Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
Next revisionBoth sides next revision
howto:linux_non-root [2020/03/23 18:53] – [setcap] Does not require libcap-dev2 digital manhowto:linux_non-root [2020/11/24 02:01] – [setcap] Add use of getcap to confirm success, use realpath to be sure we're pointing to the target of symlinks digital man
Line 1: Line 1:
-====== Linux Non-root ======+====== Start Synchronet on Linux as a Non-root user ======
  
 ===== setcap ===== ===== setcap =====
 ''setcap'' may be used to allow Synchronet (''sbbs'') for Linux to run completely as a **non-root** user by explicitly allowing the binary to bind low ports using the command-line: ''setcap'' may be used to allow Synchronet (''sbbs'') for Linux to run completely as a **non-root** user by explicitly allowing the binary to bind low ports using the command-line:
  
-<code>sudo /sbin/setcap 'cap_net_bind_service=+ep' /sbbs/exec/sbbs</code> +  $ sudo /sbin/setcap 'cap_net_bind_service=+ep' `realpath /sbbs/exec/sbbs`
- +
-This must be ran on the executable file itself (if ''/sbbs/exec/sbbs'' is a symlink, apply it to the target of the link instead). For example: +
-  sudo setcap 'cap_net_bind_service=+ep' ~/sbbs/src/sbbs3/gcc.linux.*.exe.*/sbbs+
  
 This will need to be re-ran any time the binary is rebuilt and can be automated by adding the ''setcap'' target to your ''make'' command-line executed in ''src/sbbs3'': This will need to be re-ran any time the binary is rebuilt and can be automated by adding the ''setcap'' target to your ''make'' command-line executed in ''src/sbbs3'':
-  make RELEASE=1 setcap symlinks+  make RELEASE=1 setcap symlinks 
 +   
 +To confirm the bind capabilities were set successfully, run: 
 +  $ sudo getcap `realpath /sbbs/exec/sbbs` 
 +  /path/to/sbbs = cap_net_bind_service+ep
 ===== authbind ===== ===== authbind =====
  
Line 19: Line 20:
 Configure it to grant access to the relevant ports, e.g. to allow 80, 21, 23,25, 110, etc 443 from all users and groups: Configure it to grant access to the relevant ports, e.g. to allow 80, 21, 23,25, 110, etc 443 from all users and groups:
  
-sudo touch /etc/authbind/byport/80+  sudo touch /etc/authbind/byport/80
  
-sudo touch /etc/authbind/byport/443+  sudo touch /etc/authbind/byport/443
  
 and so forth for all ports you are using below 1025 ... and so forth for all ports you are using below 1025 ...
  
-sudo chmod 777 /etc/authbind/byport/80+  sudo chmod 777 /etc/authbind/byport/80
  
-sudo chmod 777 /etc/authbind/byport/443+  sudo chmod 777 /etc/authbind/byport/443
  
 and so forth for all ports you are using below 1025 and so forth for all ports you are using below 1025
Line 33: Line 34:
 Now execute your command via authbind (optionally specifying --deep or other arguments, see the man page): Now execute your command via authbind (optionally specifying --deep or other arguments, see the man page):
  
-sudo authbind --deep /sbbs/exec/sbbs -d+  sudo authbind --deep /sbbs/exec/sbbs -d
  
  
howto/linux_non-root.txt · Last modified: 2023/03/09 10:40 by digital man
Back to top
CC Attribution 4.0 International
Driven by DokuWiki Recent changes RSS feed Valid CSS Valid XHTML 1.0