switch to non-root user in app container

Vagrantfile

@@ -32,11 +32,12 @@ Vagrant.configure("2") do |config|
 		app.vm.network "forwarded_port", guest: 8081, host: 8081
 
 		app.ssh.insert_key = true
-		app.ssh.username = "root"
+		app.ssh.username = "vagrant"
 		app.ssh.password = "vagrant"
 
 		app.vm.provider "docker" do |d|
-			d.image = "quay.io/pterodactyl/vagrant-panel"
+			d.build_dir = "./build" 
+			d.build_args = "-f=build/Dockerfile-panel"
 			d.create_args = [
 			    "-it",
 			    "--add-host=host.pterodactyl.test:172.17.0.1",
@@ -47,12 +48,12 @@ Vagrant.configure("2") do |config|
 
 			if ENV['FILE_SYNC_METHOD'] === 'docker-sync'
 				d.volumes = [
-				    "panel-sync:/root/app:nocopy",
+				    "panel-sync:/home/vagrant/app:nocopy",
 				    "#{vagrant_root}/.data/certificates:/etc/ssl/private:ro"
 				]
 			else
 				d.volumes = [
-				    "#{vagrant_root}/code/panel:/root/app:cached",
+				    "#{vagrant_root}/code/panel:/home/vagrant/app:cached",
 				    "#{vagrant_root}/.data/certificates:/etc/ssl/private:ro"
 				]
 			end
@@ -64,9 +65,9 @@ Vagrant.configure("2") do |config|
 		app.vm.provision :hostmanager
 		app.vm.provision "deploy_nginx_config", type: "file", source: "#{vagrant_root}/build/configs/nginx/pterodactyl.test.conf", destination: "/tmp/.deploy/nginx/pterodactyl.test.conf"
 		app.vm.provision "deploy_supervisor_config", type: "file", source: "#{vagrant_root}/build/configs/supervisor/pterodactyl.conf", destination: "/tmp/.deploy/supervisor/pterodactyl.conf"
-		app.vm.provision "configure_application", type: "shell", path: "#{vagrant_root}/scripts/deploy_app.sh"
+		app.vm.provision "configure_application", type: "shell", privileged: false, path: "#{vagrant_root}/scripts/deploy_app.sh"
 		app.vm.provision "setup", type: "shell", run: "never", inline: <<-SHELL
-			cd /root/app
+			cd /home/vagrant/app
 
 			cp .env .env.bkup
 			php artisan key:generate --force --no-interaction
@@ -97,6 +98,7 @@ Vagrant.configure("2") do |config|
 		wings.vm.network :private_network, ip: "192.168.50.3"
 
 		wings.vm.provision "provision", type: "shell", path: "#{vagrant_root}/scripts/provision_wings.sh"
+		config.vm.provision "file", source: "~/.gitconfig", destination: ".gitconfig"
 	end
 
 	config.vm.define "daemon", autostart: false do |daemon|

build/Dockerfile-panel

@@ -35,6 +35,10 @@ RUN curl -sL https://deb.nodesource.com/setup_12.x | sudo -E bash - \
 	&& curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer \
 	&& rm -rf /var/lib/apt/lists/*
 
-EXPOSE 80
+RUN useradd -m -s /bin/bash -p $(echo "vagrant" | openssl passwd -1 -stdin) vagrant \
+	&& echo 'ALL            ALL = (ALL) NOPASSWD: ALL' > /etc/sudoers
 
-ENTRYPOINT /usr/bin/supervisord && service ssh start && service cron start && /bin/bash
+EXPOSE 80
+USER vagrant
+
+ENTRYPOINT sudo su -c "/usr/bin/supervisord && service ssh start && service cron start && /bin/bash"

scripts/deploy_app.sh

@@ -1,8 +1,8 @@
 #!/bin/bash
 export DEBIAN_FRONTEND=noninteractive
 
-cp /tmp/.deploy/supervisor/pterodactyl.conf /etc/supervisor/conf.d/pterodactyl.conf
+sudo cp /tmp/.deploy/supervisor/pterodactyl.conf /etc/supervisor/conf.d/pterodactyl.conf
-cp /tmp/.deploy/nginx/pterodactyl.test.conf /etc/nginx/sites-available/pterodactyl.test.conf
+sudo cp /tmp/.deploy/nginx/pterodactyl.test.conf /etc/nginx/sites-available/pterodactyl.test.conf
 
 # Needed for FPM to start correctly.
 mkdir -p /run/php
@@ -10,9 +10,10 @@ mkdir -p /run/php
 # Disable xdebug on the CLI for _MASSIVE_ performance improvement
 phpdismod -s cli xdebug
 
-cd /root/app
+cd /home/vagrant/app
+sudo chown -R vagrant:vagrant *
+sudo chown -R www-data:www-data storage
 chmod -R 755 storage/* bootstrap/cache
-chown -R www-data:www-data storage
 
 # Start out in a "this isn't a new install" mode
 freshInstall=false
@@ -29,14 +30,14 @@ composer install --no-interaction --prefer-dist --no-suggest --no-scripts --no-p
 php artisan config:clear
 
 # Configure the cronjob
-(crontab -l 2>/dev/null; echo "* * * * * php /root/app/artisan schedule:run >> /dev/null 2>&1") | crontab -
+(crontab -l 2>/dev/null; echo "* * * * * php /home/vagrant/app/artisan schedule:run >> /dev/null 2>&1") | crontab -
 
 # Create symlink
-rm -f /root/app
+sudo rm -f /srv/www
-ln -s /root/app /srv/www
+sudo ln -s /home/vagrant/app /srv/www
 
 # Configure OPCache
-cat >> /etc/php/7.4/cli/conf.d/10-opcache.ini <<EOF
+sudo cat | sudo tee -a /etc/php/7.4/cli/conf.d/10-opcache.ini > /dev/null <<EOF
 opcache.revalidate_freq = 0
 opcache.max_accelerated_files = 11003
 opcache.memory_consumption = 192
@@ -46,7 +47,7 @@ opcache.enable = 1
 opcache.enable_cli = 1
 EOF
 
-cat >> /etc/php/7.4/fpm/conf.d/20-xdebug.ini <<EOF
+sudo cat | sudo tee -a /etc/php/7.4/fpm/conf.d/20-xdebug.ini > /dev/null <<EOF
 xdebug.remote_enable = 1
 xdebug.remote_host = host.docker.internal
 xdebug.remote_port = 9000
@@ -57,14 +58,14 @@ EOF
 yarn install --no-progress
 
 # Cleanup
-rm -rfv /var/www
+sudo rm -rfv /var/www
-rm -rv /etc/nginx/sites-enabled/*
+sudo rm -rv /etc/nginx/sites-enabled/*
-ln -s /etc/nginx/sites-available/pterodactyl.test.conf /etc/nginx/sites-enabled/pterodactyl.test.conf
+sudo ln -s /etc/nginx/sites-available/pterodactyl.test.conf /etc/nginx/sites-enabled/pterodactyl.test.conf
 
 # Start processes
-supervisorctl reread
+sudo supervisorctl reread
-supervisorctl update
+sudo supervisorctl update
-supervisorctl start pteroq:*
+sudo supervisorctl start pteroq:*
-supervisorctl restart nginx
+sudo supervisorctl restart nginx
 
 echo "done."