From 649fab71ad69b439bbdb36e4ec6df7fbccefa243 Mon Sep 17 00:00:00 2001
From: Nick Porter <nick@portercomputing.co.uk>
Date: Fri, 8 Nov 2024 08:11:30 +0000
Subject: [PATCH] Correct debian systemd service file to grant capabilities

AmbientCapablilites grants capabilities
CapablilityBoudingSet limits, but does not grant
---
 debian/freeradius.service | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/debian/freeradius.service b/debian/freeradius.service
index d62b4f89854..8886fc894bb 100644
--- a/debian/freeradius.service
+++ b/debian/freeradius.service
@@ -47,7 +47,13 @@ RestartSec=5
 NoNewPrivileges=true
 
 # Allow binding to secure ports, broadcast addresses, and raw interfaces.
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
+#
+# As the process starts as an unprivileged user, we need to assign all capabilities that
+# the process may need.
+#
+# If FreeRADIUS needs to be run as root, AmbientCapabilities should be swapped from
+# CapabilityBoundingSet to limit the capabilities the process is given.
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE
 
 # Private /tmp that isn't shared by other processes
 PrivateTmp=true
-- 
2.47.3