From 7fc5cb80d67ce82315b6e6aee657d8efd16dd781 Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Sat, 26 Feb 2022 10:10:51 +0100
Subject: [PATCH] deb/rpm packages: attempt to set the `cap_net_bind_service`
 capability

so the service can bind to privileged ports without running as root user

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
---
 docs/full-configuration.md      | 2 ++
 pkgs/build.sh                   | 2 +-
 pkgs/debian/postinst            | 2 ++
 pkgs/scripts/deb/postinstall.sh | 3 +++
 pkgs/scripts/rpm/postinstall    | 3 +++
 5 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/docs/full-configuration.md b/docs/full-configuration.md
index d266988e..f6e6e4a9 100644
--- a/docs/full-configuration.md
+++ b/docs/full-configuration.md
@@ -398,6 +398,8 @@ $ getcap /usr/bin/sftpgo
 
 Now you can use privileged ports such as 21, 22, 443 etc.. without running the SFTPGo service as root user. You have to set the `cap_net_bind_service` capability each time you update the `sftpgo` binary.
 
+The "official" deb/rpm packages attempt to set the `cap_net_bind_service` capability in their `postinstall` scripts.
+
 An alternative method is to use `iptables`, for example you run the SFTP service on port `2022` and redirect traffic from port `22` to port `2022`:
 
 ```shell
diff --git a/pkgs/build.sh b/pkgs/build.sh
index 06dcb618..135e879a 100755
--- a/pkgs/build.sh
+++ b/pkgs/build.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-NFPM_VERSION=2.13.0
+NFPM_VERSION=2.14.0
 NFPM_ARCH=${NFPM_ARCH:-amd64}
 if [ -z ${SFTPGO_VERSION} ]
 then
diff --git a/pkgs/debian/postinst b/pkgs/debian/postinst
index 84f16902..8c68cc23 100644
--- a/pkgs/debian/postinst
+++ b/pkgs/debian/postinst
@@ -35,6 +35,8 @@ if [ "$1" = "configure" ]; then
     chmod 750 /srv/sftpgo
   fi
 
+  # set the cap_net_bind_service capability so the service can bind to privileged ports
+  setcap cap_net_bind_service=+ep /usr/bin/sftpgo || true
 fi
 
 #DEBHELPER#
diff --git a/pkgs/scripts/deb/postinstall.sh b/pkgs/scripts/deb/postinstall.sh
index 0deb8a5f..b0e2d3d0 100644
--- a/pkgs/scripts/deb/postinstall.sh
+++ b/pkgs/scripts/deb/postinstall.sh
@@ -35,6 +35,9 @@ if [ "$1" = "configure" ]; then
     chmod 750 /srv/sftpgo
   fi
 
+  # set the cap_net_bind_service capability so the service can bind to privileged ports
+  setcap cap_net_bind_service=+ep /usr/bin/sftpgo || true
+
 fi
 
 if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
diff --git a/pkgs/scripts/rpm/postinstall b/pkgs/scripts/rpm/postinstall
index 74872e4a..85eef34e 100644
--- a/pkgs/scripts/rpm/postinstall
+++ b/pkgs/scripts/rpm/postinstall
@@ -32,5 +32,8 @@ if [ -d /var/lib/sftpgo ]; then
     /usr/bin/chmod 750 /var/lib/sftpgo
 fi
 
+# set the cap_net_bind_service capability so the service can bind to privileged ports
+setcap cap_net_bind_service=+ep /usr/bin/sftpgo || :
+
 # reload to pick up any changes to systemd files
 /bin/systemctl daemon-reload >/dev/null 2>&1 || :