FS#65927 - [v2ray] should run as nobody
Attached to Project:
Community Packages
Opened by Xinkai Chen (Xinkai) - Sunday, 22 March 2020, 07:41 GMT
Last edited by Toolybird (Toolybird) - Monday, 01 May 2023, 22:35 GMT
Opened by Xinkai Chen (Xinkai) - Sunday, 22 March 2020, 07:41 GMT
Last edited by Toolybird (Toolybird) - Monday, 01 May 2023, 22:35 GMT
|
Details
Description:
V2ray should not run as root. It should run as nobody with CAP_NET_BIND_SERVICE capability granted, just like how shadowsocks-libev is handled. This may be a breaking change for users who have previously used a certificate from a root-exclusive location. But I think overall dropping root when it's not necessary brings greater good. ============================ [Service] User=nobody CapabilityBoundingSet=CAP_NET_BIND_SERVICE |
This task depends upon
Closed by Toolybird (Toolybird)
Monday, 01 May 2023, 22:35 GMT
Reason for closing: Fixed
Additional comments about closing: Was fixed by upstream providing service files. But see also FS#71989
Monday, 01 May 2023, 22:35 GMT
Reason for closing: Fixed
Additional comments about closing: Was fixed by upstream providing service files. But see also
https://github.com/v2ray/v2ray-core/issues/1011
It appears `AmbientCapabilities=CAP_NET_BIND_SERVICE` is also needed.