From 711e1084613febb1cdfc219d0376501e62b0d7f6 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 23 Nov 2019 22:16:39 +0200
Subject: [PATCH] Use file capabilities to run as a limited user.
Instead of binding to a higher port, grant the apache2 CAP_NET_BIND_SERVICE to bind to port 80.
---
Dockerfile | 2 ++
README.md | 4 ++--
docker-compose.yml | 2 +-
patch.diff | 19 -------------------
4 files changed, 5 insertions(+), 22 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0d77049..326d728 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,11 +5,13 @@ RUN apt-get update && \
apache2 \
cgit \
groff-base \
+ libcap2-bin \
patch \
python3-docutils \
python3-markdown \
python3-pygments \
&& \
+ setcap CAP_NET_BIND_SERVICE=+ep /usr/sbin/apache2 && \
a2enmod cgid && \
a2enconf cgit && \
a2enmod status && \
diff --git a/README.md b/README.md
index 7f0d570..ed2c2cb 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
## Usage
This container runs Apache that is configured with cgit at `/cgit`. It exposes
-port 8080 and serves the repositories under `/srv/git`. The container runs as
+port 80 and serves the repositories under `/srv/git`. The container runs as
a limited user (`www-data`), so make sure to have the content of `/srv/git`
readble by it. Also, if you wish to persist the cache, the location is
`/var/cache/cgit`.
@@ -13,7 +13,7 @@ readble by it. Also, if you wish to persist the cache, the location is
## Example usage
```
-docker -v '/srv/git:/srv/git:ro' -p '80:8080' adarnimrod/cgit
+docker -v '/srv/git:/srv/git:ro' -p '80:80' adarnimrod/cgit
```
There's also a `docker-compose.yml` as further example.
diff --git a/docker-compose.yml b/docker-compose.yml
index fe7700b..87a972a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,7 +9,7 @@ services: - adarnimrod/cgit
image: adarnimrod/cgit
ports:
- - 80:8080
+ - 80:80
volumes: - git:/srv/git:ro
diff --git a/patch.diff b/patch.diff
index 684b354..7b9e2f8 100644
--- a/patch.diff
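Review bot: The `setcap CAP_NET_BIND_SERVICE=+ep /usr/sbin/apache2` line leaves its runtime precondition undocumented: because the file capability carries the effective bit, the kernel refuses to exec apache2 (EPERM) whenever CAP_NET_BIND_SERVICE is missing from the container's bounding set, so a deployment that runs the image with `--cap-drop=ALL` or a restrictive capability profile sees the container exit at start rather than a bind error. A comment above the line such as `# apache2 needs CAP_NET_BIND_SERVICE in the container's bounding set (Docker default); file caps live in the security.capability xattr, so reinstalling apache2 in a later layer silently drops them` would save the next operator the search, and the same caveat belongs in README.md next to the new port 80 wording. Note that the grant is `+ep` (no inheritable bit), so the capability is confined to the apache2 process itself and is not passed to the CGI children that cgid spawns, which is the desired least-privilege shape and worth stating in the comment. The enclosing RUN instruction begins before the hunk and continues past its last line.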
+++ b/patch.diff
@@ -1,22 +1,3 @@
---- ports.conf 2019-11-09 19:58:29.052813201 +0200
-+++ ports.conf 2019-11-02 14:40:08.000000000 +0200
-@@ -2,7 +2,7 @@
- # have to change the VirtualHost statement in
- # /etc/apache2/sites-enabled/000-default.conf
--Listen 80
-+Listen 8080
-
- <IfModule ssl_module>
- Listen 443
---- sites-available/000-default.conf 2019-04-03 00:13:44.000000000 +0300
-+++ sites-available/000-default.conf 2019-11-09 20:00:01.459226750 +0200
-@@ -1,4 +1,4 @@
--<VirtualHost *:80>
-+<VirtualHost *:8080>
- # The ServerName directive sets the request scheme, hostname and port that
- # the server uses to identify itself. This is used when creating
- # redirection URLs. In the context of virtual hosts, the ServerName
--- mods-available/status.conf 2019-04-03 00:13:44.000000000 +0300
+++ mods-available/status.conf 2019-11-09 19:59:09.642896703 +0200
@@ -5,7 +5,7 @@
-- GitLab