User and file permission configuration in Docker containers (docker-compose version 3)



Question: Are there still security risks if the files and directories are owned by root but the running process is owned by a non-root user, like www-data?

Not really. You might just need to make sure that php-fpm has read permission to these files.

You are copying the contents of /var/www/html into the image and setting ownership/permissions at build time (Dockerfile). This is OK. That's the usual use case for creating images.

But your docker-compose.yml mounts data_volume into the running container, replacing the /var/www/html from the image. So, whatever you had in that directory will be hidden. You will see the contents of the mounted volume, instead.

You might want to choose what strategy you need to persist container data. Populating /var/www/html at build time is probably OK most of the time. But, if your application writes data somewhere in that directory, then you might consider changing that path. When the container is destroyed, any data written outside mounted volumes will be lost. So, make sure your app writes to a directory that is mounted as a volume from docker-compose.yml.


Named volumes in docker are initialized to the contents of the image at their mount point. After that, unless the volume is completely empty, that initialization step is never run again to avoid data loss.

So when you first created data_volume pointing to /var/www/html, it got a copy of that directory, including the file permissions. But unless you delete or empty the data_volume, any changes you make to the Dockerfile will only update the image and the volume will overlay that directory with the contents of the volume.

If you don't need the contents of data_volume, you can docker-compose down -v to both remove the container and the volumes. Then when you run docker-compose up -d again, the volume will be created with the files with the new permissions.

If you do need the contents of data_volume to be preserved, then you can mount the volume and run the commands on the volume itself:

docker run -it --rm -v $(basename $(pwd))_data_volume:/var/www/html busybox

The above assumes you are in the same folder as your docker-compose.yml and the directory is all lower case characters. Otherwise, replace $(basename $(pwd))_data_volume with the volume name shown in docker volume ls. From inside the above container, you can run your find commands to update ownership and permissions.
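As an added example, not part of either answer above: a POSIX shell script that puts the two answers together. It derives the default compose volume name from the project directory the way the second answer describes (lower-casing it, so the all-lower-case caveat is handled), refuses to run if that volume does not exist (a `docker run -v name:/path` against an unknown name would silently create a fresh empty volume instead), and then runs the ownership and permission fix-up inside a one-off busybox container. Following the first answer, files stay owned by root with world-readable permissions; only the directory the application writes to is handed to the PHP-FPM user. The uid/gid 33 for www-data and the /var/www/html/uploads write path are assumptions for the example, not facts from the question; the project-name normalisation is assumed to match compose's and should be checked against `docker volume ls`.

```shell
#!/bin/sh
# Added example (not from the original answers): repair ownership and
# permissions inside an existing compose named volume without deleting it.
# Assumptions: PHP-FPM runs as www-data with uid/gid 33 (Debian-based php
# images), the app writes only under /var/www/html/uploads, and the compose
# project directory is the current directory.
set -eu

# docker-compose derives the default project name from the directory name:
# lower-cased, with characters outside [a-z0-9_-] dropped. This is assumed
# to match compose's own normalisation; confirm with `docker volume ls`.
compose_project_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9_-'
}

# Full name of a compose named volume: <project>_<volume>.
compose_volume_name() {
    printf '%s_%s\n' "$(compose_project_name "$1")" "$2"
}

# The commands executed inside the throwaway busybox container.
# Directories 755 and files 644 owned by root are readable by www-data;
# only the directory the application writes to is chowned to uid/gid 33.
fix_commands() {
    cat <<'EOF'
set -e
find /var/www/html -type d -exec chmod 755 {} +
find /var/www/html -type f -exec chmod 644 {} +
chown -R root:root /var/www/html
if [ -d /var/www/html/uploads ]; then
    chown -R 33:33 /var/www/html/uploads
fi
ls -ln /var/www/html
EOF
}

# Run the repair against the named volume. Fails if the volume does not
# exist, because `docker run -v name:/path` would otherwise create a new,
# empty volume and the fix-up would run against nothing.
fix_volume_permissions() {
    vol="$1"
    if ! docker volume inspect "$vol" >/dev/null 2>&1; then
        echo "volume '$vol' not found; pick the right name from: docker volume ls" >&2
        return 1
    fi
    fix_commands | docker run -i --rm -v "$vol:/var/www/html" busybox sh
}

# Usage: sh fix_volume_perms.sh fix   (from the docker-compose.yml directory)
if [ "${1:-}" = "fix" ]; then
    fix_volume_permissions "$(compose_volume_name "$(basename "$(pwd)")" data_volume)"
fi
```

Run it from the directory that holds docker-compose.yml. Because the volume keeps its contents, this is the path to take when `docker-compose down -v` is not an option; after a Dockerfile change that only alters ownership or modes, re-running this is cheaper than recreating the volume.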