Services/shop-platform
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

chore(docker): 强制修复PHP容器内的权限

Browse Source
This commit is contained in:
ZF Sun
2025-12-08 10:04:07 +08:00
parent 51fd354cbf
commit cff7580880
1 changed files with 70 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

86
docker/php/entrypoint.sh
View File

@@ -1,15 +1,25 @@
#!/bin/bash #!/bin/bash
set -e set -e
# 设置全局umask
umask 0002
echo "=== ThinkPHP Docker权限初始化 ===" echo "=== ThinkPHP Docker权限初始化 ==="
# 定义应用根目录
APP_ROOT="/var/www/html"
# 获取正确的用户和组
if [ -n "$USER_ID" ] && [ -n "$GROUP_ID" ]; then
# 如果指定了用户ID修改www-data
usermod -u $USER_ID www-data
groupmod -g $GROUP_ID www-data
fi
echo "当前用户: $(whoami)"
echo "UID: $(id -u), GID: $(id -g)"
# 修复目录所有权和权限 # 修复目录所有权和权限
fix_directory_permissions() { fix_directory_permissions() {
local dir=$1 local dir=$1
echo "修复目录权限: $dir" echo "修复PHP目录权限: $dir"
# 确保目录存在 # 确保目录存在
mkdir -p "$dir" mkdir -p "$dir"
@@ -25,33 +35,77 @@ fix_directory_permissions() {
# 尝试设置ACL如果支持 # 尝试设置ACL如果支持
if command -v setfacl >/dev/null 2>&1; then if command -v setfacl >/dev/null 2>&1; then
setfacl -d -m u:www-data:rwx -m u:root:rwx "$dir" 2>/dev/null || true setfacl -dR -m u:www-data:rwx "$dir"
setfacl -Rm u:www-data:rwx "$dir" 2>/dev/null || true
fi fi
find "$dir" -type d -exec chmod 775 {} \;
find "$dir" -type f -exec chmod 775 {} \;
find "$dir" -type d -exec chmod g+s {} \;
find "$dir" -type f -exec chmod g+s {} \;
echo "$dir 权限设置完成" # 设置umask
umask 0002
echo "$dir 权限设置完成, 目录权限: $(stat -c '%a %n' "$dir"), setgid权限: $(stat -c '%a %n' "$dir" | grep 's')"
} }
# 处理所有需要权限的目录 # 处理所有需要权限的目录
directories=("runtime" "upload") directories=("runtime" "upload" "runtime/log" "runtime/cache" "runtime/temp")
for dir in "${directories[@]}"; do for dir in "${directories[@]}"; do
fix_directory_permissions "/var/www/html/$dir" fix_directory_permissions "$APP_ROOT/$dir"
done done
# 验证权限 # 验证权限
echo "=== 权限验证 ===" echo "=== 权限验证 ==="
echo "当前用户: $(whoami)" echo "当前用户: $(whoami)"
echo "当前UID: $(id -u), GID: $(id -g)" echo "当前UID: $(id -u), GID: $(id -g)"
echo "当前umask: $(umask)" echo "当前umask: $(umask)"
# 测试写入权限 # 验证www-data用户是否可以在runtime和upload目录下新建子目录
sudo -u www-data mkdir -p /var/www/html/runtime/test_dir 2>/dev/null && \
echo "✅ runtime目录新建子目录测试通过" || \
echo "❌ runtime目录新建子目录失败"
sudo -u www-data mkdir -p /var/www/html/upload/test_dir 2>/dev/null && \ # 方法1使用sudo
echo "✅ upload目录新建子目录测试通过" || \ if command -v sudo >/dev/null 2>&1; then
echo "❌ upload目录新建子目录失败" echo "使用sudo测试..."
if sudo -u www-data mkdir -p $APP_ROOT/runtime/log/test_dir 2>/dev/null; then
echo "✅ sudo: runtime目录创建子目录成功 [使用www-data用户]"
rm -rf $APP_ROOT/runtime/log/test_dir
else
echo "❌ sudo: runtime目录创建子目录失败 [使用www-data用户]"
fi
fi
# 方法2使用su
echo "使用su测试..."
if su -s /bin/sh -c "mkdir -p $APP_ROOT/runtime/log/test_dir" www-data 2>/dev/null; then
echo "✅ su: runtime目录创建子目录成功 [使用www-data用户]"
rm -rf $APP_ROOT/runtime/log/test_dir
else
echo "❌ su: runtime目录创建子目录失败 [使用www-data用户]"
fi
# 方法3使用runuser
if command -v runuser >/dev/null 2>&1; then
echo "使用runuser测试..."
if runuser -u www-data -- mkdir -p $APP_ROOT/runtime/log/test_dir 2>/dev/null; then
echo "✅ runuser: runtime目录创建子目录成功 [使用www-data用户]"
rm -rf $APP_ROOT/runtime/log/test_dir
else
echo "❌ runuser: runtime目录创建子目录失败 [使用www-data用户]"
fi
fi
# 检查www-data用户和组
echo "检查www-data用户..."
id www-data
groups www-data
# 检查目录的实际权限
echo "检查目录权限..."
ls -ld $APP_ROOT/runtime/log
ls -ld $APP_ROOT/runtime/cache
ls -ld $APP_ROOT/runtime/temp
ls -ld $APP_ROOT/upload
echo "=== 启动应用 ===" echo "=== 启动应用 ==="