search for: cap_net_bind_service

I want my Windows application to be able to listen on any port, but by default only root can create servers on ports <1024. As far as I know authbind doesn't work with Wine (and never will), and I can't redirect packets to a higher port with a firewall rule, because the Windows application (uTorrent) "tells" the other peers which port is listening on. Making wineserver suid

...Restart=always > RestartSec=1 > Nice=19 > > PrivateTmp=yes > PrivateDevices=yes > ProtectKernelTunables=yes > ProtectKernelModules=yes > ProtectControlGroups=yes > MemoryDenyWriteExecute=yes > CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE > CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT > > SystemCallFilter=@system-service @network-io @privileged @resources > SystemCallFilter=~@debug @module @mount @reboot >

...pabilities (see below), should he still be able to delete other > users files in /tmp (and other directories with the t-bit applied)? > > Here is, what I did: remove a file owned by winni in /tmp and in > /home/winni. First succeeds, last gives a permission denied. > > # execcap CAP_NET_BIND_SERVICE=ip rm /tmp/winni.txt > rm: remove `/tmp/winni.txt', overriding mode 0664? y > # dir /tmp/winni.txt > ls: /tmp/winni.txt: No such file or directory > # execcap CAP_NET_BIND_SERVICE=ip rm ~winni/winni.txt > rm: remove `/home/winni/winni.txt', overriding mode 0664? y > rm: /h...

Hello I am using samba Version 4.11.2 compiled. To start the daemon I using /samba10/samba-4.11.2/bin/samba -s /etc/samba/smb.conf To stop correctly, what is recommended ? Actually I using kill -9 ... Regards.

...t Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: alukardd+openssh_mindrot at alukardd.org Created attachment 2880 --> https://bugzilla.mindrot.org/attachment.cgi?id=2880&action=edit Don't require a root if there is CAP_NET_BIND_SERVICE Hello. I think openssh-client should allow use port forwarding not only for root user. CAP_NET_BIND_SERVICE enought to use privileged ports. I did patch for myself, but I think, that you could improve it and apply to master. This patch requires one more build dependency: libcap-dev. Regards,...

...ind_unbound_socket(&new_addr)) { + found = true; + break; + } + } + + if (!found) + return -EADDRNOTAVAIL; + } else { + /* If port is in reserved range, ensure caller + * has necessary privileges. + */ + if (addr->svm_port <= LAST_RESERVED_PORT && + !capable(CAP_NET_BIND_SERVICE)) { + return -EACCES; + } + + if (__vsock_find_unbound_socket(&new_addr)) + return -EADDRINUSE; + } + + vsock_addr_init(&vsk->local_addr, new_addr.svm_cid, new_addr.svm_port); + + return 0; +} +EXPORT_SYMBOL_GPL(vsock_bind_dgram_generic); + static int __vsock_bind_dgram(struct vso...

...ExecStop=/usr/bin/doveadm stop PrivateTmp=true NonBlocking=yes # this will make /usr /boot /etc read only for dovecot ProtectSystem=full PrivateDevices=true # disable this if you want to use apparmor plugin #NoNewPrivileges=true CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK CAP_KILL CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_AUDIT_WRITE # You can add environment variables with e.g.: #Environment='CORE_OUTOFMEM=1' # If you have trouble with `Too many open files' you may set: #LimitNOFILE=8192 # If you want to allow the Dovecot services to produce cor...

...ft:~]$ cat /etc/systemd/system/smb.service [Unit] Description=Samba SMB Daemon [Service] Type=forking LimitNOFILE=32768 ExecStart=/usr/sbin/smbd -D Restart=always RestartSec=1 Nice=19 PrivateTmp=yes PrivateDevices=yes CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT ReadOnlyDirectories=/etc ReadOnlyDirectories=/usr ReadOnlyDirectories=/var/lib ReadWriteDirectories=/var/lib/samba ReadWriteDirectories=/usr/local -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-sig...

...=/usr/bin/kill -HUP $MAINPID PermissionsStartOnly=true Restart=always RestartSec=1 Nice=19 PrivateTmp=yes PrivateDevices=yes ProtectKernelTunables=yes ProtectKernelModules=yes ProtectControlGroups=yes MemoryDenyWriteExecute=yes CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT SystemCallFilter=@system-service @network-io @privileged @resources SystemCallFilter=~@debug @module @mount @reboot

...ility.h> +#endif const char *process_names[PROCESS_TYPE_MAX] = { "unknown", @@ -36,6 +39,15 @@ "dict" }; +/* the capabilities that we *need* in order to operate */ +#ifdef HAVE_LIBCAP +cap_t caps; +cap_value_t suidcaps[] = { + CAP_SETUID, + CAP_NET_BIND_SERVICE +}; +#endif + static const char *configfile = SYSCONFDIR "/" PACKAGE ".conf"; static const char *env_tz; @@ -583,6 +595,18 @@ if (log_error) i_fatal("This is Dovecot's error log"); + i_info("test message, monkeys"); +...

> From: Reindl Harald > > besides that you did not provide the info "embedded system" - > when you > have systemd you also have "systemctl restart > whatever.service" and in > PHP it would be passthru('command') > > you don't know how you restart a service via CLI - seriously? I know how to do it through systemctl, but I was

Hello, Is anyone running Dovecot on either a Fedora 20 or 21 system? I'm having an issue, on a system reboot, which I admit does not happen often, Dovecot fails to start in the systemctl list, output is status failed. The issue seems to be Dovecot can not bind to the ipv6 address. Now later if I manually log in to the box and start dovecot it works just fine no problems. I've googled and

On 2018-04-05 06:33, Helmut K. C. Tessarek wrote: > On 2018-04-04 23:10, Kevin Cummings wrote: >> PAM audit_log_acct_message() failed: Operation not permitted >> imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): >> user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, >> session=<sessionid> > > Please look at my pull

...ame; +} capabilities[] = { + MAKE_CAP(CAP_CHOWN), + MAKE_CAP(CAP_DAC_OVERRIDE), + MAKE_CAP(CAP_DAC_READ_SEARCH), + MAKE_CAP(CAP_FOWNER), + MAKE_CAP(CAP_FSETID), + MAKE_CAP(CAP_KILL), + MAKE_CAP(CAP_SETGID), + MAKE_CAP(CAP_SETUID), + MAKE_CAP(CAP_SETPCAP), + MAKE_CAP(CAP_LINUX_IMMUTABLE), + MAKE_CAP(CAP_NET_BIND_SERVICE), + MAKE_CAP(CAP_NET_BROADCAST), + MAKE_CAP(CAP_NET_ADMIN), + MAKE_CAP(CAP_NET_RAW), + MAKE_CAP(CAP_IPC_LOCK), + MAKE_CAP(CAP_IPC_OWNER), + MAKE_CAP(CAP_SYS_MODULE), + MAKE_CAP(CAP_SYS_RAWIO), + MAKE_CAP(CAP_SYS_CHROOT), + MAKE_CAP(CAP_SYS_PTRACE), + MAKE_CAP(CAP_SYS_PACCT), + MAKE_CAP(CAP_SYS_ADMI...

Hello, Am 09.07.2016 um 09:14 schrieb Rowland penny: >> What is the purpose of the option >> * >> **--with-**systemd** >> ****Enable****systemd****integration* >> >> To configure Samba (build). >> > > It is there so that there is also the '--without-systemd' option. > > one turns on systemd integration, the other (thank your deity)

I?m in the process of upgrading an old server from Fedora 21 to something more modern. Now, Dovecot won?t let any client login to get their email. PAM audit_log_acct_message() failed: Operation not permitted imap-login: Disconnected (AUTH failed, 2 attempts in 10 secs): user=<username>, method=PLAIN, rip=192.168.1.94 lip=192.168.1.94, TLS, session=<sessionid> # 2.3.1 (8e2f634):

...ice [Unit] Description=Samba SMB Daemon [Service] Type=forking LimitNOFILE=32768 ExecStart=/usr/sbin/smbd -D ExecReload=/usr/bin/kill -HUP $MAINPID Restart=always RestartSec=1 Nice=19 PrivateTmp=yes PrivateDevices=yes CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK CAP_SYS_CHROOT SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pa...

This patchset applies to klibc mainline. As is it will probably collide with Maximilian's recent patch to rename run-init to switch_root posted last week. To boot an untrusted environment with certain capabilities locked out, we'd like to be able to drop the capabilities up front from early userspace, before we actually transition onto the root volume. This patchset implements this by

...ind_unbound_socket(&new_addr)) { - found = true; - break; - } - } - - if (!found) - return -EADDRNOTAVAIL; - } else { - /* If port is in reserved range, ensure caller - * has necessary privileges. - */ - if (addr->svm_port <= LAST_RESERVED_PORT && - !capable(CAP_NET_BIND_SERVICE)) { - return -EACCES; - } - - if (__vsock_find_unbound_socket(&new_addr)) - return -EADDRINUSE; - } - - vsock_addr_init(&vsk->local_addr, new_addr.svm_cid, new_addr.svm_port); - - return 0; -} -EXPORT_SYMBOL_GPL(vsock_bind_dgram_generic); - static int __vsock_bind_dgram(struct vso...

...ind_unbound_socket(&new_addr)) { - found = true; - break; - } - } - - if (!found) - return -EADDRNOTAVAIL; - } else { - /* If port is in reserved range, ensure caller - * has necessary privileges. - */ - if (addr->svm_port <= LAST_RESERVED_PORT && - !capable(CAP_NET_BIND_SERVICE)) { - return -EACCES; - } - - if (__vsock_find_unbound_socket(&new_addr)) - return -EADDRINUSE; - } - - vsock_addr_init(&vsk->local_addr, new_addr.svm_cid, new_addr.svm_port); - - return 0; -} -EXPORT_SYMBOL_GPL(vsock_bind_dgram_generic); - static int __vsock_bind_dgram(struct vso...