deb/rpm packages: attempt to set the cap_net_bind_service capability

so the service can bind to privileged ports without running as root us

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
parent b65dae89e8
commit 8a6c2265a4
5 changed files with 10 additions and 1 deletions
|
@ -373,6 +373,8 @@ $ getcap /usr/bin/sftpgo
|
||||||
|
|
||||||
Now you can use privileged ports such as 21, 22, 443 etc.. without running the SFTPGo service as root user. You have to set the `cap_net_bind_service` capability each time you update the `sftpgo` binary.
|
Now you can use privileged ports such as 21, 22, 443 etc.. without running the SFTPGo service as root user. You have to set the `cap_net_bind_service` capability each time you update the `sftpgo` binary.
|
||||||
|
|
||||||
|
The "official" deb/rpm packages attempt to set the `cap_net_bind_service` capability in their `postinstall` scripts.
|
||||||
|
|
||||||
An alternative method is to use `iptables`, for example you run the SFTP service on port `2022` and redirect traffic from port `22` to port `2022`:
|
An alternative method is to use `iptables`, for example you run the SFTP service on port `2022` and redirect traffic from port `22` to port `2022`:
|
||||||
|
|
||||||
```shell
|
```shell
|
||||||
|
|
|
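Review bot: the added sentence about the deb/rpm `postinstall` scripts says they "attempt" to set the capability but does not tell the reader how to find out whether the attempt worked. Since the packaging scripts changed in this commit ignore a failing `setcap`, suggest adding that users should confirm the result with `getcap /usr/bin/sftpgo` after installing or upgrading the package, and set the capability manually if it is missing.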
@ -1,6 +1,6 @@
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
||||||
NFPM_VERSION=2.11.3
|
NFPM_VERSION=2.14.0
|
||||||
NFPM_ARCH=${NFPM_ARCH:-amd64}
|
NFPM_ARCH=${NFPM_ARCH:-amd64}
|
||||||
if [ -z ${SFTPGO_VERSION} ]
|
if [ -z ${SFTPGO_VERSION} ]
|
||||||
then
|
then
|
||||||
|
|
|
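Review bot: the `NFPM_VERSION` change from 2.11.3 to 2.14.0 is not mentioned in the commit message, which only describes the capability change. State in the message whether the new postinstall lines need the newer nfpm, or move the bump to its own commit so it can be reverted independently.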
@ -35,6 +35,8 @@ if [ "$1" = "configure" ]; then
|
||||||
chmod 750 /srv/sftpgo
|
chmod 750 /srv/sftpgo
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# set the cap_net_bind_service capability so the service can bind to privileged ports
|
||||||
|
setcap cap_net_bind_service=+ep /usr/bin/sftpgo || true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
#DEBHELPER#
|
#DEBHELPER#
|
||||||
|
|
|
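Review bot: `setcap cap_net_bind_service=+ep /usr/bin/sftpgo || true` hides every failure, including `setcap` not being installed or a filesystem that does not support file capabilities, so the admin only finds out when the service fails to bind to a port below 1024. Keep the non-fatal behaviour but print a warning to stderr when the command fails, and confirm the package declares a dependency on whatever provides `setcap`.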
@ -35,6 +35,8 @@ if [ "$1" = "configure" ]; then
|
||||||
chmod 750 /srv/sftpgo
|
chmod 750 /srv/sftpgo
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# set the cap_net_bind_service capability so the service can bind to privileged ports
|
||||||
|
setcap cap_net_bind_service=+ep /usr/bin/sftpgo || true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
|
if [ "$1" = "configure" ] || [ "$1" = "abort-upgrade" ] || [ "$1" = "abort-deconfigure" ] || [ "$1" = "abort-remove" ] ; then
|
||||||
|
|
|
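Review bot: in this second postinst the same `setcap cap_net_bind_service=+ep /usr/bin/sftpgo` line attaches the capability to the file, so every local user who can execute `/usr/bin/sftpgo` can bind privileged ports, not only the service account. If the service is started by systemd, `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the unit would scope the privilege to the service; otherwise note this trade-off in the comment above the line.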
@ -32,5 +32,8 @@ if [ -d /var/lib/sftpgo ]; then
|
||||||
/usr/bin/chmod 750 /var/lib/sftpgo
|
/usr/bin/chmod 750 /var/lib/sftpgo
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# set the cap_net_bind_service capability so the service can bind to privileged ports
|
||||||
|
setcap cap_net_bind_service=+ep /usr/bin/sftpgo || :
|
||||||
|
|
||||||
# reload to pick up any changes to systemd files
|
# reload to pick up any changes to systemd files
|
||||||
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
|
||||||
|
|
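Review bot: `setcap` is invoked by bare name here while the neighbouring lines use absolute paths (`/usr/bin/chmod`, `/bin/systemctl`), so the result depends on the PATH the scriptlet runs with. Use the absolute path or guard the call with a `command -v setcap` check; the `|| :` keeps the install going either way, but a missing binary then goes unnoticed.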