FS#70620 - [sslh] CAP_NET_ADMIN capability missing

Attached to Project: Community Packages
Opened by Mathieu Pasquet (mathieui) - Tuesday, 27 April 2021, 21:51 GMT
Last edited by Sébastien Luttringer (seblu) - Sunday, 04 September 2022, 14:51 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

The sslh package is shipped with a restricted set of privileges as part of the systemd service file, which is a good thing.
However, the unit file limits the capabilities without allowing CAP_NET_ADMIN in AmbientCapabilities and CapabilityBoundSet, which makes sslh crash when trying to use transparent mode (at least with sslh-fork).

It fails with the following error: common.c:799:cap_set_proc: Operation not permitted

Additional info:
* package version: 1.21c-1


Steps to reproduce:

* Put transparent: true in the config
* systemctl start sslh-fork
* service crash
This task depends upon

Closed by  Sébastien Luttringer (seblu)
Sunday, 04 September 2022, 14:51 GMT
Reason for closing:  Fixed
Additional comments about closing:  sslh 1.22.c-2
Comment by Sébastien Luttringer (seblu) - Thursday, 01 July 2021, 01:06 GMT
This is related to  FS#41285 .

With a fake transparent setup, using CAP_NET_RAW remove the errors and is less permissive than CAP_NET_ADMIN.
Could you let me known if using CAP_NET_RAW works for you?
Comment by Jan Hoffmann (janh) - Sunday, 14 November 2021, 19:07 GMT
I am not the original reporter, but adding CAP_NET_RAW to AmbientCapabilities and CapabilityBoundSet works for me.

Loading...