Use file capabilities to run as a limited user.

Instead of binding to a higher port, grant the apache2 CAP_NET_BIND_SERVICE to bind to port 80.

Use file capabilities to run as a limited user.
711e1084 · nimrod · e86ea159 · 711e1084 · 711e1084 · 711e1084
Commit 711e1084 authored 5 years ago by nimrod
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,11 +5,13 @@ RUN apt-get update && \
        apache2 \
        cgit \
        groff-base \
+        libcap2-bin \
        patch \
        python3-docutils \
        python3-markdown \
        python3-pygments \
    && \
+    setcap CAP_NET_BIND_SERVICE=+ep /usr/sbin/apache2 && \
    a2enmod cgid && \
    a2enconf cgit && \
    a2enmod status && \

--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 ## Usage

 This container runs Apache that is configured with cgit at `/cgit`. It exposes
-port 8080 and serves the repositories under `/srv/git`. The container runs as
+port 80 and serves the repositories under `/srv/git`. The container runs as
 a limited user (`www-data`), so make sure to have the content of `/srv/git`
 readble by it. Also, if you wish to persist the cache, the location is
 `/var/cache/cgit`.
@@ -13,7 +13,7 @@ readble by it. Also, if you wish to persist the cache, the location is
 ## Example usage

 ```
-docker -v '/srv/git:/srv/git:ro' -p '80:8080' adarnimrod/cgit
+docker -v '/srv/git:/srv/git:ro' -p '80:80' adarnimrod/cgit
 ```

 There's also a `docker-compose.yml` as further example.

--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,7 +9,7 @@ services:
        - adarnimrod/cgit
    image: adarnimrod/cgit
    ports:
-      - 80:8080
+      - 80:80
    volumes:
      - git:/srv/git:ro


--- a/patch.diff
+++ b/patch.diff
--- ports.conf	2019-11-09 19:58:29.052813201 +0200
-+++ ports.conf	2019-11-02 14:40:08.000000000 +0200
-@@ -2,7 +2,7 @@
- # have to change the VirtualHost statement in
- # /etc/apache2/sites-enabled/000-default.conf
- 
-Listen 80
-+Listen 8080
- 
- <IfModule ssl_module>
- 	Listen 443
--- sites-available/000-default.conf	2019-04-03 00:13:44.000000000 +0300
-+++ sites-available/000-default.conf	2019-11-09 20:00:01.459226750 +0200
-@@ -1,4 +1,4 @@
-<VirtualHost *:80>
-+<VirtualHost *:8080>
- 	# The ServerName directive sets the request scheme, hostname and port that
- 	# the server uses to identify itself. This is used when creating
- 	# redirection URLs. In the context of virtual hosts, the ServerName
 --- mods-available/status.conf	2019-04-03 00:13:44.000000000 +0300
 +++ mods-available/status.conf	2019-11-09 19:59:09.642896703 +0200
 @@ -5,7 +5,7 @@