From 838d4081551dae9c0270e3b56948eb5e76d5cce8 Mon Sep 17 00:00:00 2001
From: root
Date: Sun, 21 May 2023 21:20:18 -0300
Subject: [PATCH 1/2] change to run the mysql server as the given UID:GID if provided
---
 data/bin/docker-entrypoint.sh | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/data/bin/docker-entrypoint.sh b/data/bin/docker-entrypoint.sh
index c381d6f..b5a3f2c 100755
--- a/data/bin/docker-entrypoint.sh
+++ b/data/bin/docker-entrypoint.sh
@@ -2,12 +2,15 @@
 set -e
-if [ -n "$GID" ]; then
- groupmod -o -g "$GID" www-data
-fi
+if [ -n "$UID" ] && [ -n "$GID" ] && [ "$(id -u)" = '0' ]; then
+ userdel www-data
+ groupadd -o -g "$GID" www-data
+ useradd -o -M -u "$UID" -g "$GID" www-data
-if [ -n "$UID" ]; then
- usermod -o -u "$UID" www-data
+ userdel mysql
+ groupadd -o -g "$GID" mysql
+ useradd -o -M -u "$UID" -g "$GID" mysql
+ chown -R mysql:mysql /run/mysqld
 fi
 # Re-set permission to the `www-data` user if current user is root
From dcbaef727164f28efc8404abcf747b3f509bebb2 Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 25 May 2023 18:34:07 -0300
Subject: [PATCH 2/2] several changes to run as non-root user
---
 .gitignore | 1 -
 Dockerfile | 12 ++++++-
 data/apache2/php.ini | 4 +--
 data/bin/create_mysql_admin_user.sh | 7 +++-
 data/bin/cron.sh | 2 +-
 data/bin/docker-entrypoint.sh | 10 +++---
 data/bin/mysql.sh | 8 +++--
 data/bin/run.sh | 9 +++++-
 data/mysql/my.cnf | 50 +++++++++++++++++++++++++++++
 data/supercronic/crontab | 1 +
 data/supervisord/supervisord.conf | 3 +-
 11 files changed, 90 insertions(+), 17 deletions(-)
 create mode 100644 data/mysql/my.cnf
 create mode 100644 data/supercronic/crontab
diff --git a/.gitignore b/.gitignore
index 518431e..40231f8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,5 @@
 3.7.0.tar.gz
 data/config/ampache.cfg.php
 data/log/*
-data/mysql/*
 data/media/*
 nohup.out
diff --git a/Dockerfile b/Dockerfile
index b362827..6f5a6df 100644
--- a/Dockerfile
+++ b/Dockerfile
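Review bot: In the added `if [ -n "$UID" ] && [ -n "$GID" ] && [ "$(id -u)" = '0' ]; then` block, `$UID` is not a reliable carrier of the caller's intended id: if this entrypoint runs under bash, `UID` is bash's own read-only variable holding the real uid of the running shell, which is 0 in the only case the block runs, so `useradd -o -M -u "$UID" -g "$GID" www-data` would likely create www-data with uid 0 rather than the value passed through the environment; confirm the interpreter (the shebang is outside the hunk) and rename the knob to something like `AMPACHE_UID` / `AMPACHE_GID`. `userdel www-data` and `userdel mysql` under `set -e` also abort the container start if either account still owns a running process, and if `userdel` removes the same-named group the following `groupadd -o -g "$GID" www-data` is fine but if it does not the call fails with "group exists" — the previous `usermod -o -u` / `groupmod -o -g` pair, or a `getent group www-data` guard, avoids the delete-and-recreate entirely. The same `$UID` caveat still applies to the context retained in PATCH 2/2.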
@@ -1,3 +1,8 @@
+FROM golang:1.19 AS build-supercronic-stage
+
+RUN git clone https://github.com/aptible/supercronic.git /tmp/supercronic
+RUN cd /tmp/supercronic && CGO_ENABLED=0 GOOS=linux go build
+
 FROM debian:stable
 LABEL maintainer="lachlan-00"
@@ -66,6 +71,8 @@ RUN apt-get -q -q update \
 && find /var/www -type d -name ".git*" -print0 | xargs -0 rm -rf {} \
 && chown -R www-data:www-data /var/www \
 && chmod -R 775 /var/www \
+ && sed -i 's#/var/run/apache2#/tmp/apache2#' /etc/apache2/envvars \
+ && sed -i 's#/var/log/apache2#/var/log/ampache#' /etc/apache2/envvars \
 && rm -rf /var/cache/* /tmp/* /var/tmp/* /root/.cache /var/www/docs /var/www/.tx \
 && echo '30 * * * * /usr/local/bin/ampache_cron.sh' | crontab -u www-data - \
 && sed -i 's/^# *\(en_US.UTF-8\)/\1/' /etc/locale.gen \
@@ -86,9 +93,12 @@ COPY data/apache2/php.ini /etc/php/8.1/apache2/
 COPY data/config/ampache.cfg.* /var/tmp/
 COPY data/logrotate.d/* /etc/logrotate.d/
 COPY data/supervisord/supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+COPY data/mysql/my.cnf /etc/mysql/my.cnf
+COPY --from=build-supercronic-stage /tmp/supercronic/supercronic /usr/local/bin/supercronic
+COPY data/supercronic/crontab /etc/crontab
 RUN chown www-data:www-data /var/tmp/ampache.cfg.* \
 && chmod +x /usr/local/bin/*.sh
 ENTRYPOINT ["docker-entrypoint.sh"]
-CMD ["run.sh"]
+CMD ["/usr/local/bin/run.sh"]
diff --git a/data/apache2/php.ini b/data/apache2/php.ini
index 08c17a2..b04903c 100644
--- a/data/apache2/php.ini
+++ b/data/apache2/php.ini
@@ -1062,7 +1062,7 @@ cli_server.color = On
 [Pdo_mysql]
 ; Default socket name for local MySQL connects. If empty, uses the built-in
 ; MySQL defaults.
-pdo_mysql.default_socket=
+pdo_mysql.default_socket=/tmp/mysql/mysqld.sock
 [Phar]
 ; https://php.net/phar.readonly
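Review bot: `RUN git clone https://github.com/aptible/supercronic.git /tmp/supercronic` builds whatever the upstream default branch points at when the image is built, so the resulting `/usr/local/bin/supercronic` is neither reproducible nor protected against a force-pushed or compromised upstream; pin a release, e.g. `RUN git clone --depth 1 --branch <release-tag> https://github.com/aptible/supercronic.git /tmp/supercronic` followed by a `git rev-parse HEAD` comparison against a recorded commit hash, or fetch the released binary and verify its published checksum. `FROM golang:1.19` floats across patch releases in the same way and would be fixed by a digest pin. The second hunk of this file still installs the old cron job via `crontab -u www-data -` even though `cron.sh` now runs supercronic from `/etc/crontab`; that line is dead weight and can be dropped.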
@@ -1175,7 +1175,7 @@ mysqli.default_port = 3306
 ; Default socket name for local MySQL connects. If empty, uses the built-in
 ; MySQL defaults.
 ; https://php.net/mysqli.default-socket
-mysqli.default_socket =
+mysqli.default_socket = /tmp/mysql/mysqld.sock
 ; Default host for mysqli_connect() (doesn't apply in safe mode).
 ; https://php.net/mysqli.default-host
diff --git a/data/bin/create_mysql_admin_user.sh b/data/bin/create_mysql_admin_user.sh
index 82270ed..7e23d7b 100755
--- a/data/bin/create_mysql_admin_user.sh
+++ b/data/bin/create_mysql_admin_user.sh
@@ -1,6 +1,11 @@
 #!/bin/bash
-mysqld_safe &
+if [ "$(id -u)" = '0' ]; then
+ user=www-data
+else
+ user=$(id -u)
+fi
+mysqld_safe --user $user &
 sleep 5
 RET=1
diff --git a/data/bin/cron.sh b/data/bin/cron.sh
index cd67dcb..0f4aa1e 100755
--- a/data/bin/cron.sh
+++ b/data/bin/cron.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
-cron -f
+exec supercronic /etc/crontab
diff --git a/data/bin/docker-entrypoint.sh b/data/bin/docker-entrypoint.sh
index b5a3f2c..994818a 100755
--- a/data/bin/docker-entrypoint.sh
+++ b/data/bin/docker-entrypoint.sh
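Review bot: The new `user=...` detection block is duplicated verbatim in this script, in `mysql.sh` and in `run.sh`, and in each place the result is passed unquoted (`mysqld_safe --user $user &`); move it into one sourced helper and quote the expansion, `mysqld_safe --user "$user" &`, so the three copies cannot drift apart. When the container is started as a non-root uid, `user=$(id -u)` hands `--user` a number rather than an account name; whether mysqld_safe on this base image resolves a numeric id, or quietly ignores it, should be confirmed, since a silent fallback would start the server under a different account than the data directory was prepared for. The fixed `sleep 5` before the connection loop predates this change but becomes more fragile now that the server runs with fewer privileges and possibly a slower first start.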
@@ -6,17 +6,15 @@ if [ -n "$UID" ] && [ -n "$GID" ] && [ "$(id -u)" = '0' ]; then
 userdel www-data
 groupadd -o -g "$GID" www-data
 useradd -o -M -u "$UID" -g "$GID" www-data
-
- userdel mysql
- groupadd -o -g "$GID" mysql
- useradd -o -M -u "$UID" -g "$GID" mysql
- chown -R mysql:mysql /run/mysqld
 fi
 # Re-set permission to the `www-data` user if current user is root
 # This avoids permission denied if the data volume is mounted by root
 if [ "$1" = '/usr/local/bin/run.sh' ] && [ "$(id -u)" = '0' ]; then
- chown -R www-data:www-data /var/www/config /var/log/ampache
+ chown -R www-data:www-data /var/www/config /var/log/ampache /var/lib/mysql
+ chown www-data:www-data /var/www/public/play/.htaccess /var/www/public/rest/.htaccess /var/www/public/channel/.htaccess
+ chown www-data:www-data /var/tmp/ampache.cfg.*
+ rm -fr /var/lib/php/sessions/* && chown www-data:www-data /var/lib/php/sessions
 exec gosu www-data "$@"
 else
 exec "$@"
diff --git a/data/bin/mysql.sh b/data/bin/mysql.sh
index 7a64628..c27a9ab 100755
--- a/data/bin/mysql.sh
+++ b/data/bin/mysql.sh
@@ -1,3 +1,7 @@
 #!/bin/sh
-
-exec mysqld_safe --syslog
+if [ "$(id -u)" = '0' ]; then
+ user=www-data
+else
+ user=$(id -u)
+fi
+exec mysqld_safe --user $user
diff --git a/data/bin/run.sh b/data/bin/run.sh
index 312eb90..27110aa 100755
--- a/data/bin/run.sh
+++ b/data/bin/run.sh
@@ -1,9 +1,16 @@
 #!/bin/bash
+mkdir /tmp/mysql /tmp/apache2
+chmod 750 /tmp/mysql /tmp/apache2
 if [[ ! -d /var/lib/mysql/mysql ]]; then
 echo "=> An empty or uninitialized MySQL volume is detected in $VOLUME_HOME"
 echo "=> Installing MySQL ..."
- mysql_install_db --auth-root-authentication-method=normal --user=mysql
+ if [ "$(id -u)" = '0' ]; then
+ user=www-data
+ else
+ user=$(id -u)
+ fi
+ mysql_install_db --auth-root-authentication-method=normal --user $user
 echo "=> Done!"
 create_mysql_admin_user.sh
 else
diff --git a/data/mysql/my.cnf b/data/mysql/my.cnf
new file mode 100644
index 0000000..3508047
--- /dev/null
+++ b/data/mysql/my.cnf
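Review bot: `rm -fr /var/lib/php/sessions/* && chown www-data:www-data /var/lib/php/sessions` discards every PHP session on each container start, which logs all users out on every restart; fixing ownership does not require deleting, `chown -R www-data:www-data /var/lib/php/sessions` does the same job without the data loss. `chown -R www-data:www-data /var/www/config /var/log/ampache /var/lib/mysql` now walks the whole database volume on every start, so a large datadir delays startup and rewrites ownership on files that were already correct; a check on the directory itself before the recursive pass, `[ "$(stat -c %U /var/lib/mysql)" = www-data ] || chown -R www-data:www-data /var/lib/mysql`, keeps routine restarts cheap. Both lines sit inside the `if [ "$1" = '/usr/local/bin/run.sh' ]` branch, which hard-codes the path set by the Dockerfile `CMD` in this same commit, so the two must be kept in step.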
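Review bot: `mkdir /tmp/mysql /tmp/apache2` has no `-p` and `run.sh` does not use `set -e`, so if either directory already exists — a shared or persisted `/tmp`, or an earlier run of the same container — `mkdir` fails, `chmod 750 /tmp/mysql /tmp/apache2` is applied to a directory the script may not own, and the MariaDB socket and pid file and Apache's run directory are then placed under a path another uid may control. Create them with an explicit mode and fail closed, e.g. `mkdir -p -m 750 /tmp/mysql /tmp/apache2 || exit 1`, and since `-p` does not alter an existing directory, verify ownership before starting anything: `[ -O /tmp/mysql ] && [ -O /tmp/apache2 ] || exit 1`. A location under a private run directory rather than world-writable `/tmp` would avoid the question entirely, although the socket paths in `php.ini` and `my.cnf` from this commit would need to move with it.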
@@ -0,0 +1,50 @@
+# /etc/mysql/mariadb.cnf
+[client-server]
+# Port or socket location where to connect
+# port = 3306
+socket = /tmp/mysql/mysqld.sock
+
+# /etc/mysql/conf.d/mysqldump.cnf
+[mysqldump]
+quick
+quote-names
+max_allowed_packet = 16M
+
+# /etc/mysql/mariadb.conf.d/50-mysqld_safe.cnf
+[mysqld_safe]
+nice = 0
+skip_log_error
+syslog
+
+# /etc/mysql/mariadb.conf.d/50-server.cnf
+# this is only for the mysqld standalone daemon
+[mysqld]
+#
+# * Basic Settings
+#
+pid-file = /tmp/mysql/mysqld.pid
+basedir = /usr
+datadir = /var/lib/mysql
+tmpdir = /tmp
+lc-messages-dir = /usr/share/mysql
+lc-messages = en_US
+skip-external-locking
+log-error = /var/log/ampache/mysqld.log
+
+# Instead of skip-networking the default is now to listen only on
+# localhost which is more compatible and is not less secure.
+bind-address = 127.0.0.1
+
+# The following can be used as easy to replay backup logs or for replication.
+# note: if you are setting up a replication slave, see README.Debian about
+# other settings you may need to change.
+expire_logs_days = 10
+
+#
+# * Character sets
+#
+
+# MySQL/MariaDB default is Latin1, but in Debian we rather default to the full
+# utf8 4-byte character set. See also client.cnf
+character-set-server = utf8mb4
+collation-server = utf8mb4_general_ci
diff --git a/data/supercronic/crontab b/data/supercronic/crontab
new file mode 100644
index 0000000..b784c80
--- /dev/null
+++ b/data/supercronic/crontab
@@ -0,0 +1 @@
+30 * * * * /usr/local/bin/ampache_cron.sh
diff --git a/data/supervisord/supervisord.conf b/data/supervisord/supervisord.conf
index 4e08b34..50a68df 100644
--- a/data/supervisord/supervisord.conf
+++ b/data/supervisord/supervisord.conf
@@ -1,8 +1,7 @@
 [supervisord]
 nodaemon=true
-user=root
 loglevel=info
-logfile=/var/log/supervisor/supervisord.log
+logfile=/var/log/ampache/supervisord.log
 pidfile=/tmp/supervisord.pid
 [program:cron]
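Review bot: `[mysqld_safe]` enables `syslog` and `skip_log_error` while `[mysqld]` sets `log-error = /var/log/ampache/mysqld.log`; mysqld_safe also reads the `[mysqld]` group, and it may refuse to log to syslog when a log-error option is present, so confirm which sink actually receives the server's error log — an unintended sink means the log is missing from the logrotate configuration and from anything that monitors `/var/log/ampache`. `expire_logs_days = 10` has no effect unless `log_bin` is also set, which this file does not do; either drop it or mark it with a comment such as `# only meaningful once log_bin is enabled`. `tmpdir = /tmp` places server temporary files in the world-writable directory next to the socket; pointing it at the same private directory used for `socket` and `pid-file` keeps all server-owned state under one mode-750 path.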