From 711e1084613febb1cdfc219d0376501e62b0d7f6 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 23 Nov 2019 22:16:39 +0200
Subject: [PATCH] Use file capabilities to run as a limited user.

Instead of binding to a higher port, grant the apache2 binary
CAP_NET_BIND_SERVICE so it can bind to port 80.
---
 Dockerfile         |  2 ++
 README.md          |  4 ++--
 docker-compose.yml |  2 +-
 patch.diff         | 19 -------------------
 4 files changed, 5 insertions(+), 22 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 0d77049..326d728 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,11 +5,13 @@ RUN apt-get update && \
         apache2 \
         cgit \
         groff-base \
+        libcap2-bin \
         patch \
         python3-docutils \
         python3-markdown \
         python3-pygments \
     && \
+    setcap CAP_NET_BIND_SERVICE=+ep /usr/sbin/apache2 && \
     a2enmod cgid && \
     a2enconf cgit && \
     a2enmod status && \
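Review bot: The `setcap CAP_NET_BIND_SERVICE=+ep /usr/sbin/apache2` line carries no explanation, and the file capability it sets is silently ineffective under common hardening settings: the kernel ignores file capabilities when the process runs with no_new_privs (e.g. `--security-opt no-new-privileges`), and the capability must still be present in the container's bounding set, so `--cap-drop ALL` without `--cap-add NET_BIND_SERVICE` leaves apache2 unable to bind port 80 with no hint in the image as to why. A comment above the line would save the next maintainer that debugging session: `# File capability so apache2 can bind port 80 without root; needs NET_BIND_SERVICE in the container's bounding set and is ignored under no-new-privileges.` The capability lives in an extended attribute on the binary, so it can also be lost by image handling that does not preserve xattrs; that and the runtime requirements are worth a sentence in the README next to the port change. The RUN instruction this hunk sits in begins and ends outside the hunk, and the directive that switches to the limited user is not visible here.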
diff --git a/README.md b/README.md
index 7f0d570..ed2c2cb 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 ## Usage
 
 This container runs Apache that is configured with cgit at `/cgit`. It exposes
-port 8080 and serves the repositories under `/srv/git`. The container runs as
+port 80 and serves the repositories under `/srv/git`. The container runs as
 a limited user (`www-data`), so make sure to have the content of `/srv/git`
 readble by it. Also, if you wish to persist the cache, the location is
 `/var/cache/cgit`.
@@ -13,7 +13,7 @@ readble by it. Also, if you wish to persist the cache, the location is
 ## Example usage
 
 ```
-docker -v '/srv/git:/srv/git:ro' -p '80:8080' adarnimrod/cgit
+docker -v '/srv/git:/srv/git:ro' -p '80:80' adarnimrod/cgit
 ```
 
 There's also a `docker-compose.yml` as further example.
diff --git a/docker-compose.yml b/docker-compose.yml
index fe7700b..87a972a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,7 +9,7 @@ services:
         - adarnimrod/cgit
     image: adarnimrod/cgit
     ports:
-      - 80:8080
+      - 80:80
     volumes:
       - git:/srv/git:ro
 
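Review bot: The new mapping `- 80:80` is an unquoted `host:container` pair; 80 is above the range where the YAML 1.1 base-60 parse of `xx:yy` bites, but Compose's documentation recommends writing port mappings as quoted strings for exactly that reason, and a later edit to a port below 60 would silently become an integer. Prefer `- "80:80"` so the value is a string regardless of the numbers in it. The `services:` mapping this entry belongs to begins outside the hunk.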
diff --git a/patch.diff b/patch.diff
index 684b354..7b9e2f8 100644
--- a/patch.diff
+++ b/patch.diff
@@ -1,22 +1,3 @@
---- ports.conf	2019-11-09 19:58:29.052813201 +0200
-+++ ports.conf	2019-11-02 14:40:08.000000000 +0200
-@@ -2,7 +2,7 @@
- # have to change the VirtualHost statement in
- # /etc/apache2/sites-enabled/000-default.conf
- 
--Listen 80
-+Listen 8080
- 
- <IfModule ssl_module>
- 	Listen 443
---- sites-available/000-default.conf	2019-04-03 00:13:44.000000000 +0300
-+++ sites-available/000-default.conf	2019-11-09 20:00:01.459226750 +0200
-@@ -1,4 +1,4 @@
--<VirtualHost *:80>
-+<VirtualHost *:8080>
- 	# The ServerName directive sets the request scheme, hostname and port that
- 	# the server uses to identify itself. This is used when creating
- 	# redirection URLs. In the context of virtual hosts, the ServerName
 --- mods-available/status.conf	2019-04-03 00:13:44.000000000 +0300
 +++ mods-available/status.conf	2019-11-09 19:59:09.642896703 +0200
 @@ -5,7 +5,7 @@
-- 
GitLab