sep 17 00:00:00 2001
From: Shrikant Sharat Kandula <shrikant@appsmith.com>
Date: Wed, 15 Nov 2023 11:28:25 +0530
Subject: [PATCH] feat: Support running as a non-root user (#28290)

Running an Appsmith as a non-root user:

```sh
docker run --name appsmith --user 70:70
```

The `70:70` figures are the UID and GID respectively. It can mostly be
any number, safe to user figures are 70 to 79, or anything above 200 and
below 65000. The important bit, is that it shouldn't change on restart
or manual updates etc.

No product functionality should be affected when running as a non-root
user.
---
 Dockerfile                                             |  5 ++++-
 deploy/docker/fs/opt/appsmith/entrypoint.sh            | 10 +++++++---
 deploy/docker/fs/opt/appsmith/renew-certificate.sh     |  2 +-
 deploy/docker/fs/opt/appsmith/run-with-env.sh          |  2 +-
 .../fs/opt/appsmith/templates/supervisord/cron.conf    |  3 +--
 5 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4af1d28854..55e3511a87 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -32,7 +32,10 @@ RUN cd ./utils && npm install --only=prod && npm install --only=prod -g . && cd
   && chmod +x *.sh templates/nginx-app.conf.sh /watchtower-hooks/*.sh \
   # Disable setuid/setgid bits for the files inside container.
   && find / \( -path /proc -prune \) -o \( \( -perm -2000 -o -perm -4000 \) -print -exec chmod -s '{}' + \) || true \
-  && node prepare-image.mjs
+  && node prepare-image.mjs \
+  && mkdir -p /.mongodb/mongosh /appsmith-stacks \
+  && chmod ugo+w /etc /appsmith-stacks \
+  && chmod -R ugo+w /var/lib/nginx /var/log/nginx /var/run /usr/sbin/cron /.mongodb /etc/ssl /usr/local/share
 
 LABEL com.centurylinklabs.watchtower.lifecycle.pre-check=/watchtower-hooks/pre-check.sh
 LABEL com.centurylinklabs.watchtower.lifecycle.pre-update=/watchtower-hooks/pre-update.sh
diff --git a/deploy/docker/fs/opt/appsmith/entrypoint.sh b/deploy/docker/fs/opt/appsmith/entrypoint.sh
index c76c665d70..734e5dbbd4 100644
--- a/deploy/docker/fs/opt/appsmith/entrypoint.sh
+++ b/deploy/docker/fs/opt/appsmith/entrypoint.sh
@@ -2,6 +2,8 @@
 
 set -e
 
+echo "Running as: $(id)"
+
 stacks_path=/appsmith-stacks
 
 export SUPERVISORD_CONF_TARGET="$TMP/supervisor-conf.d/"  # export for use in supervisord.conf
@@ -68,7 +70,7 @@ init_env_file() {
   TEMPLATES_PATH="/opt/appsmith/templates"
 
   # Build an env file with current env variables. We single-quote the values, as well as escaping any single-quote characters.
-  printenv | grep -E '^APPSMITH_|^MONGO_' | sed "s/'/'\\\''/g; s/=/='/; s/$/'/" > "$TEMPLATES_PATH/pre-define.env"
+  printenv | grep -E '^APPSMITH_|^MONGO_' | sed "s/'/'\\\''/g; s/=/='/; s/$/'/" > "$TMP/pre-define.env"
 
   echo "Initialize .env file"
   if ! [[ -e "$ENV_PATH" ]]; then
@@ -99,7 +101,7 @@ init_env_file() {
   echo "Load environment configuration"
   set -o allexport
   . "$ENV_PATH"
-  . "$TEMPLATES_PATH/pre-define.env"
+  . "$TMP/pre-define.env"
   set +o allexport
 }
 
@@ -345,7 +347,9 @@ configure_supervisord() {
       mkdir -p "$stacks_path/data/redis"
     fi
     if ! [[ -e "/appsmith-stacks/ssl/fullchain.pem" ]] || ! [[ -e "/appsmith-stacks/ssl/privkey.pem" ]]; then
-      cp "$supervisord_conf_source/cron.conf" "$SUPERVISORD_CONF_TARGET"
+      if [[ -n "${APPSMITH_CUSTOM_DOMAIN-}" ]]; then
+        cp "$supervisord_conf_source/cron.conf" "$SUPERVISORD_CONF_TARGET"
+      fi
     fi
     if [[ $runEmbeddedPostgres -eq 1 ]]; then
       cp "$supervisord_conf_source/postgres.conf" "$SUPERVISORD_CONF_TARGET"
diff --git a/deploy/docker/fs/opt/appsmith/renew-certificate.sh b/deploy/docker/fs/opt/appsmith/renew-certificate.sh
index 2c8cc25abd..3a4981accb 100644
--- a/deploy/docker/fs/opt/appsmith/renew-certificate.sh
+++ b/deploy/docker/fs/opt/appsmith/renew-certificate.sh
@@ -3,7 +3,7 @@
 set -e
 
 ENV_PATH="/appsmith-stacks/configuration/docker.env"
-PRE_DEFINED_ENV_PATH="/opt/appsmith/templates/pre-define.env"
+PRE_DEFINED_ENV_PATH="$TMP/pre-define.env"
 if [[ -f /appsmith-stacks/configuration/docker.env ]]; then
   echo 'Load environment configuration'
   set -o allexport
diff --git a/deploy/docker/fs/opt/appsmith/run-with-env.sh b/deploy/docker/fs/opt/appsmith/run-with-env.sh
index 7a892cddc1..93a7bf65fc 100755
--- a/deploy/docker/fs/opt/appsmith/run-with-env.sh
+++ b/deploy/docker/fs/opt/appsmith/run-with-env.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 ENV_PATH="/appsmith-stacks/configuration/docker.env"
-PRE_DEFINED_ENV_PATH="/opt/appsmith/templates/pre-define.env"
+PRE_DEFINED_ENV_PATH="$TMP/pre-define.env"
 echo 'Load environment configuration'
 set -o allexport
 . "$ENV_PATH"
diff --git a/deploy/docker/fs/opt/appsmith/templates/supervisord/cron.conf b/deploy/docker/fs/opt/appsmith/templates/supervisord/cron.conf
index 16b24e79a3..17c5426d02 100644
--- a/deploy/docker/fs/opt/appsmith/templates/supervisord/cron.conf
+++ b/deploy/docker/fs/opt/appsmith/templates/supervisord/cron.conf
@@ -1,6 +1,5 @@
 [program:cron]
 command=/usr/sbin/cron -f
-user=root
 priority=35
 autostart=true
 autorestart=true
@@ -13,4 +12,4 @@ stderr_logfile_maxbytes=10MB
 stdout_logfile_backups=5
 stderr_logfile_backups=5
 stdout_events_enabled=true
-stderr_events_enabled=true
\ No newline at end of file
+stderr_events_enabled=true