
#1 2019-12-22 11:11:52

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 9,903

PKGBUILD review request for adguardhome

https://aur.archlinux.org/packages/adguardhome/

Initial question is whether or not /opt/adguardhome/ is the right place for this.  I chose it based on the behavior of the compiled binary which creates its preference file under this rootdir as well as a data directory.  It might be possible to modify this behavior, but I haven't yet dug into the docs.

A second question is whether or not to make an unprivileged user rather than running as root.  There is mention in upstream docs about using setcap to achieve this, but when I tried their suggestion, on a test file, it did not work.

# touch foo
# setcap CAP_NET_BIND_SERVICE=+eip ./foo 
unable to set CAP_SETFCAP effective capability: Operation not permitted

CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs

#2 2019-12-22 13:12:31

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 7,640

Re: PKGBUILD review request for adguardhome

That setcap command does work here on an ext4 filesystem.

What filesystem / folder location are you running it on?


Multi-init booting with apg Openrc and systemd coexisting
Automounting : not needed, i prefer pmount
Aur helpers : makepkg + my own local repo === rarely need them


#3 2019-12-22 13:20:26

loqs
Member
Registered: 2014-03-06
Posts: 9,607

Re: PKGBUILD review request for adguardhome

fakeroot does not support setcap so it would need to be executed in a .install file https://git.archlinux.org/svntogit/pack … es/iputils


#4 2019-12-22 13:52:27

graysky
Wiki Maintainer
From: :wq
Registered: 2008-12-01
Posts: 9,903

Re: PKGBUILD review request for adguardhome

@loqs - Nice find, thanks!

Do you guys agree with me regarding the creation of an unprivileged user for this thing (assuming the setcap in readme.install works)?  I'm thinking to give it a homedir of /var/lib/adguardhome/ and due to the behavior of creating the config and data directory, placing the executable under that as well (i.e. abandoning the /opt/ choice).  Thoughts?


CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs

#5 2019-12-22 16:10:42

eschwartz
Trusted User/Bug Wrangler
Registered: 2014-08-08
Posts: 2,970

Re: PKGBUILD review request for adguardhome

loqs wrote:

fakeroot does not support setcap so it would need to be executed in a .install file https://git.archlinux.org/svntogit/pack … es/iputils

This has nothing to do with fakeroot. makepkg/pacman doesn't support tar'ing up and extracting setcap attributes.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#6 2019-12-22 16:17:40

loqs
Member
Registered: 2014-03-06
Posts: 9,607

Re: PKGBUILD review request for adguardhome

eschwartz wrote:
loqs wrote:

fakeroot does not support setcap so it would need to be executed in a .install file https://git.archlinux.org/svntogit/pack … es/iputils

This has nothing to do with fakeroot. makepkg/pacman doesn't support tar'ing up and extracting setcap attributes.

Thank you for the correction.
Edit:
If the only intended use of the executable is through the service then what if you added to the service file:

CapabilityBoundingSet=CAP_NET_BIND_SERVICE

Last edited by loqs (2019-12-23 01:56:32)
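
The service-file route discussed above, combined with the unprivileged user proposed in #4, written out as an added example (not from any poster in this thread and not the AUR package's actual unit). The user/group name adguardhome and the binary name AdGuardHome are assumptions; /var/lib/adguardhome/ is the directory proposed in #4.

```ini
# adguardhome.service (illustrative sketch, names are assumptions)
[Unit]
Description=AdGuard Home
After=network.target

[Service]
# Assumed dedicated system account; it has to exist before the unit
# starts (e.g. created by the package via sysusers.d).
User=adguardhome
Group=adguardhome

# The binary writes its config and data directory next to itself, so
# run it from the directory proposed in #4.
WorkingDirectory=/var/lib/adguardhome
ExecStart=/var/lib/adguardhome/AdGuardHome

# CapabilityBoundingSet= only limits which capabilities the process
# can ever hold. With a non-root User= and no file capabilities set by
# setcap, the process starts with none, so the bounding set alone does
# not let it bind to port 53.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# AmbientCapabilities= is what actually hands the capability to the
# non-root process across execve(), without setcap on the binary.
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Keep the process and its children from gaining anything further
# through setuid binaries or file capabilities.
NoNewPrivileges=yes

# Variant without User=/Group=: the service runs as root, and the
# CapabilityBoundingSet= line above then strips root down to
# CAP_NET_BIND_SERVICE only. AmbientCapabilities= is not needed in
# that case.

[Install]
WantedBy=multi-user.target
```

With this approach no setcap call in a .install file is needed, but the capability applies only when the binary is started through the unit, not when it is run by hand.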
