From 7da513073589b9f9abde729e3fa247568bf7a182 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 23 Nov 2019 21:03:11 +0200
Subject: [PATCH] Use file capabilities instead of a higher port for LAM.

Run as a limited user and bind to the regular HTTP port using file capabilities.
---
 docker-compose.yml | 2 +-
 ldap-account-manager/Dockerfile | 4 +++-
 ldap-account-manager/patch.diff | 19 -------------------
 3 files changed, 4 insertions(+), 21 deletions(-)

diff --git a/docker-compose.yml b/docker-compose.yml
index 1062033..5aab814 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -50,7 +50,7 @@ services:
 LDAP_BASE_DN: *base_dn
 image: adarnimrod/ldap-account-manager
 ports:
- - 80:8080
+ - 80:80
 restart: always
 volumes:
 - _run_slapd:/run/slapd
diff --git a/ldap-account-manager/Dockerfile b/ldap-account-manager/Dockerfile
index c7d257e..ea9a02c 100644
--- a/ldap-account-manager/Dockerfile
+++ b/ldap-account-manager/Dockerfile
@@ -5,9 +5,11 @@ RUN apt-get update && \
 ca-certificates \
 gettext-base \
 ldap-account-manager \
+ libcap2-bin \
 patch \
 wget \
 && \
+ setcap CAP_NET_BIND_SERVICE=+ep /usr/sbin/apache2 && \
 install -d -m 750 -o root -g www-data /var/log/apache2 && \
 install -d -m 755 -o www-data -g root /run/apache2 && \
 a2enmod status && \
@@ -28,7 +30,7 @@ RUN patch --strip 0 --verbose --directory / --input /root/patch.diff && \
 apache2 -t
 ENV LDAP_URI=ldapi:/// \
 LAM_PASSWORD=lam
-EXPOSE 8080
+EXPOSE 80
 USER "www-data"
 WORKDIR /var/www
 ENTRYPOINT [ "entrypoint" ]
diff --git a/ldap-account-manager/patch.diff b/ldap-account-manager/patch.diff
index 360dca4..d39c2fb 100644
--- a/ldap-account-manager/patch.diff
+++ b/ldap-account-manager/patch.diff
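Review bot: The added `setcap CAP_NET_BIND_SERVICE=+ep /usr/sbin/apache2` line in the first Dockerfile hunk carries no comment explaining why the file capability exists or what the runtime must provide for it. Because the effective bit is set, the kernel refuses to execute the binary when CAP_NET_BIND_SERVICE is missing from the container's bounding set, so a hardened deployment that drops all capabilities fails at container start instead of degrading; a comment such as `# file capability lets www-data bind port 80; the runtime must keep CAP_NET_BIND_SERVICE in the bounding set (cap_drop ALL breaks startup)` above the setcap line would record that contract next to the `EXPOSE 80` change in the second hunk. It is also worth noting in the same comment that any later reinstall or upgrade of the apache2 package replaces the binary and silently discards the capability, which is why the setcap belongs in the same RUN as the package install. The enclosing RUN instruction starts before the first hunk and continues past its last line.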
@@ -69,25 +69,6 @@ types: attr_group: #cn;#gidNumber;#memberUID;#description
 types: modules_group: posixGroup
---- /etc/apache2/ports.conf 2019-11-09 19:58:29.052813201 +0200
-+++ /etc/apache2/ports.conf 2019-11-02 14:40:08.000000000 +0200
-@@ -2,7 +2,7 @@
- # have to change the VirtualHost statement in
- # /etc/apache2/sites-enabled/000-default.conf
--Listen 80
-+Listen 8080
- <IfModule ssl_module>
- Listen 443
---- /etc/apache2/sites-available/000-default.conf 2019-04-03 00:13:44.000000000 +0300
-+++ /etc/apache2/sites-available/000-default.conf 2019-11-09 20:00:01.459226750 +0200
-@@ -1,4 +1,4 @@
--<VirtualHost *:80>
-+<VirtualHost *:8080>
- # The ServerName directive sets the request scheme, hostname and port that
- # the server uses to identify itself. This is used when creating
- # redirection URLs. In the context of virtual hosts, the ServerName
 --- /etc/apache2/mods-available/status.conf 2019-04-03 00:13:44.000000000 +0300
 +++ /etc/apache2/mods-available/status.conf 2019-11-09 19:59:09.642896703 +0200
 @@ -5,7 +5,7 @@
-- GitLab