From 9dd560493abab52260924d891efefa53e4741a77 Mon Sep 17 00:00:00 2001
From: Olliver Schinagl <oliver@schinagl.nl>
Date: Mon, 5 Jun 2023 22:44:42 +0200
Subject: [PATCH] container: Drop privileges

A container is best served with the least amount of privileges. This
also ensures we don't have to drop anything later.

This does require running the container with elevated capabilities.

Note, that if for whatever reason, 'root' access within the container is
needed, this can easily be accomplished by running the container with
`docker run --user root:root sslh` for example.

Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
---
 Dockerfile | 2 ++
 README.md  | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 1cda8a0..f5e08bc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,3 +22,5 @@ RUN apk --no-cache add libconfig pcre2
 
 COPY "./container-entrypoint.sh" "/init"
 ENTRYPOINT [ "/init" ]
+
+USER nobody:nogroup
diff --git a/README.md b/README.md
index 97186e5..8611b9a 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,8 @@ How to use
 
 ```bash
 docker run \
+  --cap-add CAP_NET_RAW \
+  --cap-add CAP_NET_BIND_SERVICES \
   --rm \
   -it \
   ghcr.io/yrutschle/sslh:latest \