You are not logged in.
https://aur.archlinux.org/packages/adguardhome/
Initial question is whether or not /opt/adguardhome/ the right place for this. I chose it based on the behavior of the compiled binary which creates its preference file under this rootdir as well as a data directory. It might be possible to modify this behavior, but I haven't yet dug into the docs.
A second question is whether or not to make an unprivileged user rather than running as root. There is mention in upstream docs about using setcap to achieve this, but when I tried their suggestion, on a test file, it did not work.
# touch foo
# setcap CAP_NET_BIND_SERVICE=+eip ./foo
unable to set CAP_SETFCAP effective capability: Operation not permitted
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
That setcap command does work here on an ext4 filesystem .
What filesystem / folder location are you running it on ?
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
(A works at time B) && (time C > time B ) ≠ (A works at time C)
Online
fakeroot does not support setcap so it would need to be executed in a .install file https://git.archlinux.org/svntogit/pack … es/iputils
Offline
@loqs - Nice find, thanks!
Does you guys agree with me regarding the creation of an unprivilliged user for this thing (assuming the setcap in readme.install works)? I'm thinking to give it a homedir of /var/lib/adguardhome/ and due to the behavior of creating the config and data directory, placing the executable under that as well (ie abandoning the /opt/ choice). Thoughts?
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
fakeroot does not support setcap so it would need to be executed in a .install file https://git.archlinux.org/svntogit/pack … es/iputils
This has nothing to do with fakeroot. makepkg/pacman doesn't support tar'ing up and extracting setcap attributes.
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
Offline
loqs wrote:fakeroot does not support setcap so it would need to be executed in a .install file https://git.archlinux.org/svntogit/pack … es/iputils
This has nothing to do with fakeroot. makepkg/pacman doesn't support tar'ing up and extracting setcap attributes.
Thank you for the correction.
Edit:
If the only intended use of the executable is through the service then what if you added to the service file:
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
Last edited by loqs (2019-12-23 01:56:32)
Offline
@loqs - I didn't see that you replied until now (sorry for the delay). I tried modifying the service to include your suggestion but systemd does not seem to behave with it. The service fails and the log indicates a permission failure:
2020/05/18 12:37:49 [fatal] listen tcp 0.0.0.0:80: bind: permission denied
I am in over my head here, but when I look into /usr/lib/systemd/system/systemd-networkd.service I see several entries:
[Unit]
ConditionCapability=CAP_NET_ADMIN
[Service]
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
Seems that both lines are needed. I am unsure about security implications of both. I will search man pages but wanted to ask here as well.
For reference:
[Unit]
Description=AdGuard Home: Network-level blocker
ConditionFileIsExecutable=/var/lib/adguardhome/AdGuardHome
After=syslog.target network-online.target
[Service]
User=adguardhome
Group=adguardhome
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/var/lib/adguardhome/AdGuardHome "-s" "run"
WorkingDirectory=/var/lib/adguardhome
StandardOutput=file:/var/lib/adguardhome/AdGuardHome.out
StandardError=file:/var/lib/adguardhome/AdGuardHome.err
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
Last edited by graysky (2020-05-18 16:56:12)
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline
If you compile the following C test program run it as an unpriviledged user it should fail with:
./a.out: bind call failed: Permission denied
If you then grant it CAP_NET_BIND_SERVICE
setcap CAP_NET_BIND_SERVICE=+eip ./a.out
It should then exit without producing any output and a return code of 0.
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <error.h>
#include <errno.h>
int main(void)
{
int opt=1,fd;
struct sockaddr_in address;
fd = socket(AF_INET, SOCK_STREAM, 0);
if (fd == -1)
{
error(0,errno,"socket call failed");
return -1;
}
/* allow address to be reused */
if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR | SO_REUSEPORT, &opt,
sizeof(opt)) == -1)
{
error(0,errno,"setsockopt call failed");
close(fd);
return -1;
}
address.sin_family = AF_INET;
address.sin_addr.s_addr = INADDR_ANY;
address.sin_port = htons( 80 );
if (bind(fd, (struct sockaddr *)&address, sizeof(address)) == -1)
{
error(0,errno,"bind call failed");
close(fd);
return -1;
}
close(fd);
return 0;
}
Edit:
It is hard coded to port 80 if that port is in use, change it to any unused restricted port.
Last edited by loqs (2020-05-18 22:16:14)
Offline
Thanks loqs!
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Offline