You are not logged in.

#1 2019-12-22 11:11:52

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

PKGBUILD review request for adguardhome

https://aur.archlinux.org/packages/adguardhome/

Initial question is whether or not /opt/adguardhome/ the right place for this.  I chose it based on the behavior of the compiled binary which creates its preference file under this rootdir as well as a data directory.  It might be possible to modify this behavior, but I haven't yet dug into the docs.

A second question is whether or not to make an unprivileged user rather than running as root.  There is mention in upstream docs about using setcap to achieve this, but when I tried their suggestion, on a test file, it did not work.

# touch foo
# setcap CAP_NET_BIND_SERVICE=+eip ./foo 
unable to set CAP_SETFCAP effective capability: Operation not permitted

CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#2 2019-12-22 13:12:31

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,868

Re: PKGBUILD review request for adguardhome

That setcap command does work here on an ext4 filesystem .

What filesystem / folder location are you running it on ?


Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.


(A works at time B)  && (time C > time B ) ≠  (A works at time C)

Offline

#3 2019-12-22 13:20:26

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: PKGBUILD review request for adguardhome

fakeroot does not support setcap so it would need to be executed in a .install file https://git.archlinux.org/svntogit/pack … es/iputils

Offline

#4 2019-12-22 13:52:27

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: PKGBUILD review request for adguardhome

@loqs - Nice find, thanks!

Does you guys agree with me regarding the creation of an unprivilliged user for this thing (assuming the setcap in readme.install works)?  I'm thinking to give it a homedir of /var/lib/adguardhome/ and due to the behavior of creating the config and data directory, placing the executable under that as well (ie abandoning the /opt/ choice).  Thoughts?


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#5 2019-12-22 16:10:42

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: PKGBUILD review request for adguardhome

loqs wrote:

fakeroot does not support setcap so it would need to be executed in a .install file https://git.archlinux.org/svntogit/pack … es/iputils

This has nothing to do with fakeroot. makepkg/pacman doesn't support tar'ing up and extracting setcap attributes.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)

Offline

#6 2019-12-22 16:17:40

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: PKGBUILD review request for adguardhome

eschwartz wrote:
loqs wrote:

fakeroot does not support setcap so it would need to be executed in a .install file https://git.archlinux.org/svntogit/pack … es/iputils

This has nothing to do with fakeroot. makepkg/pacman doesn't support tar'ing up and extracting setcap attributes.

Thank you for the correction.
Edit:
If the only intended use of the executable is through the service then what if you added to the service file:

CapabilityBoundingSet=CAP_NET_BIND_SERVICE

Last edited by loqs (2019-12-23 01:56:32)

Offline

#7 2020-05-18 16:44:17

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: PKGBUILD review request for adguardhome

@loqs - I didn't see that you replied until now (sorry for the delay).  I tried modifying the service to include your suggestion but systemd does not seem to behave with it.  The service fails and the log indicates a permission failure:

2020/05/18 12:37:49 [fatal] listen tcp 0.0.0.0:80: bind: permission denied

I am in over my head here, but when I look into /usr/lib/systemd/system/systemd-networkd.service I see several entries:

[Unit]
ConditionCapability=CAP_NET_ADMIN

[Service]
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW

Seems that both lines are needed.  I am unsure about security implications of both.  I will search man pages but wanted to ask here as well.

For reference:

[Unit]
Description=AdGuard Home: Network-level blocker
ConditionFileIsExecutable=/var/lib/adguardhome/AdGuardHome
After=syslog.target network-online.target

[Service]
User=adguardhome
Group=adguardhome
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

StartLimitInterval=5
StartLimitBurst=10
ExecStart=/var/lib/adguardhome/AdGuardHome "-s" "run"

WorkingDirectory=/var/lib/adguardhome
StandardOutput=file:/var/lib/adguardhome/AdGuardHome.out
StandardError=file:/var/lib/adguardhome/AdGuardHome.err
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

Last edited by graysky (2020-05-18 16:56:12)


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

#8 2020-05-18 22:13:03

loqs
Member
Registered: 2014-03-06
Posts: 17,192

Re: PKGBUILD review request for adguardhome

If you compile the following C test program run it as an unpriviledged user it should fail with:

./a.out: bind call failed: Permission denied

If you then grant it CAP_NET_BIND_SERVICE

setcap CAP_NET_BIND_SERVICE=+eip ./a.out

It should then exit without producing any output and a return code of 0.

#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <error.h>
#include <errno.h>

int main(void)
{
  int opt=1,fd;
  struct sockaddr_in address; 

  fd = socket(AF_INET, SOCK_STREAM, 0);
  if (fd == -1)
  {
    error(0,errno,"socket call failed");
    return -1;
  }

  /* allow address to be reused */
  if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR | SO_REUSEPORT, &opt,
    sizeof(opt)) == -1) 
  { 
    error(0,errno,"setsockopt call failed");
    close(fd);
    return -1;
  }

  address.sin_family = AF_INET; 
  address.sin_addr.s_addr = INADDR_ANY; 
  address.sin_port = htons( 80 );
  if (bind(fd, (struct sockaddr *)&address, sizeof(address)) == -1)
  {
    error(0,errno,"bind call failed");
    close(fd);
    return -1;
  }

  close(fd);
  return 0;
}

Edit:
It is hard coded to port 80 if that port is in use,  change it to any unused restricted port.

Last edited by loqs (2020-05-18 22:16:14)

Offline

#9 2020-05-19 12:34:39

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 10,595
Website

Re: PKGBUILD review request for adguardhome

Thanks loqs!


CPU-optimized Linux-ck packages @ Repo-ck  • AUR packagesZsh and other configs

Offline

Board footer

Powered by FluxBB