From 678d6809b9b4e4753fd93c1dd85b6471bd9a3a73 Mon Sep 17 00:00:00 2001
From: Jakob Ackermann
Date: Wed, 30 Jul 2025 13:29:53 +0200
Subject: [PATCH] [server-ce] run node scripts as www-data user (#27504)

GitOrigin-RevId: 2fbfe1ae33b42a5a9a696be811d122882093cd49
---
 server-ce/bin/flush-history-queues | 2 +-
 server-ce/bin/force-history-resyncs | 2 +-
 server-ce/bin/grunt | 8 ++++----
 server-ce/cron/project-history-flush-all.sh | 2 +-
 server-ce/init_preshutdown_scripts/00_close_site | 2 +-
 .../init_preshutdown_scripts/01_flush_document_updater | 2 +-
 .../init_preshutdown_scripts/02_flush_project_history | 2 +-
 server-ce/init_scripts/500_check_db_access.sh | 4 ++--
 server-ce/init_scripts/900_run_web_migrations.sh | 2 +-
 server-ce/init_scripts/910_check_texlive_images | 2 +-
 server-ce/init_scripts/910_initiate_doc_version_recovery | 2 +-
 server-ce/test/host-admin.js | 4 ++--
 12 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/server-ce/bin/flush-history-queues b/server-ce/bin/flush-history-queues
index b54bc5558c..6c0cd89641 100755
--- a/server-ce/bin/flush-history-queues
+++ b/server-ce/bin/flush-history-queues
@@ -5,4 +5,4 @@ set -euo pipefail
 source /etc/container_environment.sh
 source /etc/overleaf/env.sh
 cd /overleaf/services/project-history
-node scripts/flush_all.js 100000
+exec /sbin/setuser www-data node scripts/flush_all.js 100000
diff --git a/server-ce/bin/force-history-resyncs b/server-ce/bin/force-history-resyncs
index 389c98a4ad..4f48890855 100755
--- a/server-ce/bin/force-history-resyncs
+++ b/server-ce/bin/force-history-resyncs
@@ -5,4 +5,4 @@ set -euo pipefail
 source /etc/container_environment.sh
 source /etc/overleaf/env.sh
 cd /overleaf/services/project-history
-node scripts/force_resync.js 1000 force
+exec /sbin/setuser www-data node scripts/force_resync.js 1000 force
diff --git a/server-ce/bin/grunt b/server-ce/bin/grunt
index 462c68df4d..8595d67109 100755
--- a/server-ce/bin/grunt
+++ b/server-ce/bin/grunt
@@ -11,22 +11,22 @@ cd /overleaf/services/web case "$TASK" in user:create-admin) echo "The grunt command is deprecated, run the create-user script using node instead" - node modules/server-ce-scripts/scripts/create-user.mjs --admin "$@" + exec /sbin/setuser www-data node modules/server-ce-scripts/scripts/create-user.mjs --admin "$@" ;; user:delete) echo "The grunt command is deprecated, run the delete-user script using node instead" - node modules/server-ce-scripts/scripts/delete-user.mjs "$@" + exec /sbin/setuser www-data node modules/server-ce-scripts/scripts/delete-user.mjs "$@" ;; check:mongo) echo "The grunt command is deprecated, run the check-mongodb script using node instead" - node modules/server-ce-scripts/scripts/check-mongodb.mjs + exec /sbin/setuser www-data node modules/server-ce-scripts/scripts/check-mongodb.mjs ;; check:redis) echo "The grunt command is deprecated, run the check-redis script using node instead" - node modules/server-ce-scripts/scripts/check-redis.mjs + exec /sbin/setuser www-data node modules/server-ce-scripts/scripts/check-redis.mjs ;; *) diff --git a/server-ce/cron/project-history-flush-all.sh b/server-ce/cron/project-history-flush-all.sh index 8fe9eea5fc..6895617379 100755 --- a/server-ce/cron/project-history-flush-all.sh +++ b/server-ce/cron/project-history-flush-all.sh @@ -9,6 +9,6 @@ date source /etc/container_environment.sh source /etc/overleaf/env.sh -cd /overleaf/services/project-history && node scripts/flush_all.js +cd /overleaf/services/project-history && /sbin/setuser www-data node scripts/flush_all.js echo "Done flushing all project-history changes" diff --git a/server-ce/init_preshutdown_scripts/00_close_site b/server-ce/init_preshutdown_scripts/00_close_site index ed5404f817..ac579f4b10 100755 --- a/server-ce/init_preshutdown_scripts/00_close_site +++ b/server-ce/init_preshutdown_scripts/00_close_site 
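Review bot: Every arm of the `case` in server-ce/bin/grunt now does `exec /sbin/setuser www-data node …`, while the second hunk of server-ce/test/host-admin.js in this same patch starts the script as `/sbin/setuser www-data grunt …`, so on that path setuser is entered again by a process that is already www-data. Changing groups and uid normally requires root, so unless /sbin/setuser tolerates an unprivileged caller the inner call may abort before node starts; the patch does not show which is the case. Dropping privileges in one place only avoids the question: since this script now drops by itself, host-admin.js can keep invoking plain `grunt ${JSON.stringify(task)} …` as before. The `case` statement continues past the end of the hunk.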
@@ -12,7 +12,7 @@ echo "closed" > "${SITE_MAINTENANCE_FILE}" sleep 5 # giving a grace period of 5 seconds for users before disconnecting them and start shutting down -cd /overleaf/services/web && node scripts/disconnect_all_users.mjs --delay-in-seconds=5 >> /var/log/overleaf/web.log 2>&1 +cd /overleaf/services/web && /sbin/setuser www-data node scripts/disconnect_all_users.mjs --delay-in-seconds=5 >> /var/log/overleaf/web.log 2>&1 EXIT_CODE="$?" if [ $EXIT_CODE -ne 0 ] diff --git a/server-ce/init_preshutdown_scripts/01_flush_document_updater b/server-ce/init_preshutdown_scripts/01_flush_document_updater index 0900fe5fac..b4529f856b 100755 --- a/server-ce/init_preshutdown_scripts/01_flush_document_updater +++ b/server-ce/init_preshutdown_scripts/01_flush_document_updater @@ -3,7 +3,7 @@ . /etc/container_environment.sh . /etc/overleaf/env.sh -cd /overleaf/services/document-updater && node scripts/flush_all.js >> /var/log/overleaf/document-updater.log 2>&1 +cd /overleaf/services/document-updater && /sbin/setuser www-data node scripts/flush_all.js >> /var/log/overleaf/document-updater.log 2>&1 EXIT_CODE="$?" if [ $EXIT_CODE -ne 0 ] diff --git a/server-ce/init_preshutdown_scripts/02_flush_project_history b/server-ce/init_preshutdown_scripts/02_flush_project_history index f8ac51600c..2844379ceb 100755 --- a/server-ce/init_preshutdown_scripts/02_flush_project_history +++ b/server-ce/init_preshutdown_scripts/02_flush_project_history @@ -3,7 +3,7 @@ . /etc/container_environment.sh . /etc/overleaf/env.sh -cd /overleaf/services/project-history && node scripts/flush_all.js >> /var/log/overleaf/project-history.log 2>&1 +cd /overleaf/services/project-history && /sbin/setuser www-data node scripts/flush_all.js >> /var/log/overleaf/project-history.log 2>&1 EXIT_CODE="$?" if [ $EXIT_CODE -ne 0 ] diff --git a/server-ce/init_scripts/500_check_db_access.sh b/server-ce/init_scripts/500_check_db_access.sh index bbf2b9ec26..f71acc8e01 100755 
--- a/server-ce/init_scripts/500_check_db_access.sh +++ b/server-ce/init_scripts/500_check_db_access.sh @@ -3,6 +3,6 @@ set -e echo "Checking can connect to mongo and redis" cd /overleaf/services/web -node modules/server-ce-scripts/scripts/check-mongodb.mjs -node modules/server-ce-scripts/scripts/check-redis.mjs +/sbin/setuser www-data node modules/server-ce-scripts/scripts/check-mongodb.mjs +/sbin/setuser www-data node modules/server-ce-scripts/scripts/check-redis.mjs echo "All checks passed" diff --git a/server-ce/init_scripts/900_run_web_migrations.sh b/server-ce/init_scripts/900_run_web_migrations.sh index 59b7d23ea0..cc206a528b 100755 --- a/server-ce/init_scripts/900_run_web_migrations.sh +++ b/server-ce/init_scripts/900_run_web_migrations.sh @@ -9,5 +9,5 @@ fi echo "Running migrations for $environment" cd /overleaf/services/web -npm run migrations -- migrate -t "$environment" +/sbin/setuser www-data npm run migrations -- migrate -t "$environment" echo "Finished migrations" diff --git a/server-ce/init_scripts/910_check_texlive_images b/server-ce/init_scripts/910_check_texlive_images index 90dec0061f..047dea5b60 100755 --- a/server-ce/init_scripts/910_check_texlive_images +++ b/server-ce/init_scripts/910_check_texlive_images @@ -3,4 +3,4 @@ set -e echo "Checking texlive images" cd /overleaf/services/web -node modules/server-ce-scripts/scripts/check-texlive-images.mjs +/sbin/setuser www-data node modules/server-ce-scripts/scripts/check-texlive-images.mjs diff --git a/server-ce/init_scripts/910_initiate_doc_version_recovery b/server-ce/init_scripts/910_initiate_doc_version_recovery index 1daecd3c2f..0602e19872 100755 --- a/server-ce/init_scripts/910_initiate_doc_version_recovery +++ b/server-ce/init_scripts/910_initiate_doc_version_recovery 
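Review bot: In 900_run_web_migrations.sh, `npm run migrations` now executes as www-data, and npm keeps its cache and log files under the invoking user's home directory unless told otherwise. If /sbin/setuser points HOME at www-data's home and that directory is not writable in the image, npm may warn or fail for reasons unrelated to the migration itself; neither the home directory nor its permissions is visible in this patch, so this is worth checking on both a fresh and an upgraded container. A comment above the line such as `# npm runs as www-data: its cache/log directory must be writable by that user` would record the dependency, or the location can be pinned explicitly through `npm_config_cache`.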
@@ -10,7 +10,7 @@ RESYNCS_NEEDED_FILE=/var/lib/overleaf/data/history/doc-version-recovery-resyncs- echo "Checking for doc version recovery. This can take a while if needed. Logs are in $LOG_FILE" cd /overleaf/services/history-v1 -LOG_LEVEL=info DOC_VERSION_RECOVERY_RESYNCS_NEEDED_FILE="$RESYNCS_NEEDED_FILE" node storage/scripts/recover_doc_versions.js 2>&1 | tee -a "$LOG_FILE" +LOG_LEVEL=info DOC_VERSION_RECOVERY_RESYNCS_NEEDED_FILE="$RESYNCS_NEEDED_FILE" /sbin/setuser www-data node storage/scripts/recover_doc_versions.js 2>&1 | tee -a "$LOG_FILE" function resyncAllProjectsInBackground() { waitForService docstore 3016 diff --git a/server-ce/test/host-admin.js b/server-ce/test/host-admin.js index 799c83b6bb..4bdc01bce6 100644 --- a/server-ce/test/host-admin.js +++ b/server-ce/test/host-admin.js @@ -127,7 +127,7 @@ app.post( 'sharelatex', 'bash', '-c', - `source /etc/container_environment.sh && ${env} && node ${JSON.stringify(script)} ${args.map(a => JSON.stringify(a)).join(' ')}`, + `source /etc/container_environment.sh && ${env} && /sbin/setuser www-data node ${JSON.stringify(script)} ${args.map(a => JSON.stringify(a)).join(' ')}`, ], (error, stdout, stderr) => { res.json({ @@ -162,7 +162,7 @@ app.post( 'sharelatex', 'bash', '-c', - `source /etc/container_environment.sh && grunt ${JSON.stringify(task)} ${args.map(a => JSON.stringify(a)).join(' ')}`, + `source /etc/container_environment.sh && /sbin/setuser www-data grunt ${JSON.stringify(task)} ${args.map(a => JSON.stringify(a)).join(' ')}`, ], (error, stdout, stderr) => { res.json({
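Review bot: `recover_doc_versions.js` is handed `DOC_VERSION_RECOVERY_RESYNCS_NEEDED_FILE` under /var/lib/overleaf/data/history and now runs as www-data, so an installation whose data volume was populated while this step still ran as root may hold a directory or marker file that www-data cannot write (presumably the script writes that file; its code is not part of the patch). Such a failure would be easy to miss, because the command is piped into `tee -a "$LOG_FILE"` and the pipeline's status is tee's unless `pipefail` is set above the hunk. Consider verifying ownership of the parent directory before the call, or testing `${PIPESTATUS[0]}` immediately after the pipeline. The script continues beyond the hunk with `resyncAllProjectsInBackground`.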
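Review bot: The string handed to `bash -c` in server-ce/test/host-admin.js still relies on `JSON.stringify` to quote `script` and each element of `args`, and JSON double quotes are not shell quoting: inside them bash still performs parameter expansion and command substitution. The added `/sbin/setuser www-data` lowers the privileges of the node process, but the whole string is parsed by the outer shell first (presumably as root, since `source` and `${env}` run before setuser), so the request values are interpreted before the drop takes effect. Passing them as positional parameters removes the quoting question: end the string with `/sbin/setuser www-data node "$@"` and append `'bash', script, ...args` to the argument array after it. The hunk at line 162 builds the `grunt` command the same way and would take the same change; `env` is assembled outside both hunks and is not covered by this note.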