grocy-docker
Update file ownership of grocy application files
At the moment when cloning grocy application code (PHP assets, web assets) into grocy-docker containers, extraction runs under the www-data and nginx user accounts respectively.
This means that the files are owned by the same user account that the web server (php-fpm, nginx, respectively) process runs as.
Although the root filesystems are read-only already, we could apply another layer of security by ensuring that the files are owned by a separate user account.
That could place a further roadblock against any potential application-level exploits from modifying and/or persisting in the containers.
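A way to check the ownership split proposed above, as an added example that is not part of the original issue or the grocy-docker project's own code: it lists every path the web server account could still modify, including read-only files it owns (an owner can always chmod its own files). The function names are hypothetical, and the directory and numeric UID/GID are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit which application files a runtime account can modify.
#
# audit_ownership DIR RUNTIME_UID RUNTIME_GID
#   Prints "<reason><TAB><path>" for each path under DIR that the runtime
#   account could change:
#     owner           the account owns the path (it can chmod and rewrite it,
#                     even if the current mode is read-only)
#     group-writable  the path belongs to the account's group and has g+w
#     world-writable  the path has o+w
#   Directories are reported too: a writable directory lets the account
#   replace files inside it regardless of who owns those files.
#   Symlinks are skipped because their own mode bits are not meaningful.
audit_ownership() {
    dir=$1
    runtime_uid=$2
    runtime_gid=$3
    find "$dir" ! -type l \( \
        -uid "$runtime_uid" -exec printf 'owner\t%s\n' {} \; \
        -o -gid "$runtime_gid" -perm -0020 -exec printf 'group-writable\t%s\n' {} \; \
        -o -perm -0002 -exec printf 'world-writable\t%s\n' {} \; \
    \)
}

# count_findings DIR RUNTIME_UID RUNTIME_GID
#   Number of paths reported by audit_ownership; 0 means the runtime account
#   cannot modify anything under DIR through ownership or mode bits.
count_findings() {
    audit_ownership "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Usage inside a container (the directory is a placeholder, not a path taken
# from the issue):
#   audit_ownership <app-dir> "$(id -u www-data)" "$(id -g www-data)"
```

A count of 0 for the php-fpm and nginx accounts is the state the issue asks for; any `owner` line means the files are still owned by the account the server process runs as.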