#1 2021-05-19 06:03:57

danisanti
Member
Registered: 2020-06-06
Posts: 18
Website

Icecast on port 80

I want to have my Icecast server on port 80.
I want to do this while maintaining as much security as I possibly can.
Besides changing /etc/icecast.xml to listen on port 80 and changing the owner of /etc/icecast.xml to the icecast local system user, I am having trouble configuring /etc/systemd/system/icecast.service.

Right now this file is as follows:

[Unit]
Description=Icecast Network Audio Streaming Server
After=network.target

[Service]
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_KILL CAP_SYS_BOOT CAP_LINUX_IMMUTABLE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM CAP_SYS_NICE CAP_SYS_RESOURCE CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
ExecStart=/usr/bin/icecast -c /etc/icecast.xml
ExecReload=/usr/bin/kill -HUP $MAINPID
Group=icecast
IPAccounting=yes
LogsDirectory=icecast
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
PrivateUsers=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
ReadOnlyPaths=/etc/icecast.xml
RemoveIPC=true
RestrictAddressFamilies=~AF_AX25 AF_IPX AF_APPLETALK AF_X25 AF_DECnet AF_KEY AF_NETLINK AF_PACKET AF_RDS AF_PPPOX AF_LLC AF_IB AF_MPLS AF_CAN AF_TIPC AF_BLUETOOTH AF_ALG AF_VSOCK AF_KCM AF_XDP AF_UNIX
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
RuntimeDirectory=icecast
StateDirectory=icecast
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
Type=exec
UMask=177
User=icecast

[Install]
WantedBy=multi-user.target

How should this file become in order to achieve a root running icecast, with maximum security?

Last edited by danisanti (2021-05-19 06:06:07)


#2 2021-05-19 06:08:50

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: Icecast on port 80

danisanti wrote:

How should this file become in order to achieve a root running icecast, with maximum security?

Icecast runs as its own user, why do you want to run it as root?

danisanti wrote:
User=icecast

Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#4 2021-05-19 07:45:34

danisanti
Member
Registered: 2020-06-06
Posts: 18
Website

Re: Icecast on port 80

jasonwryan wrote:
danisanti wrote:

How should this file become in order to achieve a root running icecast, with maximum security?

Icecast runs as its own user, why do you want to run it as root?

danisanti wrote:
User=icecast

Because I want to run icecast server on port 80.
I know now that there is no need to run as root, to run icecast on port 80.

So, I would like to know which systemd file settings I should use in order to be able to run icecast on port 80?


#5 2021-05-19 07:49:40

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,426
Website

Re: Icecast on port 80

The ones in the link seth provided...


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#6 2021-05-19 08:17:05

danisanti
Member
Registered: 2020-06-06
Posts: 18
Website

Re: Icecast on port 80

Thank you

Offline
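
Added example, not part of the thread and not code from the Icecast or systemd projects: a Python check for the three settings in the unit from post #1 that stop a service running as User=icecast from binding port 80. The `ADJUSTED` unit is an assumed correction (it is not the content of the link mentioned in post #5), and the function names are hypothetical.

```python
import re

CAP = "CAP_NET_BIND_SERVICE"

# Constructed excerpt of the unit from post #1 (capability list shortened).
POSTED = """\
[Service]
CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_NET_BIND_SERVICE CAP_NET_RAW
NoNewPrivileges=true
PrivateUsers=true
User=icecast
"""

# Assumed adjustment, not taken from the thread: keep the dedicated user,
# grant only the bind capability, and stay in the host user namespace.
ADJUSTED = """\
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateUsers=false
User=icecast
"""

def directives(unit_text):
    """Collect Key=Value lines of a unit file; repeated keys keep every value."""
    found = {}
    for line in unit_text.splitlines():
        m = re.match(r"\s*([A-Za-z]+)\s*=\s*(.*)", line)
        if m:
            found.setdefault(m.group(1), []).append(m.group(2).strip())
    return found

def low_port_blockers(unit_text):
    """Return the reasons a non-root service cannot bind a port below 1024."""
    d, reasons = directives(unit_text), []
    user = (d.get("User") or ["root"])[-1]
    ambient = " ".join(d.get("AmbientCapabilities", [])).split()
    if user not in ("root", "0") and CAP not in ambient:
        reasons.append(f"User={user} without AmbientCapabilities={CAP}")
    # Simplification: each CapabilityBoundingSet= line is judged on its own.
    for value in d.get("CapabilityBoundingSet", []):
        caps = value.lstrip("~").split()
        if caps and (CAP in caps) == value.startswith("~"):
            reasons.append(f"CapabilityBoundingSet drops {CAP}")
    if (d.get("PrivateUsers") or ["no"])[-1].lower() in ("true", "yes", "1", "on"):
        reasons.append("PrivateUsers=true: no capabilities in the host user namespace")
    return reasons
```

On a live system, `systemctl show icecast.service -p CapabilityBoundingSet -p AmbientCapabilities` prints the sets systemd actually applied, which is the authoritative check after editing the unit.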
