FS#70444 - [bird] Doesn't have privileges to work

Attached to Project: Arch Linux
Opened by Mantas Mikulėnas (grawity) - Wednesday, 14 April 2021, 18:03 GMT
Last edited by Sébastien Luttringer (seblu) - Thursday, 15 April 2021, 16:03 GMT
Task Type Bug Report
Category Packages: Testing
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

testing/bird 2.0.8-2 switched bird.service to use a non-root account, but didn't provide any means for the daemon to actually gain the capabilities that it needs to work.

The `CapabilityBoundingSet=` option only *limits* available capabilities -- it does not *grant* any.

bird.service should have `AmbientCapabilities=` to achieve the latter.

Additionally, the CAP_NET_BIND_SERVICE and CAP_NET_RAW capabilities are required (the former for BGP listeners, the latter for OSPF raw sockets); they are *not* automatically implied by CAP_NET_ADMIN.

---

Apr 14 20:59:46 land bird[484821]: bfd1: Socket error: SO_PRIORITY: Operation not permitted
Apr 14 20:59:46 land bird[484821]: bfd1: Socket error: SO_PRIORITY: Operation not permitted
Apr 14 20:59:46 land bird[484821]: ospf6: Socket error: socket: Operation not permitted
Apr 14 20:59:46 land bird[484821]: ospf6: Cannot open virtual link socket
Apr 14 20:59:46 land bird[484821]: Started
Apr 14 20:59:46 land bird[484821]: int_star: Socket error: bind: Permission denied
Apr 14 20:59:46 land bird[484821]: int_star: Cannot open listening socket
Apr 14 20:59:46 land bird[484821]: Netlink: Operation not permitted
Apr 14 20:59:46 land bird[484821]: ospf6: Socket error: socket: Operation not permitted
[...]
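The report's point is that `CapabilityBoundingSet=` only bounds the capability set, so a non-root service that needs CAP_NET_ADMIN, CAP_NET_BIND_SERVICE and CAP_NET_RAW must also receive them via `AmbientCapabilities=`. The following POSIX shell snippet, added here as an example and not code from the report or from the bird package, decodes the `CapAmb`/`CapEff` masks that `/proc/PID/status` exposes and lists which of those three capabilities a running daemon is missing; the capability bit numbers are the standard values from `linux/capability.h`, and the sample masks are constructed.

```shell
#!/bin/sh
# Capability bit numbers from linux/capability.h (standard kernel constants).
CAP_NET_BIND_SERVICE=10
CAP_NET_ADMIN=12
CAP_NET_RAW=13

# has_cap HEXMASK BIT: succeeds if BIT is set in the 64-bit hex mask
# (the format /proc/PID/status uses for CapBnd, CapAmb, CapEff).
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK: prints the required capabilities absent from the mask,
# space separated, or nothing when all three are present.
missing_caps() {
    missing=""
    for pair in "NET_BIND_SERVICE:$CAP_NET_BIND_SERVICE" \
                "NET_ADMIN:$CAP_NET_ADMIN" \
                "NET_RAW:$CAP_NET_RAW"; do
        name=${pair%%:*}
        bit=${pair##*:}
        has_cap "$1" "$bit" || missing="$missing CAP_$name"
    done
    printf '%s' "${missing# }"
}

# check_service_pid PID: reads the live masks of a process and reports gaps.
# An empty CapAmb with a populated CapBnd is exactly the symptom described
# in the report: the bounding set allows the capabilities, but nothing
# granted them, so the daemon's effective set stays empty.
check_service_pid() {
    bnd=$(awk '/^CapBnd:/ {print $2}' "/proc/$1/status")
    amb=$(awk '/^CapAmb:/ {print $2}' "/proc/$1/status")
    eff=$(awk '/^CapEff:/ {print $2}' "/proc/$1/status")
    echo "CapBnd=$bnd missing: [$(missing_caps "$bnd")]"
    echo "CapAmb=$amb missing: [$(missing_caps "$amb")]"
    echo "CapEff=$eff missing: [$(missing_caps "$eff")]"
}

# Constructed sample masks: bits 10, 12 and 13 set (0x3400) versus nothing set,
# mirroring a unit with CapabilityBoundingSet= but no AmbientCapabilities=.
SAMPLE_CAPBND=0000000000003400
SAMPLE_CAPAMB=0000000000000000
```

Run `check_service_pid "$(systemctl show -p MainPID --value bird.service)"` on a host to see the live masks; a fix along the lines the report proposes would add `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_RAW` to the unit so that CapAmb and CapEff match CapBnd.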
This task blocks these from closing
FS#64874 - [bird] run bird as a normal user
Closed by Sébastien Luttringer (seblu)
Thursday, 15 April 2021, 16:03 GMT
Reason for closing: Fixed
Additional comments about closing: bird-2.0.8-3