From 0ee686ffb15e0fad03f60a3ccd8cc2c62a2bd238 Mon Sep 17 00:00:00 2001
From: Michael Mayer
Date: Thu, 17 Mar 2022 17:02:38 +0100
Subject: [PATCH] Docker: Make sure /sbin/gosu exists and has the right permissions #2120 see https://github.com/photoprism/photoprism/discussions/2120
---
 Makefile | 4 ++--
 docker/develop/armv7/Dockerfile | 4 +++-
 docker/develop/bullseye/Dockerfile | 4 +++-
 docker/develop/buster/Dockerfile | 4 +++-
 docker/develop/impish/Dockerfile | 4 +++-
 docker/photoprism/armv7/Dockerfile | 5 +++--
 docker/photoprism/bullseye/Dockerfile | 3 +++
 docker/photoprism/buster/Dockerfile | 5 +++--
 docker/photoprism/impish/Dockerfile | 5 +++--
 scripts/dist/entrypoint.sh | 8 ++++----
 10 files changed, 30 insertions(+), 16 deletions(-)
diff --git a/Makefile b/Makefile
index db091b9a5..6fd66bef9 100644
--- a/Makefile
+++ b/Makefile
@@ -77,10 +77,10 @@ install:
 mkdir --mode=$(INSTALL_MODE) -p $(DESTDIR)
 env TMPDIR="$(BUILD_PATH)" ./scripts/dist/install-tensorflow.sh $(DESTDIR)
 rm -rf --preserve-root $(DESTDIR)/include
- (cd $(DESTDIR) && mkdir -p bin lib assets config config/examples)
+ (cd $(DESTDIR) && mkdir -p bin sbin lib assets config config/examples)
 ./scripts/build.sh prod "$(DESTDIR)/bin/$(BINARY_NAME)"
 [ -f "$(GOBIN)/gosu" ] || go install github.com/tianon/gosu@latest
- cp $(GOBIN)/gosu $(DESTDIR)/bin/gosu
+ cp $(GOBIN)/gosu $(DESTDIR)/sbin/gosu
 [ ! -f "$(GOBIN)/exif-read-tool" ] || cp $(GOBIN)/exif-read-tool $(DESTDIR)/bin/exif-read-tool
 rsync -r -l --safe-links --exclude-from=assets/.buildignore --chmod=a+r,u+rw ./assets/ $(DESTDIR)/assets
 cp scripts/dist/heif-convert.sh $(DESTDIR)/bin/heif-convert
diff --git a/docker/develop/armv7/Dockerfile b/docker/develop/armv7/Dockerfile
index fb23eba51..d7fd37a3e 100644
--- a/docker/develop/armv7/Dockerfile
+++ b/docker/develop/armv7/Dockerfile
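Review bot: The gosu binary that the changed `cp` line now places in `$(DESTDIR)/sbin` is whatever already sits at `$(GOBIN)/gosu`, or else a fresh build of `github.com/tianon/gosu@latest`, so the helper the entrypoint appears to run as root has a floating version and the existence test can ship a stale build. Pinning a reviewed release in the line above, `[ -f "$(GOBIN)/gosu" ] || go install github.com/tianon/gosu@<PINNED_VERSION>`, would make the shipped binary reproducible; the four docker/develop Dockerfiles install the same `@latest` ahead of their new `cp /go/bin/gosu /sbin/gosu` lines. The new `cp` also leaves both paths unquoted although the test before it quotes `"$(GOBIN)/gosu"`; `cp "$(GOBIN)/gosu" "$(DESTDIR)/sbin/gosu"` would match. The `install` recipe starts before and continues after the hunk.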
@@ -110,7 +110,9 @@ RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
 # install Go tools
 RUN /usr/local/go/bin/go install github.com/tianon/gosu@latest; \
- cp /go/bin/gosu /bin/gosu && \
+ cp /go/bin/gosu /sbin/gosu && \
+ chown root:root /sbin/gosu && \
+ chmod 755 /sbin/gosu && \
 echo "alias ll='ls -alh'" > /photoprism/.bash_aliases && \
 echo "alias ll='ls -alh'" > /root/.bash_aliases && \
 echo "ALL ALL=(ALL) NOPASSWD:SETENV: ALL" >> /etc/sudoers.d/all && \
diff --git a/docker/develop/bullseye/Dockerfile b/docker/develop/bullseye/Dockerfile
index 9fdc124ce..efa306d3c 100644
--- a/docker/develop/bullseye/Dockerfile
+++ b/docker/develop/bullseye/Dockerfile
@@ -121,7 +121,9 @@ RUN /usr/local/go/bin/go install github.com/tianon/gosu@latest && \
 /usr/local/go/bin/go install github.com/kyoh86/richgo@latest && \
 /usr/local/go/bin/go install github.com/psampaz/go-mod-outdated@latest && \
 /usr/local/go/bin/go install github.com/dsoprea/go-exif/v3/command/exif-read-tool@latest; \
- cp /go/bin/gosu /bin/gosu && \
+ cp /go/bin/gosu /sbin/gosu && \
+ chown root:root /sbin/gosu && \
+ chmod 755 /sbin/gosu && \
 echo "alias go=richgo ll='ls -alh'" > /photoprism/.bash_aliases && \
 echo "alias go=richgo ll='ls -alh'" > /root/.bash_aliases && \
 echo "ALL ALL=(ALL) NOPASSWD:SETENV: ALL" >> /etc/sudoers.d/all && \
diff --git a/docker/develop/buster/Dockerfile b/docker/develop/buster/Dockerfile
index 52c1f6155..c0b62fb8c 100644
--- a/docker/develop/buster/Dockerfile
+++ b/docker/develop/buster/Dockerfile
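Review bot: The three added lines `cp` / `chown root:root` / `chmod 755` can be one `install -o root -g root -m 0755 /go/bin/gosu /sbin/gosu && \`, which sets owner and mode in the same step that creates the file, so /sbin/gosu never exists with a default mode. The `go install` line just above ends in `;` rather than `&&`, so a failed install is only noticed indirectly when the copy finds no file; chaining with `&&` would stop the build at the real cause, or, if the `;` is deliberate best-effort, a comment should say so. The same three lines are added in docker/develop/bullseye, buster and impish. The RUN instruction continues past the end of the hunk.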
@@ -120,7 +120,9 @@ RUN /usr/local/go/bin/go install github.com/tianon/gosu@latest && \
 /usr/local/go/bin/go install github.com/kyoh86/richgo@latest && \
 /usr/local/go/bin/go install github.com/psampaz/go-mod-outdated@latest && \
 /usr/local/go/bin/go install github.com/dsoprea/go-exif/v3/command/exif-read-tool@latest; \
- cp /go/bin/gosu /bin/gosu && \
+ cp /go/bin/gosu /sbin/gosu && \
+ chown root:root /sbin/gosu && \
+ chmod 755 /sbin/gosu && \
 echo "alias go=richgo ll='ls -alh'" > /photoprism/.bash_aliases && \
 echo "alias go=richgo ll='ls -alh'" > /root/.bash_aliases && \
 echo "ALL ALL=(ALL) NOPASSWD:SETENV: ALL" >> /etc/sudoers.d/all && \
diff --git a/docker/develop/impish/Dockerfile b/docker/develop/impish/Dockerfile
index 97432e439..d78267e5a 100644
--- a/docker/develop/impish/Dockerfile
+++ b/docker/develop/impish/Dockerfile
@@ -121,7 +121,9 @@ RUN /usr/local/go/bin/go install github.com/tianon/gosu@latest && \
 /usr/local/go/bin/go install github.com/kyoh86/richgo@latest && \
 /usr/local/go/bin/go install github.com/psampaz/go-mod-outdated@latest && \
 /usr/local/go/bin/go install github.com/dsoprea/go-exif/v3/command/exif-read-tool@latest; \
- cp /go/bin/gosu /bin/gosu && \
+ cp /go/bin/gosu /sbin/gosu && \
+ chown root:root /sbin/gosu && \
+ chmod 755 /sbin/gosu && \
 echo "alias go=richgo ll='ls -alh'" > /photoprism/.bash_aliases && \
 echo "alias go=richgo ll='ls -alh'" > /root/.bash_aliases && \
 echo "ALL ALL=(ALL) NOPASSWD:SETENV: ALL" >> /etc/sudoers.d/all && \
diff --git a/docker/photoprism/armv7/Dockerfile b/docker/photoprism/armv7/Dockerfile
index be3edf4c9..7adf16cce 100644
--- a/docker/photoprism/armv7/Dockerfile
+++ b/docker/photoprism/armv7/Dockerfile
@@ -85,8 +85,9 @@ RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
 echo 'APT::Install-Suggests "false";' > /etc/apt/apt.conf.d/80suggests && \
 echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/80forceyes && \
 echo 'APT::Get::Fix-Missing "true";' > /etc/apt/apt.conf.d/80fixmissing && \
- cp /opt/photoprism/bin/gosu /bin/gosu && \
- chown root:root /bin/gosu && \
+ mv /opt/photoprism/sbin/gosu /sbin/gosu && \
+ chown root:root /sbin/gosu && \
+ chmod 755 /sbin/gosu && \
 groupadd -f -r -g 44 video && groupadd -f -r -g 109 render && groupadd -f -g 1000 photoprism && \
 useradd -m -g 1000 -u 1000 -d /photoprism -G video,render photoprism && \
 chmod 777 /photoprism && \
diff --git a/docker/photoprism/bullseye/Dockerfile b/docker/photoprism/bullseye/Dockerfile
index 49f1b6f0f..d37a42277 100644
--- a/docker/photoprism/bullseye/Dockerfile
+++ b/docker/photoprism/bullseye/Dockerfile
@@ -90,6 +90,9 @@ EXPOSE 2342
 # copy dist files
 COPY --from=build /opt/photoprism/ /opt/photoprism
+RUN mv /opt/photoprism/sbin/gosu /sbin/gosu && \
+ chown root:root /sbin/gosu && \
+ chmod 755 /sbin/gosu
 # set container entrypoint script
 ENTRYPOINT ["/scripts/entrypoint.sh"]
diff --git a/docker/photoprism/buster/Dockerfile b/docker/photoprism/buster/Dockerfile
index 613c0ea93..2627d2382 100644
--- a/docker/photoprism/buster/Dockerfile
+++ b/docker/photoprism/buster/Dockerfile
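Review bot: Nothing after the added `mv` / `chown` / `chmod` lines checks that /sbin/gosu actually runs in this image, so a wrong-architecture or otherwise non-runnable binary from the build stage would only surface when the entrypoint tries to drop privileges at container start. A build-time smoke test such as `/sbin/gosu nobody true && \` right after `chmod 755 /sbin/gosu && \` would fail the image build instead, assuming the base image has the `nobody` user. The same applies to the lines added in docker/photoprism/bullseye (where it would extend the new `RUN`), buster and impish. This RUN instruction starts before and continues after the hunk.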
@@ -85,8 +85,9 @@ RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
 echo 'APT::Install-Suggests "false";' > /etc/apt/apt.conf.d/80suggests && \
 echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/80forceyes && \
 echo 'APT::Get::Fix-Missing "true";' > /etc/apt/apt.conf.d/80fixmissing && \
- cp /opt/photoprism/bin/gosu /bin/gosu && \
- chown root:root /bin/gosu && \
+ mv /opt/photoprism/sbin/gosu /sbin/gosu && \
+ chown root:root /sbin/gosu && \
+ chmod 755 /sbin/gosu && \
 groupadd -f -r -g 44 video && groupadd -f -r -g 109 render && groupadd -f -g 1000 photoprism && \
 useradd -m -g 1000 -u 1000 -d /photoprism -G video,render photoprism && \
 chmod 777 /photoprism && \
diff --git a/docker/photoprism/impish/Dockerfile b/docker/photoprism/impish/Dockerfile
index e7ac7ae2b..37671d3b5 100644
--- a/docker/photoprism/impish/Dockerfile
+++ b/docker/photoprism/impish/Dockerfile
@@ -84,8 +84,9 @@ RUN echo 'APT::Acquire::Retries "3";' > /etc/apt/apt.conf.d/80retries && \
 echo 'APT::Install-Suggests "false";' > /etc/apt/apt.conf.d/80suggests && \
 echo 'APT::Get::Assume-Yes "true";' > /etc/apt/apt.conf.d/80forceyes && \
 echo 'APT::Get::Fix-Missing "true";' > /etc/apt/apt.conf.d/80fixmissing && \
- cp /opt/photoprism/bin/gosu /bin/gosu && \
- chown root:root /bin/gosu && \
+ mv /opt/photoprism/sbin/gosu /sbin/gosu && \
+ chown root:root /sbin/gosu && \
+ chmod 755 /sbin/gosu && \
 groupadd -f -r -g 44 video && groupadd -f -r -g 109 render && groupadd -f -g 1000 photoprism && \
 useradd -m -g 1000 -u 1000 -d /photoprism -G video,render photoprism && \
 chmod 777 /photoprism && \
diff --git a/scripts/dist/entrypoint.sh b/scripts/dist/entrypoint.sh
index 6b46450f5..f5483b1c6 100755
--- a/scripts/dist/entrypoint.sh
+++ b/scripts/dist/entrypoint.sh
@@ -95,15 +95,15 @@ if [[ ${INIT_SCRIPT} ]] && [[ $(/usr/bin/id -u) == "0" ]] && [[ ${PHOTOPRISM_UID
 echo "${@}"
 # run command as uid:gid
- ([[ ${DOCKER_ENV} != "prod" ]] || /bin/gosu "${PHOTOPRISM_UID}:${PHOTOPRISM_GID}" "/scripts/audit.sh") \
- && /bin/gosu "${PHOTOPRISM_UID}:${PHOTOPRISM_GID}" "$@" &
+ ([[ ${DOCKER_ENV} != "prod" ]] || /sbin/gosu "${PHOTOPRISM_UID}:${PHOTOPRISM_GID}" "/scripts/audit.sh") \
+ && /sbin/gosu "${PHOTOPRISM_UID}:${PHOTOPRISM_GID}" "$@" &
 else
 echo "switching to uid ${PHOTOPRISM_UID}"
 echo "${@}"
 # run command as uid
- ([[ ${DOCKER_ENV} != "prod" ]] || /bin/gosu "${PHOTOPRISM_UID}" "/scripts/audit.sh") \
- && /bin/gosu "${PHOTOPRISM_UID}" "$@" &
+ ([[ ${DOCKER_ENV} != "prod" ]] || /sbin/gosu "${PHOTOPRISM_UID}" "/scripts/audit.sh") \
+ && /sbin/gosu "${PHOTOPRISM_UID}" "$@" &
 fi
 else
 echo "running as uid $(id -u)"
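Review bot: The path `/sbin/gosu` is now hard-coded four times and executed without a prior existence check, so an image that still carries gosu at the old /bin location fails here with only a shell "No such file" error from a backgrounded job. Defining it once and checking it before either branch, e.g. `GOSU="/sbin/gosu"; [[ -x ${GOSU} ]] || { echo "gosu not found at ${GOSU}" >&2; exit 1; }`, and then calling `"${GOSU}"` would give a clear failure and a single place to change. Keeping an absolute path rather than a PATH lookup deserves a short comment such as `# absolute path: this is the binary root uses to switch uid, never resolve it via PATH`. The enclosing `if` starts before the hunk and the final `else` branch continues after it.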