[sslh] capabilities downgrade

Andrei Muresanu andrei.muresanu at gmail.com
Mon Jun 30 19:06:34 CEST 2014


Hi,

Just want to add that via FS capabilities it seems to work OK (running sslh
via 'sudo -u' from the init script). Also, the capabilities report OK:

capabilities: = cap_net_bind_service,cap_net_admin+ep.....both are needed :(

The problem seems to be the --user <username !=root> downgrade part...

On Mon, Jun 30, 2014 at 6:02 PM, Andrei Muresanu <andrei.muresanu at gmail.com>
wrote:

> Hi,
>
> 1.16 sources compiled with USELIBCAP=1:
> -------------------
> # ldd /usr/local/sbin/sslh
>         libconfig.so.9 => /usr/lib/arm-linux-gnueabi/libconfig.so.9
> (0xb6f58000)
>         libcap.so.2 => /lib/arm-linux-gnueabi/libcap.so.2 (0xb6f4c000)
>         libc.so.6 => /lib/arm-linux-gnueabi/libc.so.6 (0xb6e14000)
>         /lib/ld-linux.so.3 (0xb6f76000)
>         libattr.so.1 => /lib/arm-linux-gnueabi/libattr.so.1 (0xb6e07000)
> -------------------
> Unfortunately, when running (x.x.x.x is a valid IP address):
> -------------------
> /usr/local/sbin/sslh --user nobody --pidfile /var/run/sslh.pid --listen
> x.x.x.x:443 --ssh x.x.x.x:22 --ssl x.x.x.x:9443 --openvpn x.x.x.x:1194
> --transparent -v
> -------------------
> I get:
> -------------------
> ssh addr: x.x.x.x:ssh. libwrap service: sshd family 2 2
> ssl addr: x.x.x.x:9443. libwrap service: (null) family 2 2
> openvpn addr: x.x.x.x:openvpn. libwrap service: (null) family 2 2
> listening on:
>         x.x.x.x:https
> timeout: 2
> on-timeout: ssh
> listening to 1 addresses
> root@hostname:~# turning into nobody
> capabilities: =
> -------------------
> Notice the capabilities = "" (no capabilities).
> When running with --user root, I get (same as when running without --user):
> -------------------
> capabilities: =ep
> -------------------
> Ideas?
> -------------------
>
>
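For anyone hitting the same symptom, here is an added example (not sslh's own code, and not from this thread) of the transition the --user downgrade is supposed to perform: ask the kernel to keep the permitted set across setuid() with PR_SET_KEEPCAPS, switch to the unprivileged uid/gid, then re-raise only the two capabilities sslh needs into the effective set. It uses the raw capget/capset syscalls instead of libcap so it builds without libcap-dev; the uid/gid 65534 (nobody on Debian), the capability list and the function names are assumptions for the illustration, and the constants are copied from the kernel ABI in <linux/capability.h>. It has to be started as root to actually perform the switch.

```c
/* keepcaps.c: drop root to an unprivileged uid while keeping two capabilities.
 * Added example, not sslh code. Build: gcc -Wall -o keepcaps keepcaps.c ; run as root. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Values copied from the kernel ABI (<linux/capability.h>) so this builds without libcap. */
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_ADMIN        12
#define CAP_VERSION_3        0x20080522u  /* _LINUX_CAPABILITY_VERSION_3: two 32-bit words per set */

struct cap_hdr  { uint32_t version; int pid; };              /* __user_cap_header_struct */
struct cap_data { uint32_t effective, permitted, inheritable; }; /* __user_cap_data_struct */

/* Build the capset payload for a list of capability numbers. Each cap goes into
 * both the permitted and the effective word ("+ep" in capsh/sslh output) and
 * every other bit is cleared. */
void build_caps(const int *caps, size_t n, struct cap_data data[2]) {
    data[0] = (struct cap_data){0, 0, 0};
    data[1] = (struct cap_data){0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        uint32_t bit = 1u << (caps[i] % 32);
        data[caps[i] / 32].permitted |= bit;
        data[caps[i] / 32].effective |= bit;
    }
}

/* 1 if the calling process currently has `cap` in its effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap) {
    struct cap_hdr hdr = { CAP_VERSION_3, 0 };   /* pid 0 = this process */
    struct cap_data data[2];
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return (int)((data[cap / 32].effective >> (cap % 32)) & 1u);
}

/* Switch to uid/gid but keep the listed capabilities. Returns 0, or -1 with errno set
 * (EPERM when not started as root). */
int drop_to_user_keeping_caps(uid_t uid, gid_t gid, const int *caps, size_t n) {
    struct cap_hdr hdr = { CAP_VERSION_3, 0 };
    struct cap_data data[2];

    /* 1. Without this, setuid() away from root clears the permitted and effective
     *    sets completely: that is the "capabilities: =" symptom. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    /* 2. Change identity. Groups and gid first; setuid() last, since afterwards
     *    we no longer have CAP_SETGID. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* 3. KEEPCAPS preserved the permitted set but the kernel still cleared the
     *    effective set. Raise the wanted caps back into effective and drop the rest. */
    build_caps(caps, n, data);
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    /* 4. KEEPCAPS only mattered for this one transition; switch it off again. */
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    return 0;
}

int main(void) {
    const int wanted[] = { CAP_NET_BIND_SERVICE, CAP_NET_ADMIN };
    if (drop_to_user_keeping_caps(65534, 65534, wanted, 2) != 0) {
        perror("drop_to_user_keeping_caps (must run as root)");
        return 1;
    }
    printf("uid=%d CAP_NET_BIND_SERVICE=%d CAP_NET_ADMIN=%d\n", (int)getuid(),
           has_effective_cap(CAP_NET_BIND_SERVICE), has_effective_cap(CAP_NET_ADMIN));
    return 0;
}
```

Run as root it prints uid=65534 with both capability bits at 1; comment out the first prctl() call and both bits come back 0, which is exactly the "capabilities: =" line in the quoted output. The workaround from the reply above, file capabilities on the binary (setcap cap_net_bind_service,cap_net_admin=ep /usr/local/sbin/sslh) with the init script starting sslh directly as the unprivileged user and no --user, avoids the setuid() transition altogether, so nothing has to be kept across it.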