From 4ec4012d8914f3dd21b190af7e12b7ccd457bffd Mon Sep 17 00:00:00 2001
From: Denys Vuika
Date: Thu, 28 Feb 2019 15:47:22 +0000
Subject: [PATCH] [ACA-2229] docker security fixes (#980)

* docker permission fixes
* remove index.html edit permissions
---
 Dockerfile | 3 ++-
 docker/entrypoint.sh | 4 ----
 nginx.conf => docker/nginx.conf | 2 --
 3 files changed, 2 insertions(+), 7 deletions(-)
 rename nginx.conf => docker/nginx.conf (97%)

diff --git a/Dockerfile b/Dockerfile
index 1795efc7b..c286db5f2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,7 +19,7 @@ ARG GROUPID=1000
 ARG USERNAME=aca
 ARG USERID=33009
-COPY nginx.conf /etc/nginx/nginx.conf
+COPY ./docker/nginx.conf /etc/nginx/nginx.conf
 COPY ./docker/entrypoint.sh /
 WORKDIR /usr/share/nginx/html
@@ -28,6 +28,7 @@ COPY --from=builder /usr/src/alfresco/licenses ./licenses
 RUN addgroup -g ${GROUPID} ${GROUPNAME} && \
 adduser -S -u ${USERID} -G ${GROUPNAME} -s "/bin/bash" ${USERNAME} && \
+ chown -R ${USERNAME}:${GROUPNAME} ./app.config.json && \
 chown -R ${USERNAME}:${GROUPNAME} /var/cache/nginx && \
 touch /var/run/nginx.pid && \
 chown -R ${USERNAME}:${GROUPNAME} /var/run/nginx.pid && \
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 1ce3ab2a3..1f7d7ee24 100644
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -52,10 +52,6 @@ if [[ $ACSURL ]]; then
 sed -i s%{protocol}//{hostname}{:port}%"$ACSURL"%g /usr/share/nginx/html/app.config.json
 fi
-if [[ $BASEPATH ]]; then
- sed -i s%href=\"/\"%href=\""$BASEPATH"\"%g /usr/share/nginx/html/index.html
-fi
-
 if [ -n "${APP_BASE_SHARE_URL}" ];then
 sed -e "s/\"baseShareUrl\": \".*\"/\"baseShareUrl\": \"${APP_BASE_SHARE_URL}\"/g" \
 -i ./app.config.json
diff --git a/nginx.conf b/docker/nginx.conf
similarity index 97%
rename from nginx.conf
rename to docker/nginx.conf
index c994d24ef..09126ac50 100644
--- a/nginx.conf
+++ b/docker/nginx.conf
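Review bot: In the second Dockerfile hunk, the added `chown -R ${USERNAME}:${GROUPNAME} ./app.config.json` hands the runtime user the file but not its directory, while docker/entrypoint.sh rewrites that file with `sed -i`, which normally creates a temporary file beside the target and renames it into place. If the entrypoint runs as ${USERNAME} and /usr/share/nginx/html stays root-owned (neither the USER line nor the directory's ownership is visible here, so this is inferred), those rewrites would fail and the ACSURL and APP_BASE_SHARE_URL settings would not be applied. It is worth confirming this with a non-root start of the image; if it fails, keep the web root read-only and have the entrypoint write through a scratch file, e.g. `sed ... ./app.config.json > /tmp/app.config.json && cat /tmp/app.config.json > ./app.config.json`. The `-R` is also unnecessary on a single file, and a comment such as `# only file the entrypoint rewrites at start-up; the rest of the web root stays root-owned` would record why this one file is writable. The RUN statement continues past the end of the hunk.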
@@ -18,8 +18,6 @@ http {
 gzip_proxied expired no-cache no-store private auth;
 gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
- access_log off;
-
 location / {
 try_files $uri $uri/ /index.html;
 }