From 85a5689dbb79c3c0bead61586c294cfd1585a1d1 Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Sun, 21 Nov 2021 05:32:10 +0000
Subject: [PATCH] refactor(setcap-netbind): update bash to style, update docs

---
 setcap-netbind/README.md | 57 +++++++++++++++++++++++++++-----
 setcap-netbind/install.sh | 20 +++++++----
 setcap-netbind/setcap-netbind.sh | 37 +++++++++++++--------
 3 files changed, 86 insertions(+), 28 deletions(-)

diff --git a/setcap-netbind/README.md b/setcap-netbind/README.md
index 47431ab..6169094 100644
--- a/setcap-netbind/README.md
+++ b/setcap-netbind/README.md
@@ -1,23 +1,64 @@ --- title: setcap-netbind -homepage: https://github.com/webinstall/webi-installers/setcap-netbind/README.md +homepage: https://github.com/webinstall/webi-installers/setcap-netbind/ tagline: | setcap-netbind: Give a binary the ability to bind to privileged ports. --- -setcap-netbind will grant the specified program the ability to listen on +## Cheat Sheet + +> Because no one can ever remember `setcap 'cap_net_bind_service=+ep'`. +> Everybody has to look it up. Every. Time. +> +> Well... not anymore. +> +> `setcap-netbind` does that ^^, plus it follows links - which is nice. + +Gives a command permission to run on privileged ports (80, 443, etc). + +```txt +Usage: + sudo setcap-netbind + +Example: + sudo setcap-netbind node +``` + +`setcap-netbind` will grant the specified program the ability to listen on privileged ports, such as 80 (http) and 443 (https) without root privileges or -sudo. It seeks out the specified binary in your path and reads down symlinks to -make usage as painless as possible. +`sudo`. It seeks out the specified binary in your path and reads down symlinks +to make usage as painless as possible. -## Cheat Sheet +**_Note_**: Capability binding is specific to a particular binary file. You'll +need to rerun `setcap-netbind ` each time you upgrade or reinstall a +command. + +# How to use plain setcap + +These two commands are equivalent: ```bash sudo setcap-netbind node ``` -This is the same as running the full command: - ```bash -sudo setcap 'cap_net_bind_service=+ep' $(readlink -f $(which node)) +sudo setcap 'cap_net_bind_service=+ep' "$(readlink -f "$(command -v node)")" ``` + +The benefit of `setcap-netbind` is simply that it's easier to remember (and will +auto-complete with tab), and it will follow symbolic links. \ +(`setcap` will not work on symlinks - probably as a security measure) + + diff --git a/setcap-netbind/install.sh b/setcap-netbind/install.sh index b30f73b..e232fb1 100644 --- a/setcap-netbind/install.sh 
+++ b/setcap-netbind/install.sh @@ -1,10 +1,18 @@ #!/bin/bash +set -e +set -u -{ - set -e - set -u +function __install_setcap_netbind() { + # remove prior version, if exists + rm -f ~/.local/bin/setcap-netbind - rm -f "$HOME/.local/bin/setcap-netbind" - webi_download "$WEBI_HOST/packages/setcap-netbind/setcap-netbind.sh" "$HOME/.local/bin/setcap-netbind" - chmod a+x "$HOME/.local/bin/setcap-netbind" + # download latest version, directly to ~/.local/bin + webi_download \ + "$WEBI_HOST/packages/setcap-netbind/setcap-netbind.sh" \ + ~/.local/bin/setcap-netbind + + # make executable + chmod a+x ~/.local/bin/setcap-netbind } + +__install_setcap_netbind diff --git a/setcap-netbind/setcap-netbind.sh b/setcap-netbind/setcap-netbind.sh index 08f1fea..97620b5 100644 --- a/setcap-netbind/setcap-netbind.sh +++ b/setcap-netbind/setcap-netbind.sh @@ -1,17 +1,26 @@ #!/bin/bash +set -e +set -u -{ - set -e - set -u +my_bin="${1}" +# ex: node +if [ -z "$(command -v "${my_bin}")" ]; then + echo "setcap-netbind: '${my_bin}' not found" + exit 1 +fi - my_bin="$1" - if [ -z "$(which $my_bin)" ]; then - echo "'$my_bin' not found" - exit 1 - fi - my_sudo="" - if [ -n "$(command -v sudo)" ]; then - my_sudo=sudo - fi - $my_sudo setcap 'cap_net_bind_service=+ep' $(readlink -f $(which $my_bin)) -} +my_sudo="" +if [ -n "$(command -v sudo)" ]; then + my_sudo=sudo +fi + +# get full path +# ex: ~/.local/opt/node/bin/node +my_bin="$(command -v "${my_bin}")" + +# get canonical full path +# ex: ~/.local/opt/node-v16.13.0/bin/node +my_bin="$(readlink -f "${my_bin}")" + +# ex: sudo setcap 'cap_net_bind_service=+ep' ~/.local/opt/node-v16.13.0/bin/node" +"${my_sudo}" setcap 'cap_net_bind_service=+ep' "${my_bin}" -- 2.25.1
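Review bot: The `rm -f ~/.local/bin/setcap-netbind` at the top of `__install_setcap_netbind` runs before `webi_download`, so under `set -e` a failed download leaves the user with no copy of the tool at all. Downloading to a temporary name beside the target (constructed example: `~/.local/bin/setcap-netbind.tmp`), running `chmod a+x` on it, and then `mv -f ~/.local/bin/setcap-netbind.tmp ~/.local/bin/setcap-netbind` would make the replacement atomic and the prior `rm -f` unnecessary; this assumes `webi_download` writes to the path it is given, which is not visible in this hunk. The change from `"$HOME/.local/bin/..."` to unquoted `~/.local/bin/...` is safe in bash since tilde-expansion results are not word-split, but the quoted `$HOME` form was the more defensive spelling. `function __install_setcap_netbind() {` mixes the `function` keyword with `()`; `__install_setcap_netbind() {` is the portable form.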
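Review bot: Quoting `"${my_sudo}"` on the last line breaks the no-sudo case that the `my_sudo=""` branch exists for: when `sudo` is absent (for example when already running as root) bash tries to execute an empty command name and exits with "command not found", whereas the old unquoted `$my_sudo` simply expanded to nothing. `${my_sudo:+"${my_sudo}"} setcap 'cap_net_bind_service=+ep' "${my_bin}"` keeps the quoting yet drops the word when it is empty; an explicit `if [ -n "${my_sudo}" ]` / `else` around two setcap invocations reads even more plainly. Under `set -u`, `my_bin="${1}"` with no argument dies with an unbound-variable message instead of usage text; `my_bin="${1:-}"` followed by a check that prints `Usage: setcap-netbind <command>` would be friendlier. Because `readlink -f` may resolve to a file shared by other commands (an interpreter or multi-call binary), printing the canonical path before calling setcap, e.g. `echo "setcap-netbind: granting cap_net_bind_service to ${my_bin}"`, lets the user see exactly which file gains the capability. The comment above the final line also carries a stray trailing `"`.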