[sso-admin] Fix permsissions for node_modules, ncq

node_modules needs proper permissions on image build and the Nextcloud
queue on run-time.

We also realised the user must be www-data for compatibility with the NC
image.

dd-sso/admin/docker/Dockerfile

@@ -42,7 +42,16 @@ RUN wget -O /usr/lib/python3.8/site-packages/diceware/wordlists/wordlist_cat_asc
 COPY admin/src /admin
 COPY admin/docker/run.sh /run.sh
 
-# Ensure node dependencies
+# Ensure www-data group and user (82 is default in alpine)
-RUN cd /admin/admin && HOME=/tmp su -s /bin/sh -m nobody -c "yarn install"
+RUN addgroup -g 82 -S www-data; adduser -u 82 -D -S -G www-data www-data
+
+# Fix directory permissions
+# Ensure node dependencies too
+RUN cd /admin/admin && \
+	chown www-data:www-data "." && \
+	mkdir -p "${NODE_MODULES_FOLDER:-node_modules}" && \
+	chown www-data:www-data "${NODE_MODULES_FOLDER:-node_modules}" && \
+	HOME=/tmp su -s /bin/sh -m www-data -c \
+		"yarn install --modules-folder '${NODE_MODULES_FOLDER:-node_modules}'"
 
 CMD [ "/run.sh" ]

dd-sso/admin/docker/run.sh

@@ -20,12 +20,13 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 
 # We possibly need to fix bad old permissions
-chown -R nobody:nogroup \
+chown -R www-data:www-data \
         /admin/custom \
         /admin/moodledata/saml2 /admin/saml_certs \
 	"${DATA_FOLDER}" \
-        "${LEGAL_PATH}"
+        "${LEGAL_PATH}" \
+        "${NC_MAIL_QUEUE_FOLDER}"
 
 cd /admin
 export PYTHONWARNINGS="ignore:Unverified HTTPS request"
-exec su -s /bin/sh -m nobody -c 'python3 start.py'
+exec su -s /bin/sh -m www-data -c 'python3 start.py'

dd-sso/docker-compose-parts/admin.yml

@@ -30,7 +30,6 @@ services:
     restart: unless-stopped
     volumes:
     - /etc/localtime:/etc/localtime:ro
-    - ${BUILD_SSO_ROOT_PATH}/admin/src:/admin:ro
     - ${BUILD_SSO_ROOT_PATH}/init/keycloak/jsons:/admin/keycloak-init:ro
     - ${CUSTOM_PATH}/custom:/admin/custom:rw
     - ${DATA_FOLDER}/avatars:/admin/avatars:ro