From what I understand, running a Docker container with full permissions as the root user isn’t ideal due to potential security risks. It might be better to limit the Docker container’s access to the file system by setting the user manually in the Dockerfile or elsewhere.
A few weeks ago, I stumbled upon the user flag in docker-compose. If I’m interpreting it correctly, it allows setting the execution user’s UID and GID.
So, wouldn’t it be a good idea to set this flag to "82:82" for all containers that are sharing files with the Nextcloud server? This way, files wouldn’t accidentally be created or accessed as root.
Are there any internal functionalities or considerations within Nextcloud that would make this approach inadvisable?
I would really appreciate any input on this matter.
> From what I understand, running a Docker container with full permissions as the root user isn’t ideal due to potential security risks
There are security trade-offs in both directions. It depends on what you’re most concerned about security-wise.
> A few weeks ago, I stumbled upon the user flag in docker-compose. If I’m interpreting it correctly, it allows setting the execution user’s UID and GID
> […]
> Are there any internal functionalities or considerations within Nextcloud that would make this approach inadvisable?
Yes, you can use Docker’s user with the image. The main caveat is that if you’re using Redis (typical), the PHP redis-session handler config can’t be set by the entrypoint automatically (see here).
(You’ll see the error in the container startup).
You can readily fix this by mounting your own /usr/local/etc/php/conf.d/redis-session.ini within the container with the changes. An example for doing that is here.
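
The setup described in the answer, as an added example that is not part of either post or of the Nextcloud image: a script that writes a redis-session.ini and a Compose override which sets the user and mounts that file read-only. The service name app, the Redis host redis on port 6379 and the lock settings in the ini file are assumptions.

```shell
#!/bin/sh
# Added example: prepares a non-root Nextcloud container with Redis sessions.
# Assumed (not from the thread): service name "app", Redis host "redis",
# port 6379, and the lock values written to the ini file.

# Accept only a numeric "uid:gid" whose uid is not 0 (root).
check_user_spec() {
    case "$1" in
        *[!0-9:]*|*:*:*|:*|*:) return 1 ;;
        *:*) ;;
        *) return 1 ;;
    esac
    [ "${1%%:*}" -ne 0 ]
}

# $1 = output file, $2 = Redis host, $3 = Redis port
write_redis_session_ini() {
    cat > "$1" <<EOF
session.save_handler = redis
session.save_path = "tcp://$2:$3"
redis.session.locks_enabled = 1
redis.session.lock_retries = -1
redis.session.lock_wait_time = 10000
EOF
    chmod 0644 "$1"   # must be readable by the unprivileged container user
}

# $1 = output file, $2 = service, $3 = uid:gid, $4 = absolute ini path on host
write_compose_override() {
    cat > "$1" <<EOF
services:
  $2:
    user: "$3"
    volumes:
      - $4:/usr/local/etc/php/conf.d/redis-session.ini:ro
EOF
}

USER_SPEC="${USER_SPEC:-82:82}"     # value proposed in the question
OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
# An absolute host path keeps the bind mount unambiguous.
mkdir -p "$OUT_DIR" && OUT_DIR=$(cd "$OUT_DIR" && pwd)
check_user_spec "$USER_SPEC" || { echo "refusing user spec: $USER_SPEC" >&2; exit 1; }
write_redis_session_ini "$OUT_DIR/redis-session.ini" redis 6379
write_compose_override "$OUT_DIR/docker-compose.override.yml" app "$USER_SPEC" "$OUT_DIR/redis-session.ini"
echo "wrote $OUT_DIR/redis-session.ini and $OUT_DIR/docker-compose.override.yml"
```

Run it with OUT_DIR set to the directory that holds docker-compose.yml; Compose merges docker-compose.override.yml automatically, and the service name in the override has to match the one in your compose file.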