I am planning to create an AUR package that binds on port 53. As you know, only the root user can bind on ports 0-1024.
It's https://github.com/0xERR0R/blocky (I would call it "blocky-bin" because it's for binaries only).
Should I use the root user for starting "blocky.service", or should I use a regular user, but then how do I bind on port 53? Please advise what would be the best approach here.
SOLVED: See https://bbs.archlinux.org/viewtopic.php … 4#p1951754.
Last edited by definitellynotspammer (2021-01-23 23:26:50)
You should probably run it as a dedicated user and set the minimum capabilities, like CAP_NET_BIND_SERVICE.
Or patch it to accept sockets from systemd: https://www.freedesktop.org/software/sy … n_fds.html
(I would call it "blocky-bin" because it's for binaries only).
If you use the precompiled binaries, then it would be "blocky-bin". If you use the source code from a release and compile it in the PKGBUILD, then it is "blocky". If you use the newest source code directly from the git repository, then it is "blocky-git".
Last edited by progandy (2021-01-23 21:51:16)
Classical daemons would drop privileges after startup operations such as opening ports etc. and switch to a separate unprivileged user.
If blocky supported systemd.socket, that would achieve restricted port binding without root.
Another possibility is to use a non-root user and add CAP_NET_BIND_SERVICE to the CapabilityBoundingSet.
More capabilities may be needed depending on exactly what socket options blocky uses or anything else restricted to root. See man 7 capabilities for details on CAP_NET_BIND_SERVICE and man 5 systemd.exec for CapabilityBoundingSet.
Edit:
beaten by progandy.
Last edited by loqs (2021-01-23 21:52:12)
Thanks everyone. Adding "AmbientCapabilities=CAP_NET_BIND_SERVICE" was enough!
This is how it looks in the service file: https://aur.archlinux.org/cgit/aur.git/ … cky-bin#n9
Marking as solved.
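For reference, here is a complete unit file putting the thread's advice together: a dedicated unprivileged user, only the one capability needed to bind port 53, and the rest of the bounding set dropped. This is an added example, not the AUR package's actual blocky.service; the user name "blocky", the binary path and the config path are assumptions.

```ini
[Unit]
Description=blocky DNS proxy (example unit, not the AUR package's own)
After=network-online.target
Wants=network-online.target

[Service]
# Dedicated unprivileged account (assumed name; create it via sysusers.d or useradd -r)
User=blocky
Group=blocky
# Assumed install path and config location
ExecStart=/usr/bin/blocky --config /etc/blocky/config.yml

# AmbientCapabilities is what actually grants the capability to the non-root process;
# CapabilityBoundingSet alone only limits what the process may ever hold.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Prevent the service from regaining privileges via setuid binaries or file capabilities
NoNewPrivileges=true

# Additional sandboxing, unrelated to port binding but cheap to add for a network daemon
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
Restart=on-failure

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemctl show blocky.service -p AmbientCapabilities -p CapabilityBoundingSet` confirms that only cap_net_bind_service is granted; if blocky later needs another root-restricted socket option, add that capability to both lines rather than falling back to User=root.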