From 7226f95da4834d5e38cc4d0896ece8369840c814 Mon Sep 17 00:00:00 2001
From: doankhachung
Date: Thu, 28 May 2026 15:06:08 +0700
Subject: [PATCH] fix(runtime): run php-fpm as remapped user
---
 docker/php/etc/entrypoint.sh | 7 +++++++
 tests/php_runtime_cron_support_test.go | 10 ++++++++++
 2 files changed, 17 insertions(+)
diff --git a/docker/php/etc/entrypoint.sh b/docker/php/etc/entrypoint.sh
index 3bb41af3..c8dd258d 100755
--- a/docker/php/etc/entrypoint.sh
+++ b/docker/php/etc/entrypoint.sh
@@ -23,12 +23,15 @@ if [ -n "${PUID:-}" ] && [ "${PUID}" != "1000" ]; then
 fi
 fi
+UID_REMAP_CHANGED=0
 if [ -n "${PUID:-}" ]; then
 CURRENT_UID=$(id -u www-data)
 if [ "${CURRENT_UID}" != "${PUID}" ]; then
 echo "Updating www-data UID to ${PUID}..."
 if ! sudo usermod -u "${PUID}" www-data; then
 echo "Warning: could not update www-data UID to ${PUID}; continuing with UID ${CURRENT_UID}." >&2
+ else
+ UID_REMAP_CHANGED=1
 fi
 fi
 fi
@@ -136,4 +139,8 @@ if [ -n "${NODE_VERSION:-}" ]; then
 fi
 fi
+if [ "${UID_REMAP_CHANGED}" = "1" ] && [ "$(id -u)" != "$(id -u www-data)" ]; then
+ exec sudo -E -H -u www-data "$@"
+fi
+
 exec "$@"
diff --git a/tests/php_runtime_cron_support_test.go b/tests/php_runtime_cron_support_test.go
index 2d872cec..29198bb0 100644
--- a/tests/php_runtime_cron_support_test.go
+++ b/tests/php_runtime_cron_support_test.go
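Review bot: The relaunch guard added at the end of entrypoint.sh requires `UID_REMAP_CHANGED` to be 1, and that flag is only set on the start where `usermod` actually ran. On a later restart of the same container the remap is already in /etc/passwd, so the flag stays 0 and the script falls through to `exec "$@"`; if the entrypoint is still started under the old numeric UID at that point (this depends on how the image sets its user, which the diff does not show), php-fpm would run under the stale UID rather than the remapped one. Either gate on the UID comparison alone or add a comment above the `if` stating why the flag is required, for example `# Only relaunch when this start performed the remap; a root or already-remapped start must use the plain exec below.` Separately, `-E` passes every entrypoint variable to the relaunched process and presumably relies on the image's sudoers policy allowing environment preservation, so a failed `exec sudo` would stop the container; a short comment that this is intended would help the next reader.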
@@ -62,6 +62,16 @@ func TestPHPEntrypointUpdatesGIDBeforeUID(t *testing.T) {
 }
 }
+func TestPHPEntrypointRelaunchesProcessAfterUIDRemap(t *testing.T) {
+ content := readProjectFileForTest(t, filepath.Join("docker", "php", "etc", "entrypoint.sh"))
+ if !strings.Contains(content, "UID_REMAP_CHANGED=1") {
+ t.Fatalf("expected php entrypoint to track successful UID remaps, got:\n%s", content)
+ }
+ if !strings.Contains(content, "exec sudo -E -H -u www-data \"$@\"") {
+ t.Fatalf("expected php entrypoint to launch php-fpm as remapped www-data, got:\n%s", content)
+ }
+}
+
 func TestPHPEntrypointStartsCrondBestEffort(t *testing.T) {
 content := readProjectFileForTest(t, filepath.Join("docker", "php", "etc", "entrypoint.sh"))
 if !strings.Contains(content, "sudo crond 2>/dev/null || true") {
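Review bot: TestPHPEntrypointRelaunchesProcessAfterUIDRemap only checks that two literal strings occur somewhere in entrypoint.sh, so it would still pass if the `exec sudo -E -H -u www-data "$@"` line became unconditional or if `UID_REMAP_CHANGED=1` moved out of the success branch of `usermod`. Asserting the guard text as well would pin the condition the commit relies on, e.g. `if !strings.Contains(content, "[ \"${UID_REMAP_CHANGED}\" = \"1\" ]") { t.Fatalf("expected relaunch to be gated on a successful UID remap, got:\n%s", content) }`. Because this is a static text check, the failure messages would be more accurate if they said the script "contains" the expected line rather than that it launches php-fpm as the remapped user. The following function, TestPHPEntrypointStartsCrondBestEffort, continues outside the hunk.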