From 5910351159c2995a9a1c911d7879de6ff598d905 Mon Sep 17 00:00:00 2001
From: otbutz
Date: Tue, 30 May 2023 17:35:56 +0200
Subject: [PATCH] Enable CAP_NET_ADMIN (#98)

* Add CAP_NET_ADMIN
* Update readme
---
 init/README.md | 2 +-
 init/caddy-api.service | 2 +-
 init/caddy.service | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/init/README.md b/init/README.md
index 1c843d0..d26328b 100644
--- a/init/README.md
+++ b/init/README.md
@@ -65,4 +65,4 @@ To keep our unit files tidy, we haven't littered them with comments. So here we
 - **`LimitNPROC=512`** raises the number of threads caddy is allowed to have (`ulimit -u`). Obviously, setting this too low for a highly concurrent server is a bad idea.
 - **`PrivateTmp=true`** keeps /tmp and /var/tmp private, which are discarded after caddy stops.
 - **`ProtectSystem=full`** allows writing to /var, which is crucial so that it can store certificates and other data for your site.
-- **`AmbientCapabilities=CAP_NET_BIND_SERVICE`** allows caddy to bind to low ports (< 1024) without running as root.
+- **`AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE`** allows caddy to modify socket options and bind to low ports (< 1024) without running as root.
diff --git a/init/caddy-api.service b/init/caddy-api.service
index 2510106..89dc043 100644
--- a/init/caddy-api.service
+++ b/init/caddy-api.service
@@ -23,7 +23,7 @@ LimitNOFILE=1048576
 LimitNPROC=512
 PrivateTmp=true
 ProtectSystem=full
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 
 [Install]
 WantedBy=multi-user.target
diff --git a/init/caddy.service b/init/caddy.service
index db0710e..541d65e 100644
--- a/init/caddy.service
+++ b/init/caddy.service
@@ -30,7 +30,7 @@ LimitNOFILE=1048576
 LimitNPROC=512
 PrivateTmp=true
 ProtectSystem=full
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 
 [Install]
 WantedBy=multi-user.target
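Review bot: The new `AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE` line in init/caddy-api.service (and the identical line in init/caddy.service) grants CAP_NET_ADMIN unconditionally to every deployment of these units, yet CAP_NET_ADMIN is a far broader capability than CAP_NET_BIND_SERVICE — it covers interface, routing and firewall configuration on the host, not only the socket options the commit message alludes to — so a compromised caddy process gains considerably more reach than before. The commit does not say which caddy feature or socket option actually needs it, which is the information an operator needs to decide whether to keep the grant or strip it back to `AmbientCapabilities=CAP_NET_BIND_SERVICE`. Since the README deliberately carries the explanations for these unit files, its new bullet should name that feature and state that CAP_NET_ADMIN is substantially wider than CAP_NET_BIND_SERVICE and can be removed when the feature is unused, for example: `- **\`AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE\`** allows caddy to set privileged socket options (needed only for <FEATURE-PLACEHOLDER>; CAP_NET_ADMIN is much broader than CAP_NET_BIND_SERVICE, so drop it if you don't use that feature) and bind to low ports (< 1024) without running as root.` If either unit sets `CapabilityBoundingSet=` outside this hunk, that line would presumably need CAP_NET_ADMIN added as well — worth confirming, since neither hunk shows it.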