Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#70620 - [sslh] CAP_NET_ADMIN capability missing
Attached to Project:
Community Packages
Opened by Mathieu Pasquet (mathieui) - Tuesday, 27 April 2021, 21:51 GMT
Last edited by Andreas Radke (AndyRTR) - Wednesday, 28 April 2021, 18:01 GMT
Details

Description:
The sslh package is shipped with a restricted set of privileges as part of the systemd service file, which is a good thing. However, the unit file limits the capabilities without allowing CAP_NET_ADMIN in AmbientCapabilities and CapabilityBoundingSet, which makes sslh crash when trying to use transparent mode (at least with sslh-fork). It fails with the following error:

common.c:799:cap_set_proc: Operation not permitted

Additional info:
* package version: 1.21c-1

Steps to reproduce:
* Put transparent: true in the config
* systemctl start sslh-fork
* The service crashes
This task depends upon
FS#41285

With a fake transparent setup, using CAP_NET_RAW removes the errors and is less permissive than CAP_NET_ADMIN.
Could you let me know if using CAP_NET_RAW works for you?
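
An added example, not part of the original report or the sslh package: a small Python check that reads unit text (for instance the output of `systemctl cat sslh-fork`, which includes drop-ins) and reports whether a capability such as CAP_NET_RAW or CAP_NET_ADMIN is allowed by CapabilityBoundingSet and AmbientCapabilities. The sample unit and drop-in are constructed for illustration, the function names are hypothetical, and lists prefixed with `~` are rejected rather than interpreted.

```python
DIRECTIVES = ("CapabilityBoundingSet", "AmbientCapabilities")

# Constructed sample input, not the packaged sslh unit file.
SAMPLE_UNIT = """\
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
AmbientCapabilities=CAP_NET_BIND_SERVICE
"""
# Constructed drop-in that adds the narrower capability from the comment.
SAMPLE_DROPIN = """\
[Service]
CapabilityBoundingSet=CAP_NET_RAW
AmbientCapabilities=CAP_NET_RAW
"""

def capability_sets(unit_text):
    """Return {directive: set of names, or None if never assigned}."""
    sets = {name: None for name in DIRECTIVES}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in sets:
            continue
        if value.startswith("~"):
            raise ValueError(f"inverted list not handled here: {line}")
        if not value:
            sets[key] = set()  # an empty assignment resets earlier lines
        else:
            sets[key] = (sets[key] or set()) | set(value.split())  # merged
    return sets

def grants(unit_text, capability):
    """Map each directive to True if it allows the capability."""
    sets = capability_sets(unit_text)
    bounding, ambient = (sets[name] for name in DIRECTIVES)
    return {
        # An unset bounding set does not restrict anything.
        "CapabilityBoundingSet": bounding is None or capability in bounding,
        # An unset ambient set grants nothing.
        "AmbientCapabilities": ambient is not None and capability in ambient,
    }

if __name__ == "__main__":
    for cap in ("CAP_NET_RAW", "CAP_NET_ADMIN"):
        print(cap, grants(SAMPLE_UNIT + SAMPLE_DROPIN, cap))
```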