FS#65921 - [dnscrypt-proxy] PrivateUsers=true breaks CAP_NET_BIND_SERVICE
Attached to Project:
Community Packages
Opened by Oleksandr Natalenko (post-factum) - Saturday, 21 March 2020, 16:07 GMT
Last edited by David Runge (dvzrv) - Saturday, 21 March 2020, 16:43 GMT
Opened by Oleksandr Natalenko (post-factum) - Saturday, 21 March 2020, 16:07 GMT
Last edited by David Runge (dvzrv) - Saturday, 21 March 2020, 16:43 GMT
|
Details
Description:
With the latest update and having PrivateUsers=true set the CAP_NET_BIND_SERVICE capability is not effective anymore. As per the manual: If this mode is enabled, all unit processes are run without privileges in the host user namespace (regardless if the unit's own user/group is "root" or not). Specifically this means that the process will have zero process capabilities on the host's user namespace, but full capabilities within the service's user namespace. Settings such as CapabilityBoundingSet= will affect only the latter, and there's no way to acquire additional capabilities in the host's user namespace. In order to bind to ports <1024, dnscrypt-proxy needs CAP_NET_BIND_SERVICE, which it seems is not achievable with PrivateUsers=true. Thus, it seems, PrivateUsers must be set to false. Additional info: * package version(s) dnscrypt-proxy 2.0.40-1 * config and/or log files etc. [FATAL] listen udp 127.0.0.1:53: bind: permission denied * link to upstream bug report, if any N/A Steps to reproduce: Start dnscrypt-proxy with default port in the options. |
This task depends upon
Closed by David Runge (dvzrv)
Saturday, 21 March 2020, 16:43 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with dnscrypt-proxy 2.0.40-2
Saturday, 21 March 2020, 16:43 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed with dnscrypt-proxy 2.0.40-2