Comments (3)
ml-
commented on August 15, 2024
2
I agree that this would be a good addition for users running a minimal linux.
This specific use-case however can also be solved with capabilities.
For example using systemd, you can add the following to your service file:
User=nobody
Group=nobody
AmbientCapabilities=CAP_NET_BIND_SERVICEYou will have to set PrivateUsers to false in case you're using the included systemd service file. That's the tradeoff. There are a lot more isolation shenanigans you can do with systemd though.
from endlessh.
skeeto
commented on August 15, 2024
I had looked into dropping privileges, but it seemed messy and not worth
it so I dropped the idea. As @ml- pointed out, today there are better
ways for systems to impose the policy they want on services.
However, if it's pretty straightforward I'll accept a PR to do it. I
imagine it being a new configuration option that indicates the final
user and group (separate options for each?). This option should default
to null/empty/disabled/etc. so it only happens when requested.
from endlessh.
algernon
commented on August 15, 2024
Truth be told, I am using systemd, but completely forgot about it being able to do the privdrop for me. As such, I'll be using that instead of implementing it for Endlessh. Thanks for the instructions!
Closing this issue, 'cos there are better ways to accomplish the same thing.
from endlessh.
Related Issues (20)
- Log in local timezone HOT 3
- InaccessiblePaths=/run /var makes systemd service not start on Raspberry pi HOT 1
- Is it possible to run it on Debian 9?
- (code=exited, status=1/FAILURE) HOT 19
- no config after installing with apt HOT 5
- CentOS 8, not possible to autostart enablessh HOT 3
- [announcement] Multi-arch docker image by linuxserver.io released HOT 1
- can't start endlessh service "Failed at step NAMESPACE" HOT 3
- Logging - where? HOT 2
- Random message delay?
- Why not set a non-privileged user in systemd unit file? HOT 5
- Request for Pacstall Support HOT 1
- TCP v4 is not default HOT 2
- need way to define IP to bind/listen to. Port= is not sufficent HOT 2
- USR1 should output stats regardless of LogLevel
- setcap 'cap_net_bind_service=+ep' does not work HOT 1
- [Feature]: Add option to upload IP addresses to aggregators like AbuseIPDB
- i have a proble in pmta
- Allow specifying legitimate looking Headers
- Can't start endlessh service "Failed at step NAMESPACE", "status=1/FAILURE", "too many arguments" HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from endlessh.