fix(ownership): change Kong permissions to be kong:root

Dockerfile.apk

@@ -30,11 +30,14 @@ RUN set -ex; \
     fi \
     && tar -C / -xzf /tmp/kong.apk.tar.gz \
     && apk add --no-cache libstdc++ libgcc perl tzdata libcap zlib zlib-dev bash \
-    && adduser -S kong \
     && addgroup -S kong \
+    && adduser -S -G kong kong \
     && mkdir -p "${KONG_PREFIX}" \
-    && chown -R kong:0 ${KONG_PREFIX} \
-    && chown kong:0 /usr/local/bin/kong \
+    && chown -R root:kong ${KONG_PREFIX} \
+    && chown -R root:kong /usr/local/lib/lua \
+    && chown -R root:kong /usr/local/lib/luarocks \
+    && chown -R root:kong /usr/local/share/lua \
+    && chown root:kong /usr/local/bin/kong \
     && chmod -R g=u ${KONG_PREFIX} \
     && rm -rf /tmp/kong.apk.tar.gz \
     && ln -s /usr/local/openresty/bin/resty /usr/local/bin/resty \

Dockerfile.deb

@@ -29,8 +29,11 @@ RUN set -ex; \
     && apt-get install --yes /tmp/kong.deb \
     && rm -rf /var/lib/apt/lists/* \
     && rm -rf /tmp/kong.deb \
-    && chown kong:0 /usr/local/bin/kong \
-    && chown -R kong:0 ${KONG_PREFIX} \
+    && chown -R root:kong ${KONG_PREFIX} \
+    && chown -R root:kong /usr/local/lib/lua \
+    && chown -R root:kong /usr/local/lib/luarocks \
+    && chown -R root:kong /usr/local/share/lua \
+    && chown root:kong /usr/local/bin/kong \
     && ln -s /usr/local/openresty/bin/resty /usr/local/bin/resty \
     && ln -s /usr/local/openresty/luajit/bin/luajit /usr/local/bin/luajit \
     && ln -s /usr/local/openresty/luajit/bin/luajit /usr/local/bin/lua \

Dockerfile.rpm

@@ -50,8 +50,13 @@ RUN set -ex; \
     && rpm -iv /tmp/kong.rpm \
     && microdnf -y clean all \
     && rm /tmp/kong.rpm \
-    && chown kong:0 /usr/local/bin/kong \
-    && chown -R kong:0 ${KONG_PREFIX} \
+    && echo "addgroup -S kong" \
+    && echo "adduser -S -G kong kong" \
+    && chown -R root:kong ${KONG_PREFIX} \
+    && chown -R root:kong /usr/local/lib/lua \
+    && chown -R root:kong /usr/local/lib/luarocks \
+    && chown -R root:kong /usr/local/share/lua \
+    && chown root:kong /usr/local/bin/kong \
     && ln -s /usr/local/openresty/bin/resty /usr/local/bin/resty \
     && ln -s /usr/local/openresty/luajit/bin/luajit /usr/local/bin/luajit \
     && ln -s /usr/local/openresty/luajit/bin/luajit /usr/local/bin/lua \

tests/05-ownership.test.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+function run_test {
+  # the suite name below will only be used when running this file directly, when
+  # running through "test.sh" it must be provided using the "--suite" option.
+  tinitialize "Docker-Kong test suite" "${BASH_SOURCE[0]}"
+
+  tchapter "ownership is root:kong"
+
+
+  for filename in \
+    /usr/local/share/lua/5.1/ \
+    /usr/local/share/lua/5.1/kong/plugins/ \
+    /usr/local/lib/lua/5.1/ \
+    /usr/local/lib/luarocks/rocks-5.1/
+  do
+    ttest "owenership $filename"
+    local USR
+    local GRP
+    USR=$(docker run -ti --rm "kong-$BASE" ls -ld $filename | awk '{print $3}')
+    GRP=$(docker run -ti --rm "kong-$BASE" ls -ld $filename | awk '{print $4}')
+    if [ "$USR:$GRP" == "root:kong" ]; then
+      tsuccess
+    else
+      tmessage "user and group found to be $USR:$GRP"
+      tfailure
+    fi
+  done
+
+  tfinish
+}
+
+# No need to modify anything below this comment
+
+# shellcheck disable=SC1090  # do not follow source
+[[ "$T_PROJECT_NAME" == "" ]] && set -e && if [[ -f "${1:-$(dirname "$(realpath "$0")")/test.sh}" ]]; then source "${1:-$(dirname "$(realpath "$0")")/test.sh}"; else source "${1:-$(dirname "$(realpath "$0")")/run.sh}"; fi && set +e
+run_test

ubuntu/Dockerfile

@@ -41,8 +41,11 @@ RUN set -ex; \
     && apt install --yes /tmp/kong.deb \
     && rm -rf /var/lib/apt/lists/* \
     && rm -rf /tmp/kong.deb \
-    && chown kong:0 /usr/local/bin/kong \
-    && chown -R kong:0 /usr/local/kong \
+    && chown -R root:kong /usr/local/kong \
+    && chown -R root:kong /usr/local/lib/lua \
+    && chown -R root:kong /usr/local/lib/luarocks \
+    && chown -R root:kong /usr/local/share/lua \
+    && chown root:kong /usr/local/bin/kong \
     && ln -s /usr/local/openresty/bin/resty /usr/local/bin/resty \
     && ln -s /usr/local/openresty/luajit/bin/luajit /usr/local/bin/luajit \
     && ln -s /usr/local/openresty/luajit/bin/luajit /usr/local/bin/lua \