Use file capabilities instead of a higher port for LAM.

Run as a limited user and bind to the regular HTTP port using file capabilities.

Use file capabilities instead of a higher port for LAM.
7da51307 · nimrod · bfa237e3 · 7da51307 · 7da51307 · 7da51307
Commit 7da51307 authored 5 years ago by nimrod
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -50,7 +50,7 @@ services:
      LDAP_BASE_DN: *base_dn
    image: adarnimrod/ldap-account-manager
    ports:
-      - 80:8080
+      - 80:80
    restart: always
    volumes:
      - _run_slapd:/run/slapd

--- a/ldap-account-manager/Dockerfile
+++ b/ldap-account-manager/Dockerfile
@@ -5,9 +5,11 @@ RUN apt-get update && \
        ca-certificates \
        gettext-base \
        ldap-account-manager \
+        libcap2-bin \
        patch \
        wget \
    && \
+    setcap CAP_NET_BIND_SERVICE=+ep /usr/sbin/apache2 && \
    install -d -m 750 -o root -g www-data /var/log/apache2 && \
    install -d -m 755 -o www-data -g root /run/apache2 && \
    a2enmod status && \
@@ -28,7 +30,7 @@ RUN patch --strip 0 --verbose --directory / --input /root/patch.diff && \
    apache2 -t
 ENV LDAP_URI=ldapi:/// \
    LAM_PASSWORD=lam
-EXPOSE 8080
+EXPOSE 80
 USER "www-data"
 WORKDIR /var/www
 ENTRYPOINT [ "entrypoint" ]

--- a/ldap-account-manager/patch.diff
+++ b/ldap-account-manager/patch.diff
@@ -69,25 +69,6 @@
 types: attr_group: #cn;#gidNumber;#memberUID;#description
 types: modules_group: posixGroup
 
--- /etc/apache2/ports.conf	2019-11-09 19:58:29.052813201 +0200
-+++ /etc/apache2/ports.conf	2019-11-02 14:40:08.000000000 +0200
-@@ -2,7 +2,7 @@
- # have to change the VirtualHost statement in
- # /etc/apache2/sites-enabled/000-default.conf
- 
-Listen 80
-+Listen 8080
- 
- <IfModule ssl_module>
- 	Listen 443
--- /etc/apache2/sites-available/000-default.conf	2019-04-03 00:13:44.000000000 +0300
-+++ /etc/apache2/sites-available/000-default.conf	2019-11-09 20:00:01.459226750 +0200
-@@ -1,4 +1,4 @@
-<VirtualHost *:80>
-+<VirtualHost *:8080>
- 	# The ServerName directive sets the request scheme, hostname and port that
- 	# the server uses to identify itself. This is used when creating
- 	# redirection URLs. In the context of virtual hosts, the ServerName
 --- /etc/apache2/mods-available/status.conf	2019-04-03 00:13:44.000000000 +0300
 +++ /etc/apache2/mods-available/status.conf	2019-11-09 19:59:09.642896703 +0200
 @@ -5,7 +5,7 @@