FS#70620 - [sslh] CAP_NET_ADMIN capability missing

Attached to Project: Community Packages
Opened by Mathieu Pasquet (mathieui) - Tuesday, 27 April 2021, 21:51 GMT
Last edited by Andreas Radke (AndyRTR) - Wednesday, 28 April 2021, 18:01 GMT
Task Type: Bug Report
Category: Packages
Status: Assigned
Assigned To: Sébastien Luttringer (seblu)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

The sslh package is shipped with a restricted set of privileges as part of the systemd service file, which is a good thing.
However, the unit file limits the capabilities without allowing CAP_NET_ADMIN in AmbientCapabilities and CapabilityBoundSet, which makes sslh crash when trying to use transparent mode (at least with sslh-fork).

It fails with the following error: common.c:799:cap_set_proc: Operation not permitted

Additional info:
* package version: 1.21c-1

Steps to reproduce:

* Put transparent: true in the config
* systemctl start sslh-fork
* the service crashes

Comment by Sébastien Luttringer (seblu) - Thursday, 01 July 2021, 01:06 GMT
This is related to FS#41285.

With a fake transparent setup, using CAP_NET_RAW removes the errors and is less permissive than CAP_NET_ADMIN.
Could you let me know if using CAP_NET_RAW works for you?

Comment by Jan Hoffmann (janh) - Sunday, 14 November 2021, 19:07 GMT
I am not the original reporter, but adding CAP_NET_RAW to AmbientCapabilities and CapabilityBoundSet works for me.
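The fix the two comments converge on, written out as a systemd drop-in (an added example, not part of the Arch package or this report; the unit name sslh-fork comes from the report, the drop-in path and file name are assumed). The page's "CapabilityBoundSet" refers to the systemd directive CapabilityBoundingSet=.

```ini
# /etc/systemd/system/sslh-fork.service.d/capabilities.conf
# (assumed path and file name; the unit name sslh-fork comes from the report)
#
# Drop-in override for the packaged sslh-fork unit. Both directives below are
# list settings that systemd OR-merges with the values already present in the
# packaged unit, so this grants CAP_NET_RAW without copying the whole unit
# into /etc. An empty assignment (e.g. "AmbientCapabilities=") would instead
# reset the list, which is not what we want here.
[Service]
# Capability the service is allowed to hold at all. CAP_NET_RAW is enough for
# the transparent-proxy setup discussed above and is narrower than CAP_NET_ADMIN.
CapabilityBoundingSet=CAP_NET_RAW
# Capability actually handed to the sslh process, so that the cap_set_proc()
# call in common.c no longer fails with "Operation not permitted" once
# "transparent: true" is set in the config.
AmbientCapabilities=CAP_NET_RAW

# After writing the file:
#   systemctl daemon-reload
#   systemctl restart sslh-fork.service
# Confirm the effective sets (CAP_NET_RAW present, CAP_NET_ADMIN still absent):
#   systemctl show sslh-fork.service -p CapabilityBoundingSet -p AmbientCapabilities
```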