[server-ce] run node scripts as www-data user (#27504)

GitOrigin-RevId: 2fbfe1ae33b42a5a9a696be811d122882093cd49
2025-12-05 01:10:29 +00:00 · 2025-07-30 13:29:53 +02:00
parent 03a4bbb96b
commit 678d6809b9
12 changed files with 17 additions and 17 deletions
--- a/server-ce/bin/flush-history-queues
+++ b/server-ce/bin/flush-history-queues
@@ -5,4 +5,4 @@ set -euo pipefail
 source /etc/container_environment.sh
 source /etc/overleaf/env.sh
 cd /overleaf/services/project-history
-node scripts/flush_all.js 100000
+exec /sbin/setuser www-data node scripts/flush_all.js 100000
--- a/server-ce/bin/force-history-resyncs
+++ b/server-ce/bin/force-history-resyncs
@@ -5,4 +5,4 @@ set -euo pipefail
 source /etc/container_environment.sh
 source /etc/overleaf/env.sh
 cd /overleaf/services/project-history
-node scripts/force_resync.js 1000 force
+exec /sbin/setuser www-data node scripts/force_resync.js 1000 force
--- a/server-ce/bin/grunt
+++ b/server-ce/bin/grunt
@@ -11,22 +11,22 @@ cd /overleaf/services/web
 case "$TASK" in
  user:create-admin)
    echo "The grunt command is deprecated, run the create-user script using node instead"
-    node modules/server-ce-scripts/scripts/create-user.mjs --admin "$@"
+    exec /sbin/setuser www-data node modules/server-ce-scripts/scripts/create-user.mjs --admin "$@"
    ;;

  user:delete)
    echo "The grunt command is deprecated, run the delete-user script using node instead"
-    node modules/server-ce-scripts/scripts/delete-user.mjs "$@"
+    exec /sbin/setuser www-data node modules/server-ce-scripts/scripts/delete-user.mjs "$@"
    ;;

  check:mongo)
    echo "The grunt command is deprecated, run the check-mongodb script using node instead"
-    node modules/server-ce-scripts/scripts/check-mongodb.mjs
+    exec /sbin/setuser www-data node modules/server-ce-scripts/scripts/check-mongodb.mjs
    ;;

  check:redis)
    echo "The grunt command is deprecated, run the check-redis script using node instead"
-    node modules/server-ce-scripts/scripts/check-redis.mjs
+    exec /sbin/setuser www-data node modules/server-ce-scripts/scripts/check-redis.mjs
    ;;

  *)
--- a/server-ce/cron/project-history-flush-all.sh
+++ b/server-ce/cron/project-history-flush-all.sh
@@ -9,6 +9,6 @@ date

 source /etc/container_environment.sh
 source /etc/overleaf/env.sh
-cd /overleaf/services/project-history && node scripts/flush_all.js
+cd /overleaf/services/project-history && /sbin/setuser www-data node scripts/flush_all.js

 echo "Done flushing all project-history changes"
--- a/server-ce/init_preshutdown_scripts/00_close_site
+++ b/server-ce/init_preshutdown_scripts/00_close_site
@@ -12,7 +12,7 @@ echo "closed" > "${SITE_MAINTENANCE_FILE}"
 sleep 5

 # giving a grace period of 5 seconds for users before disconnecting them and start shutting down
-cd /overleaf/services/web && node scripts/disconnect_all_users.mjs --delay-in-seconds=5 >> /var/log/overleaf/web.log 2>&1
+cd /overleaf/services/web && /sbin/setuser www-data node scripts/disconnect_all_users.mjs --delay-in-seconds=5 >> /var/log/overleaf/web.log 2>&1

 EXIT_CODE="$?"
 if [ $EXIT_CODE -ne 0 ]
--- a/server-ce/init_preshutdown_scripts/01_flush_document_updater
+++ b/server-ce/init_preshutdown_scripts/01_flush_document_updater
@@ -3,7 +3,7 @@
 . /etc/container_environment.sh
 . /etc/overleaf/env.sh

-cd /overleaf/services/document-updater && node scripts/flush_all.js >> /var/log/overleaf/document-updater.log 2>&1
+cd /overleaf/services/document-updater && /sbin/setuser www-data node scripts/flush_all.js >> /var/log/overleaf/document-updater.log 2>&1

 EXIT_CODE="$?"
 if [ $EXIT_CODE -ne 0 ]
--- a/server-ce/init_preshutdown_scripts/02_flush_project_history
+++ b/server-ce/init_preshutdown_scripts/02_flush_project_history
@@ -3,7 +3,7 @@
 . /etc/container_environment.sh
 . /etc/overleaf/env.sh

-cd /overleaf/services/project-history && node scripts/flush_all.js >> /var/log/overleaf/project-history.log 2>&1
+cd /overleaf/services/project-history && /sbin/setuser www-data node scripts/flush_all.js >> /var/log/overleaf/project-history.log 2>&1

 EXIT_CODE="$?"
 if [ $EXIT_CODE -ne 0 ]
--- a/server-ce/init_scripts/500_check_db_access.sh
+++ b/server-ce/init_scripts/500_check_db_access.sh
@@ -3,6 +3,6 @@ set -e

 echo "Checking can connect to mongo and redis"
 cd /overleaf/services/web
-node modules/server-ce-scripts/scripts/check-mongodb.mjs
-node modules/server-ce-scripts/scripts/check-redis.mjs
+/sbin/setuser www-data node modules/server-ce-scripts/scripts/check-mongodb.mjs
+/sbin/setuser www-data node modules/server-ce-scripts/scripts/check-redis.mjs
 echo "All checks passed"
--- a/server-ce/init_scripts/900_run_web_migrations.sh
+++ b/server-ce/init_scripts/900_run_web_migrations.sh
@@ -9,5 +9,5 @@ fi

 echo "Running migrations for $environment"
 cd /overleaf/services/web
-npm run migrations -- migrate -t "$environment"
+/sbin/setuser www-data npm run migrations -- migrate -t "$environment"
 echo "Finished migrations"
--- a/server-ce/init_scripts/910_check_texlive_images
+++ b/server-ce/init_scripts/910_check_texlive_images
@@ -3,4 +3,4 @@ set -e

 echo "Checking texlive images"
 cd /overleaf/services/web
-node modules/server-ce-scripts/scripts/check-texlive-images.mjs
+/sbin/setuser www-data node modules/server-ce-scripts/scripts/check-texlive-images.mjs
--- a/server-ce/init_scripts/910_initiate_doc_version_recovery
+++ b/server-ce/init_scripts/910_initiate_doc_version_recovery
@@ -10,7 +10,7 @@ RESYNCS_NEEDED_FILE=/var/lib/overleaf/data/history/doc-version-recovery-resyncs-

 echo "Checking for doc version recovery. This can take a while if needed. Logs are in $LOG_FILE"
 cd /overleaf/services/history-v1
-LOG_LEVEL=info DOC_VERSION_RECOVERY_RESYNCS_NEEDED_FILE="$RESYNCS_NEEDED_FILE" node storage/scripts/recover_doc_versions.js 2>&1 | tee -a "$LOG_FILE"
+LOG_LEVEL=info DOC_VERSION_RECOVERY_RESYNCS_NEEDED_FILE="$RESYNCS_NEEDED_FILE" /sbin/setuser www-data node storage/scripts/recover_doc_versions.js 2>&1 | tee -a "$LOG_FILE"

 function resyncAllProjectsInBackground() {
  waitForService docstore 3016
--- a/server-ce/test/host-admin.js
+++ b/server-ce/test/host-admin.js
@@ -127,7 +127,7 @@ app.post(
        'sharelatex',
        'bash',
        '-c',
-        `source /etc/container_environment.sh && ${env} && node ${JSON.stringify(script)} ${args.map(a => JSON.stringify(a)).join(' ')}`,
+        `source /etc/container_environment.sh && ${env} && /sbin/setuser www-data node ${JSON.stringify(script)} ${args.map(a => JSON.stringify(a)).join(' ')}`,
      ],
      (error, stdout, stderr) => {
        res.json({
@@ -162,7 +162,7 @@ app.post(
        'sharelatex',
        'bash',
        '-c',
-        `source /etc/container_environment.sh && grunt ${JSON.stringify(task)} ${args.map(a => JSON.stringify(a)).join(' ')}`,
+        `source /etc/container_environment.sh && /sbin/setuser www-data grunt ${JSON.stringify(task)} ${args.map(a => JSON.stringify(a)).join(' ')}`,
      ],
      (error, stdout, stderr) => {
        res.json({