From 67f9976eeccfe29c04ec32144706985498759b19 Mon Sep 17 00:00:00 2001
From: domwhewell-sage <122788350+domwhewell-sage@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:25:21 +0000
Subject: [PATCH 1/3] Added nmap binary to local docker containers. runs as root so does not require privileges

---
 compose/local/django/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/compose/local/django/Dockerfile b/compose/local/django/Dockerfile
index 1393d07cf..8593264be 100644
--- a/compose/local/django/Dockerfile
+++ b/compose/local/django/Dockerfile
@@ -21,6 +21,8 @@ RUN apk --no-cache add build-base curl \
 # Rust and Cargo required by the ``cryptography`` Python package
 && apk --no-cache add rust \
 && apk --no-cache add cargo \
+ # Nmap required by the ``python-nmap`` Python package.
+ && apk --no-cache add nmap \
 && pip install --no-cache-dir -U setuptools pip

 COPY ./requirements /requirements

From c4a42903a2cac962e71a828c49425205bf3e39a4 Mon Sep 17 00:00:00 2001
From: domwhewell-sage <122788350+domwhewell-sage@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:25:43 +0000
Subject: [PATCH 2/3] Added nmap and libcap to production docker

---
 compose/production/django/Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/compose/production/django/Dockerfile b/compose/production/django/Dockerfile
index 1d3411b4a..bb06adbed 100644
--- a/compose/production/django/Dockerfile
+++ b/compose/production/django/Dockerfile
@@ -17,6 +17,8 @@ RUN apk --no-cache add build-base curl \
 # Rust and Cargo required by the ``cryptography`` Python package
 && apk --no-cache add rust \
 && apk --no-cache add cargo \
+ # Nmap required by the ``python-nmap`` Python package. libcap used to set the capabilities of nmap so root is not required
+ && apk --no-cache add nmap libcap \
 && addgroup -S django \
 && adduser -S -G django django \
 && pip install --no-cache-dir -U setuptools pip
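Review bot: The new comment on the `&& apk --no-cache add nmap \` line should record why this image, unlike the production one, gets no capability setup: the local container runs as root (per the commit message), and nmap without raw-socket privilege quietly falls back to connect scans with no SYN scan or OS detection, so a later move of the local image to a non-root user would change scan results without any error. Suggested comment: `# Nmap required by the ``python-nmap`` Python package. The local image runs as root, so no setcap step is needed here (compare the production Dockerfile).` The package is installed unpinned like its neighbours on this line; a `nmap=<version>` pin (hadolint DL3018) is worth considering if scanner behaviour is expected to be reproducible between rebuilds.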
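Review bot: libcap is added to the runtime layer on the `&& apk --no-cache add nmap libcap \` line although it is only needed for the later `setcap` build step, so the production image ships a privilege-manipulation tool it never uses at run time. Install it as a virtual package in the RUN that calls setcap and remove it there: `apk --no-cache add --virtual .setcap libcap && setcap cap_net_raw,cap_net_bind_service+eip /usr/bin/nmap && apk del .setcap`. The comment on this line would then read `# Nmap required by the ``python-nmap`` Python package; file capabilities are set on the binary below so root is not required`. As with the other packages in this RUN nmap is unpinned; a `nmap=<version>` pin keeps scan behaviour reproducible across rebuilds.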
@@ -46,6 +48,11 @@ RUN sed -i 's/\r//' /start-queue \
 && chmod +x /start-queue \
 && chown django /start-queue

+RUN chown django:django /usr/bin/nmap \
+ && chmod 750 /usr/bin/nmap
+
+RUN setcap cap_net_raw,cap_net_bind_service+eip /usr/bin/nmap
+
 COPY ./compose/production/django/seed_data /seed_data

 RUN sed -i 's/\r$//g' /seed_data \

From a2a42dc2518192004ff7029ff58df9bb809318db Mon Sep 17 00:00:00 2001
From: domwhewell-sage <122788350+domwhewell-sage@users.noreply.github.com>
Date: Thu, 9 Nov 2023 12:26:50 +0000
Subject: [PATCH 3/3] Set capabilities to allow non privileged user django to run nmap, and added NMAP_PRIVILEGED env variable

---
 production.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/production.yml b/production.yml
index fb2a8e1d6..3d22459b3 100644
--- a/production.yml
+++ b/production.yml
@@ -53,6 +53,7 @@ services:
 - POSTGRES_USER=${POSTGRES_USER}
 - REDIS_URL=redis://${REDIS_HOST}:${REDIS_PORT}/0
 - WEB_CONCURRENCY=${DJANGO_WEB_CONCURRENCY}
+ - NMAP_PRIVILEGED=""
 healthcheck:
 test: curl --insecure --fail https://nginx/status/simple/ || exit 1
 interval: ${HEALTHCHECK_INTERVAL}
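Review bot: `RUN chown django:django /usr/bin/nmap` with mode 750 makes the unprivileged web user the owner, and therefore a writer, of the one binary in the image that carries file capabilities, so a compromised Django process could tamper with or replace it; keep root as owner and grant execute through the group instead: `RUN chown root:django /usr/bin/nmap \` / `    && chmod 750 /usr/bin/nmap`. The setcap step must stay after the chown, because on Linux changing a file's owner or group drops its `security.capability` attribute; a comment such as `# Must run after the chown above: chown strips file capabilities` guards against a future reorder. File capabilities are only honoured when the runtime's bounding set still contains them: Docker's default set includes NET_RAW and NET_BIND_SERVICE, but a `cap_drop: ALL` on the compose service or a restricted Kubernetes policy would, as far as I can tell, make every nmap exec fail outright (the `+e` flag turns an ungrantable capability into EPERM at execve) rather than degrade to connect scans, which is worth a comment next to the setcap line. Nmap's own non-root guidance also grants `cap_net_admin`; if OS detection or other raw-packet options misbehave under the django user, that is the first thing to check. Merging the two RUN steps into one layer is also where the libcap install-and-remove belongs, so the build-only tool does not stay in the image.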
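Review bot: `- NMAP_PRIVILEGED=""` in compose's list-form `environment` most likely sets the variable to the literal two-character value `""`, since compose does not strip quotes from list entries the way it does for `.env` files; this only works because nmap tests whether the variable exists rather than its value, and it will mislead the next reader. Write it as an explicitly empty value with a comment, e.g. `- NMAP_PRIVILEGED=  # any value, even empty, tells nmap to assume raw-socket capability (granted via setcap in the Dockerfile)`. With the variable set nmap no longer probes for privilege, so if the runtime ever drops NET_RAW, scans fail instead of falling back to connect scans; that trade-off belongs in the same comment. The production Dockerfile also ships a `/start-queue` script, so if scans are launched from a worker service rather than this one, that service needs the same variable; the other services are not visible in this hunk.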