deb/rpm packages: attempt to set the cap_net_bind_service capability

so the service can bind to privileged ports without running as the root user

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Nicola Murino 2022-02-26 10:10:51 +01:00
parent 92460f811f
commit 7fc5cb80d6
GPG key ID: 2F1FB59433D5A8CB
5 changed files with 11 additions and 1 deletion


@ -398,6 +398,8 @@ $ getcap /usr/bin/sftpgo
Now you can use privileged ports such as 21, 22, 443 etc.. without running the SFTPGo service as root user. You have to set the `cap_net_bind_service` capability each time you update the `sftpgo` binary. Now you can use privileged ports such as 21, 22, 443 etc.. without running the SFTPGo service as root user. You have to set the `cap_net_bind_service` capability each time you update the `sftpgo` binary.
The "official" deb/rpm packages attempt to set the `cap_net_bind_service` capability in their `postinstall` scripts.
An alternative method is to use `iptables`, for example you run the SFTP service on port `2022` and redirect traffic from port `22` to port `2022`: An alternative method is to use `iptables`, for example you run the SFTP service on port `2022` and redirect traffic from port `22` to port `2022`:
```shell ```shell
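Review bot: the added sentence says the packages "attempt" to set the capability but gives package users no way to confirm it took effect, and the postinst/%post scripts in this commit deliberately ignore a `setcap` failure (`|| true`, `|| :`). Add one line here telling deb/rpm users to verify after every install or upgrade with `getcap /usr/bin/sftpgo` (the command shown just above) and to run `setcap cap_net_bind_service=+ep /usr/bin/sftpgo` by hand if the output is empty. "postinstall scripts" could also name the actual stages (`postinst` for deb, `%post` for rpm) so readers know where to look.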


@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
NFPM_VERSION=2.13.0 NFPM_VERSION=2.14.0
NFPM_ARCH=${NFPM_ARCH:-amd64} NFPM_ARCH=${NFPM_ARCH:-amd64}
if [ -z ${SFTPGO_VERSION} ] if [ -z ${SFTPGO_VERSION} ]
then then
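Review bot: the `NFPM_VERSION` bump from 2.13.0 to 2.14.0 is unrelated to the capability change in the commit message; mention it there or split it into its own commit so the packaging-tool upgrade is visible in history. Minor, in the unchanged context: `if [ -z ${SFTPGO_VERSION} ]` leaves the variable unquoted and only works for an empty value because `[ -z ]` then tests the literal string `-z`; write `if [ -z "${SFTPGO_VERSION}" ]`.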


@ -35,6 +35,8 @@ if [ "$1" = "configure" ]; then
chmod 750 /srv/sftpgo chmod 750 /srv/sftpgo
fi fi
# set the cap_net_bind_service capability so the service can bind to privileged ports
setcap cap_net_bind_service=+ep /usr/bin/sftpgo || true
fi fi
#DEBHELPER# #DEBHELPER#
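Review bot: `setcap cap_net_bind_service=+ep /usr/bin/sftpgo || true` makes a failed `setcap` invisible: if `setcap` is not installed, or the filesystem holding `/usr/bin` does not support extended attributes, the package configures cleanly and the service only fails later when it tries to bind a port below 1024. Keep the install from aborting, but print a warning, e.g. `setcap cap_net_bind_service=+ep /usr/bin/sftpgo || echo "warning: could not set cap_net_bind_service on /usr/bin/sftpgo" >&2`, and make sure the package declares a dependency on the package that ships `setcap` (`libcap2-bin` on Debian and Ubuntu) so the first failure mode cannot occur.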


@ -35,6 +35,9 @@ if [ "$1" = "configure" ]; then
chmod 750 /srv/sftpgo chmod 750 /srv/sftpgo
fi fi
# set the cap_net_bind_service capability so the service can bind to privileged ports
setcap cap_net_bind_service=+ep /usr/bin/sftpgo || true
fi fi
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
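Review bot: this is a file capability on `/usr/bin/sftpgo`, so it is granted to every process that executes the binary, not only to the systemd service; any local user who can run `sftpgo` gets `CAP_NET_BIND_SERVICE`. If the goal is only the service, `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the unit file scopes the privilege to that process and survives binary upgrades without a postinst step; if the file capability is kept on purpose, extend the comment above the `setcap` line to say why, so the trade-off is explicit. The block is otherwise identical to the previous postinst hunk, so whichever wording is chosen should be applied to both.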


@ -32,5 +32,8 @@ if [ -d /var/lib/sftpgo ]; then
/usr/bin/chmod 750 /var/lib/sftpgo /usr/bin/chmod 750 /var/lib/sftpgo
fi fi
# set the cap_net_bind_service capability so the service can bind to privileged ports
setcap cap_net_bind_service=+ep /usr/bin/sftpgo || :
# reload to pick up any changes to systemd files # reload to pick up any changes to systemd files
/bin/systemctl daemon-reload >/dev/null 2>&1 || : /bin/systemctl daemon-reload >/dev/null 2>&1 || :
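Review bot: `setcap` is called by bare name here while the rest of the scriptlet uses absolute paths (`/usr/bin/chmod`, `/bin/systemctl`); use `/usr/sbin/setcap` for consistency so the call does not depend on the PATH rpm runs the scriptlet with, and add `Requires: libcap` (the package that ships `/usr/sbin/setcap` on Fedora and RHEL) to the spec so the `|| :` fallback only covers filesystems without extended attribute support. Running `setcap` unconditionally in `%post` is correct, since on upgrade the replaced binary loses the extended attribute.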