FS#70620 - [sslh] CAP_NET_ADMIN capability missing
Attached to Project:
Community Packages
Opened by Mathieu Pasquet (mathieui) - Tuesday, 27 April 2021, 21:51 GMT
Last edited by Sébastien Luttringer (seblu) - Sunday, 04 September 2022, 14:51 GMT
Details
Description:
The sslh package is shipped with a restricted set of privileges as part of the systemd service file, which is a good thing. However, the unit file limits the capabilities without allowing CAP_NET_ADMIN in AmbientCapabilities and CapabilityBoundSet, which makes sslh crash when trying to use transparent mode (at least with sslh-fork). It fails with the following error:

common.c:799:cap_set_proc: Operation not permitted

Additional info:
* package version: 1.21c-1

Steps to reproduce:
* Put transparent: true in the config
* systemctl start sslh-fork
* service crash
This task depends upon
Closed by Sébastien Luttringer (seblu)
Sunday, 04 September 2022, 14:51 GMT
Reason for closing: Fixed
Additional comments about closing: sslh 1.22.c-2
FS#41285. With a fake transparent setup, using CAP_NET_RAW removes the errors and is less permissive than CAP_NET_ADMIN.
Could you let me know if using CAP_NET_RAW works for you?
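As an added check (not code from this report or from the sslh package), the script below reads a unit's [Service] text and reports whether a capability is listed in both AmbientCapabilities= and CapabilityBoundingSet=, the gap the description above points at; it tests for CAP_NET_RAW, the less permissive capability the maintainer suggests. The two unit texts are constructed for illustration and are not Arch's real sslh-fork.service; the inverted `~` form of CapabilityBoundingSet= is not modelled.

```shell
#!/bin/sh
# Constructed sample units (not the packaged sslh-fork.service):
# one that only allows binding low ports, one that also allows CAP_NET_RAW.
SAMPLE_UNIT_RESTRICTED='[Service]
ExecStart=/usr/bin/sslh-fork -F /etc/sslh.cfg
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
'
SAMPLE_UNIT_FIXED='[Service]
ExecStart=/usr/bin/sslh-fork -F /etc/sslh.cfg
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
'

# unit_directive UNIT_TEXT DIRECTIVE: print the merged value of a directive.
# Repeated assignments accumulate; an empty assignment resets the list,
# mirroring how systemd treats "Directive=" with no value.
unit_directive() {
    printf '%s\n' "$1" | awk -F= -v d="$2" '
        $1 == d { if ($2 == "") acc = ""; else acc = acc " " $2 }
        END { sub(/^ +/, "", acc); print acc }'
}

# has_cap UNIT_TEXT DIRECTIVE CAP: succeed if CAP appears in DIRECTIVE.
has_cap() {
    for c in $(unit_directive "$1" "$2"); do
        [ "$c" = "$3" ] && return 0
    done
    return 1
}

# cap_granted UNIT_TEXT CAP: "granted" only when CAP is in both sets.
# An ambient capability that is not in the bounding set, or vice versa,
# is reported separately because either gap makes cap_set_proc() fail.
cap_granted() {
    b=1; a=1
    has_cap "$1" CapabilityBoundingSet "$2" && b=0
    has_cap "$1" AmbientCapabilities "$2" && a=0
    if [ $b -eq 0 ] && [ $a -eq 0 ]; then echo granted
    elif [ $b -eq 0 ]; then echo bounding-only
    elif [ $a -eq 0 ]; then echo ambient-only
    else echo missing; fi
}

# Stand-alone run: compare both sample units for the capability sslh needs.
for cap in CAP_NET_RAW CAP_NET_BIND_SERVICE; do
    echo "restricted $cap: $(cap_granted "$SAMPLE_UNIT_RESTRICTED" "$cap")"
    echo "fixed      $cap: $(cap_granted "$SAMPLE_UNIT_FIXED" "$cap")"
done
```

On a live system, `systemctl show sslh-fork.service -p AmbientCapabilities -p CapabilityBoundingSet` prints the effective values to compare against, and `systemctl edit sslh-fork.service` is the place to add a drop-in rather than editing the packaged unit.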