Commit 61116271 authored by nimrod's avatar nimrod

Run as a limited user for ldap-account-manager.

- Use port 8080 (http-alt) instead of port 80 (a privileged port).
- Run Apache with the www-data user.
- Enable the Apache status module.
parent 2f63c9d2
......@@ -50,7 +50,7 @@ services:
LDAP_BASE_DN: *base_dn
image: adarnimrod/ldap-account-manager
ports:
- 80:80
- 80:8080
restart: always
volumes:
- _run_slapd:/run/slapd
......
......@@ -8,7 +8,9 @@ RUN apt-get update && \
patch \
wget \
&& \
chmod 755 /var/log/apache2 && \
install -d -m 750 -o root -g www-data /var/log/apache2 && \
install -d -m 755 -o www-data -g root /run/apache2 && \
a2enmod status && \
ln -sf /dev/stdout /var/log/apache2/access.log && \
ln -sf /dev/stderr /var/log/apache2/error.log && \
ln -sf /dev/stdout /var/log/apache2/lam.log && \
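Review bot: `install -d -m 750 -o root -g www-data /var/log/apache2` leaves the log directory unwritable by www-data, which is the user Apache now starts as after this commit's `USER` switch; the three symlinked logs work because they already exist, but any log file Apache has to create in that directory at startup will fail with a permission error. Debian's apache2 package ships `conf-enabled/other-vhosts-access-log.conf`, which logs to `${APACHE_LOG_DIR}/other_vhosts_access.log` — if the base image keeps it enabled (cannot tell from this hunk), httpd will refuse to start as www-data. The `apache2 -t` check later in the Dockerfile runs as root before the `USER` line and will not catch this. Either add `a2disconf other-vhosts-access-log && \` to this RUN, or add a `ln -sf /dev/stdout /var/log/apache2/other_vhosts_access.log && \` alongside the other symlinks. The RUN instruction begins above the hunk.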
......@@ -20,13 +22,15 @@ ENV APACHE_RUN_DIR=/run/apache2 \
APACHE_RUN_GROUP=www-data \
APACHE_PID_FILE=/run/apache2/apache2.pid
COPY --chown=root:root patch.diff /root/
COPY --chown=root:root entrypoint /entrypoint
COPY --chown=root:root lam-setpass /usr/local/sbin/
COPY --chown=root:root entrypoint /usr/local/bin/
COPY --chown=root:root lam-setpass /usr/local/bin/
RUN patch --strip 0 --verbose --directory / --input /root/patch.diff && \
apache2 -t
ENV LDAP_URI=ldapi:/// \
LAM_PASSWORD=lam
EXPOSE 80
ENTRYPOINT [ "/entrypoint" ]
EXPOSE 8080
USER "www-data"
WORKDIR /var/www
ENTRYPOINT [ "entrypoint" ]
CMD [ "apache2", "-DFOREGROUND" ]
HEALTHCHECK CMD wget --spider --quiet http://localhost/lam/ --user-agent 'Healthcheck' || exit 1
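Review bot: `HEALTHCHECK CMD wget --spider --quiet http://localhost/lam/ ...` on the last line still probes port 80, but after this commit Apache listens only on 8080 (`EXPOSE 8080` here and the `Listen 8080` change carried in patch.diff), so the container will be reported unhealthy as soon as the start period ends. Change the probe to `http://localhost:8080/lam/`. Separately, `ENV LDAP_URI=ldapi:/// LAM_PASSWORD=lam` remains a baked-in default credential that the entrypoint applies at startup; it predates this commit, but since the image is being hardened it would be worth making the password mandatory at run time rather than defaulting it.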
......@@ -8,7 +8,7 @@ cat "$tempfile" > /var/lib/ldap-account-manager/config/lam.conf
rm "$tempfile"
# Set the password and unset the variable from memory.
chroot --userspec=www-data / /usr/local/sbin/lam-setpass "$LAM_PASSWORD"
lam-setpass "$LAM_PASSWORD"
unset LAM_PASSWORD
# Start the process.
......
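Review bot: `lam-setpass "$LAM_PASSWORD"` now runs under the entrypoint's own user, which this commit sets to www-data through the Dockerfile's `USER` line, so the `cat "$tempfile" > /var/lib/ldap-account-manager/config/lam.conf` on the hunk-header line also runs as www-data rather than root; that requires the config directory and lam.conf to be writable by www-data, which cannot be confirmed from this hunk and is worth checking against the base image, since the previous version only dropped privileges for the lam-setpass call itself. The password is still passed as a command-line argument, so it is visible in /proc/<pid>/cmdline to any other process in the container while lam-setpass runs; if lam-setpass were changed to read it from stdin, `printf '%s' "$LAM_PASSWORD" | lam-setpass` would keep it out of argv. The script continues beyond the hunk.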
......@@ -69,3 +69,33 @@
types: attr_group: #cn;#gidNumber;#memberUID;#description
types: modules_group: posixGroup
--- /etc/apache2/ports.conf 2019-11-09 19:58:29.052813201 +0200
+++ /etc/apache2/ports.conf 2019-11-02 14:40:08.000000000 +0200
@@ -2,7 +2,7 @@
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default.conf
-Listen 80
+Listen 8080
<IfModule ssl_module>
Listen 443
--- /etc/apache2/sites-available/000-default.conf 2019-04-03 00:13:44.000000000 +0300
+++ /etc/apache2/sites-available/000-default.conf 2019-11-09 20:00:01.459226750 +0200
@@ -1,4 +1,4 @@
-<VirtualHost *:80>
+<VirtualHost *:8080>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
--- /etc/apache2/mods-available/status.conf 2019-04-03 00:13:44.000000000 +0300
+++ /etc/apache2/mods-available/status.conf 2019-11-09 19:59:09.642896703 +0200
@@ -5,7 +5,7 @@
<Location /server-status>
SetHandler server-status
- Require local
+ #Require local
#Require ip 192.0.2.0/24
</Location>
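Review bot: Commenting out `Require local` in status.conf removes the only access control on `/server-status`, and with `a2enmod status` in the Dockerfile hunk the handler is active, so any client that can reach port 8080 — including whatever the `80:8080` compose mapping publishes — can read worker state and, with ExtendedStatus, in-flight request URIs and client addresses. If the intent is to let a monitoring container scrape it, restrict by source rather than opening it to everyone: replace `#Require local` with `Require ip <MONITORING_SUBNET_PLACEHOLDER>`, or keep `Require local` and probe from inside the container. The hunk header counts 30 added lines but fewer are shown, so part of the addition may lie outside this view.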