From: Nick Porter Date: Fri, 8 Nov 2024 08:11:30 +0000 (+0000) Subject: Correct debian systemd service file to grant capabilities X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=649fab71ad69b439bbdb36e4ec6df7fbccefa243;p=thirdparty%2Ffreeradius-server.git Correct debian systemd service file to grant capabilities AmbientCapabilities grants capabilities CapabilityBoundingSet limits, but does not grant --- diff --git a/debian/freeradius.service b/debian/freeradius.service index d62b4f89854..8886fc894bb 100644 --- a/debian/freeradius.service +++ b/debian/freeradius.service @@ -47,7 +47,13 @@ RestartSec=5 NoNewPrivileges=true # Allow binding to secure ports, broadcast addresses, and raw interfaces. -CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE +# +# As the process starts as an unprivileged user, we need to assign all capabilities that +# the process may need. +# +# If FreeRADIUS needs to be run as root, AmbientCapabilities should be swapped from +# CapabilityBoundingSet to limit the capabilities the process is given. +AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE # Private /tmp that isn't shared by other processes PrivateTmp=true
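Review bot: On the new AmbientCapabilities= line, the capability list is carried over unchanged from the removed CapabilityBoundingSet= line, but its meaning changes from an upper limit to an actual grant, so the unprivileged process now really holds CAP_SETUID, CAP_SETGID, CAP_CHOWN and CAP_DAC_OVERRIDE. The comment above the setting only justifies "binding to secure ports, broadcast addresses, and raw interfaces", which the four CAP_NET_* entries cover; please either drop the other four or document why each is needed, since CAP_SETUID and CAP_DAC_OVERRIDE give back much of what starting as an unprivileged user takes away. I would also keep a CapabilityBoundingSet= line with the same list alongside AmbientCapabilities= rather than removing it, so the set is both granted and capped. Last, "AmbientCapabilities should be swapped from CapabilityBoundingSet" in the new comment reads backwards; presumably it means AmbientCapabilities should be replaced with CapabilityBoundingSet when running as root.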