Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#76215 - [kea] Add capabilities to allow running as non-root
Attached to Project: Community Packages
Opened by - (matoro) - Saturday, 15 October 2022, 17:33 GMT
Last edited by Toolybird (Toolybird) - Saturday, 15 October 2022, 20:38 GMT
Details
Description: The kea documentation suggests using the following capabilities on the /usr/bin/kea-dhcp{4,6} binaries in order to allow them to run without root privileges:

    setcap 'cap_net_bind_service,cap_net_raw=+ep' /opt/kea/sbin/kea-dhcp4
    setcap 'cap_net_bind_service=+ep' /opt/kea/sbin/kea-dhcp6

I'm currently accomplishing this with the following pacman hook:

    [Trigger]
    Operation = Install
    Operation = Upgrade
    Type = Package
    Target = kea

    [Action]
    Description = Grant capabilities
    Depends = libcap
    When = PostTransaction
    Exec = /usr/bin/env bash -c "/usr/bin/setcap 'cap_net_bind_service,cap_net_raw=+ep' /usr/bin/kea-dhcp4 && /usr/bin/setcap 'cap_net_bind_service=+ep' /usr/bin/kea-dhcp6"

Would appreciate if this were added to the official package in order to help increase security by reducing the number of daemons running as root which don't need to be!
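A check that could accompany the hook described above, as an added example that is not part of the original report or the Arch package: it parses `getcap` output in both the newer (`path names=flags`) and older (`path = names+flags`) libcap layouts and confirms each binary carries exactly the expected set, since a replaced binary loses its file capabilities until the hook runs again. The function names and the `--audit` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Expected capability sets are the ones the hook above grants.

# Print "sorted,cap,names flags" for one line of getcap output.
# Handles "path names=flags" (newer libcap) and "path = names+flags" (older).
parse_getcap_line() {
    clause=${1##* }                 # last field holds names and flags
    case $clause in
        *[+=]*) ;;
        *) return 1 ;;              # empty line: the file carries no capabilities
    esac
    names=${clause%%[+=]*}
    flags=${clause##*[+=]}
    sorted=$(printf '%s\n' "$names" | tr ',' '\n' | sort | paste -sd, -)
    printf '%s %s\n' "$sorted" "$flags"
}

# Succeed only if the line shows exactly the expected names with flags "ep".
check_caps() {
    got=$(parse_getcap_line "$1") || return 1
    want=$(printf '%s\n' "$2" | tr ',' '\n' | sort | paste -sd, -)
    [ "$got" = "$want ep" ]
}

# Run the check against the installed binaries (paths from the hook above).
audit_kea() {
    rc=0
    for spec in \
        "/usr/bin/kea-dhcp4:cap_net_bind_service,cap_net_raw" \
        "/usr/bin/kea-dhcp6:cap_net_bind_service"
    do
        path=${spec%%:*}
        expected=${spec#*:}
        if check_caps "$(getcap "$path" 2>/dev/null)" "$expected"; then
            echo "ok   $path"
        else
            echo "FAIL $path (expected exactly $expected with flags ep)"
            rc=1
        fi
    done
    return "$rc"
}

# "--audit" is a switch made up for this example.
if [ "${1:-}" = "--audit" ]; then
    audit_kea
fi
```
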
LogsDirectory and LogsDirectoryMode were not added, as Arch with the default config logs to /var/log.
Edit:
@matoro are the changes apart from file capabilities similar to what you are using?
[1] https://sources.debian.org/src/isc-kea/2.2.0-1/
I have tested kea-dhcp4.service, kea-dhcp6.service and kea-dhcp-ddns.service with a custom low port. All access restricted ports, and for kea-dhcp4 and kea-dhcp6 raw ports, without issue.
What are your thoughts on other hardening options?
I would also wait for feedback from matoro.
[1] https://kea.readthedocs.io/en/kea-2.2.0/arm/logging.html#logging-during-startup