FS#70444 - [bird] Doesn't have privileges to work
Attached to Project:
Arch Linux
Opened by Mantas Mikulėnas (grawity) - Wednesday, 14 April 2021, 18:03 GMT
Last edited by Sébastien Luttringer (seblu) - Thursday, 15 April 2021, 16:03 GMT
Details
testing/bird 2.0.8-2 switched bird.service to use a non-root
account, but didn't provide any means for the daemon to
actually gain the capabilities that it needs to work.
The `CapabilityBoundingSet=` option only *limits* available capabilities -- it does not *grant* any. bird.service should have `AmbientCapabilities=` to achieve the latter.

Additionally, the CAP_NET_BIND_SERVICE and CAP_NET_RAW capabilities are also required (the former for BGP listeners, the latter for OSPF raw sockets), they are *not* automatically implied by CAP_NET_ADMIN.

---
Apr 14 20:59:46 land bird[484821]: bfd1: Socket error: SO_PRIORITY: Operation not permitted
Apr 14 20:59:46 land bird[484821]: bfd1: Socket error: SO_PRIORITY: Operation not permitted
Apr 14 20:59:46 land bird[484821]: ospf6: Socket error: socket: Operation not permitted
Apr 14 20:59:46 land bird[484821]: ospf6: Cannot open virtual link socket
Apr 14 20:59:46 land bird[484821]: Started
Apr 14 20:59:46 land bird[484821]: int_star: Socket error: bind: Permission denied
Apr 14 20:59:46 land bird[484821]: int_star: Cannot open listening socket
Apr 14 20:59:46 land bird[484821]: Netlink: Operation not permitted
Apr 14 20:59:46 land bird[484821]: ospf6: Socket error: socket: Operation not permitted
[...]
Closed by Sébastien Luttringer (seblu)
Thursday, 15 April 2021, 16:03 GMT
Reason for closing: Fixed
Additional comments about closing: bird-2.0.8-3
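The limit-versus-grant distinction from the report, as an added example that is not part of the report or of the Arch package: a small checker that reads a unit's `[Service]` section and lists which of the three capabilities named above the process would lack. The unit fragments, the account name `bird` and the function names are assumptions made for illustration.

```python
# Added example: models how systemd combines CapabilityBoundingSet= and
# AmbientCapabilities= for a service. Simplified: "~" inverted lists and
# file capabilities on the binary are not handled.

# Capabilities the report names as required by bird.
REQUIRED = {"CAP_NET_ADMIN", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW"}

def parse_service(unit_text):
    """Collect User= and both capability lists from the [Service] section."""
    cfg = {"User": "", "CapabilityBoundingSet": None, "AmbientCapabilities": set()}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "User":
                cfg["User"] = value
            elif key in ("CapabilityBoundingSet", "AmbientCapabilities"):
                # Repeated assignments merge; an empty one resets the list.
                cfg[key] = (cfg[key] or set()) | set(value.split()) if value else set()
    return cfg

def missing_capabilities(unit_text, required=REQUIRED):
    """Return the required capabilities the service process would not hold."""
    cfg = parse_service(unit_text)
    bounding = cfg["CapabilityBoundingSet"]        # None means "not limited"
    if cfg["User"] in ("", "root", "0"):
        granted = set(required)                    # root starts with everything
    else:
        granted = set(cfg["AmbientCapabilities"])  # non-root starts with nothing
    if bounding is not None:
        granted &= bounding                        # the bounding set only removes
    return sorted(set(required) - granted)

# Constructed unit fragments; the account name "bird" is an assumption.
BEFORE = """
[Service]
User=bird
CapabilityBoundingSet=CAP_NET_ADMIN
"""
AFTER = BEFORE + "CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW\n" \
    "AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW\n"

if __name__ == "__main__":
    print("before:", missing_capabilities(BEFORE))
    print("after: ", missing_capabilities(AFTER))
```

On a live system, `systemctl show bird.service -p CapabilityBoundingSet -p AmbientCapabilities` prints the values systemd actually resolved for the unit.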