Commit 61116271 authored by nimrod's avatar nimrod
Browse files

Run as a limited user for ldap-account-manager.

- Use port 8080 (http-alt) instead of port 80 (a priviliged port).
- Run Apache with the www-data user.
- Enable the Apache status module.
parent 2f63c9d2
Loading
Loading
Loading
Loading
+1 −1
Original line number Diff line number Diff line
@@ -50,7 +50,7 @@ services:
      LDAP_BASE_DN: *base_dn
    image: adarnimrod/ldap-account-manager
    ports:
      - 80:80
      - 80:8080
    restart: always
    volumes:
      - _run_slapd:/run/slapd
+9 −5
Original line number Diff line number Diff line
@@ -8,7 +8,9 @@ RUN apt-get update && \
        patch \
        wget \
    && \
    chmod 755 /var/log/apache2 && \
    install -d -m 750 -o root -g www-data /var/log/apache2 && \
    install -d -m 755 -o www-data -g root /run/apache2 && \
    a2enmod status && \
    ln -sf /dev/stdout /var/log/apache2/access.log && \
    ln -sf /dev/stderr /var/log/apache2/error.log && \
    ln -sf /dev/stdout /var/log/apache2/lam.log && \
@@ -20,13 +22,15 @@ ENV APACHE_RUN_DIR=/run/apache2 \
    APACHE_RUN_GROUP=www-data \
    APACHE_PID_FILE=/run/apache2/apache2.pid
COPY --chown=root:root patch.diff /root/
COPY --chown=root:root entrypoint /entrypoint
COPY --chown=root:root lam-setpass /usr/local/sbin/
COPY --chown=root:root entrypoint /usr/local/bin/
COPY --chown=root:root lam-setpass /usr/local/bin/
RUN patch --strip 0 --verbose --directory / --input /root/patch.diff && \
    apache2 -t
ENV LDAP_URI=ldapi:/// \
    LAM_PASSWORD=lam
EXPOSE 80
ENTRYPOINT [ "/entrypoint" ]
EXPOSE 8080
USER "www-data"
WORKDIR /var/www
ENTRYPOINT [ "entrypoint" ]
CMD [ "apache2", "-DFOREGROUND" ]
HEALTHCHECK CMD wget --spider --quiet http://localhost/lam/ --user-agent 'Healthcheck' || exit 1
+1 −1
Original line number Diff line number Diff line
@@ -8,7 +8,7 @@ cat "$tempfile" > /var/lib/ldap-account-manager/config/lam.conf
rm "$tempfile"

# Set the password and unset the variable from memory.
chroot --userspec=www-data / /usr/local/sbin/lam-setpass "$LAM_PASSWORD"
lam-setpass "$LAM_PASSWORD"
unset LAM_PASSWORD

# Start the process.
+30 −0
Original line number Diff line number Diff line
@@ -69,3 +69,33 @@
 types: attr_group: #cn;#gidNumber;#memberUID;#description
 types: modules_group: posixGroup
 
--- /etc/apache2/ports.conf	2019-11-09 19:58:29.052813201 +0200
+++ /etc/apache2/ports.conf	2019-11-02 14:40:08.000000000 +0200
@@ -2,7 +2,7 @@
 # have to change the VirtualHost statement in
 # /etc/apache2/sites-enabled/000-default.conf
 
-Listen 80
+Listen 8080
 
 <IfModule ssl_module>
 	Listen 443
--- /etc/apache2/sites-available/000-default.conf	2019-04-03 00:13:44.000000000 +0300
+++ /etc/apache2/sites-available/000-default.conf	2019-11-09 20:00:01.459226750 +0200
@@ -1,4 +1,4 @@
-<VirtualHost *:80>
+<VirtualHost *:8080>
 	# The ServerName directive sets the request scheme, hostname and port that
 	# the server uses to identify itself. This is used when creating
 	# redirection URLs. In the context of virtual hosts, the ServerName
--- /etc/apache2/mods-available/status.conf	2019-04-03 00:13:44.000000000 +0300
+++ /etc/apache2/mods-available/status.conf	2019-11-09 19:59:09.642896703 +0200
@@ -5,7 +5,7 @@
 
 	<Location /server-status>
 		SetHandler server-status
-		Require local
+		#Require local
 		#Require ip 192.0.2.0/24
 	</Location>