FS#65921 - [dnscrypt-proxy] PrivateUsers=true breaks CAP_NET_BIND_SERVICE

Attached to Project: Community Packages
Opened by Oleksandr Natalenko (post-factum) - Saturday, 21 March 2020, 16:07 GMT
Last edited by David Runge (dvzrv) - Saturday, 21 March 2020, 16:43 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To David Runge (dvzrv)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:

With the latest update and having PrivateUsers=true set the CAP_NET_BIND_SERVICE capability is not effective anymore.

As per the manual:

If this mode is enabled, all unit processes are run without privileges in the host user namespace (regardless if the unit's own user/group is "root" or not). Specifically this means that the process will have zero process capabilities on the host's user namespace, but full capabilities within the service's user namespace. Settings such as CapabilityBoundingSet= will affect only the latter, and there's no way to acquire additional capabilities in the host's user namespace.

In order to bind to ports <1024, dnscrypt-proxy needs CAP_NET_BIND_SERVICE, which it seems is not achievable with PrivateUsers=true. Thus, it seems, PrivateUsers must be set to false.

Additional info:

* package version(s)

dnscrypt-proxy 2.0.40-1

* config and/or log files etc.

[FATAL] listen udp 127.0.0.1:53: bind: permission denied

* link to upstream bug report, if any

N/A

Steps to reproduce:

Start dnscrypt-proxy with default port in the options.
This task depends upon

Closed by  David Runge (dvzrv)
Saturday, 21 March 2020, 16:43 GMT
Reason for closing:  Fixed
Additional comments about closing:  Fixed with dnscrypt-proxy 2.0.40-2

Loading...