From d5d28580f91bc90b02e8d020da4c022a856a25c9 Mon Sep 17 00:00:00 2001
From: edsgerlin
Date: Sat, 15 Sep 2018 01:39:49 +0900
Subject: [PATCH 1/2] Add `CAP_NET_BIND_SERVICE` to `shadowsocks-libev.service`

It ensures process have permission to bind to port <=1000. Other systemd config files already have it except this one.
---
 debian/shadowsocks-libev.service | 1 +
 1 file changed, 1 insertion(+)

diff --git a/debian/shadowsocks-libev.service b/debian/shadowsocks-libev.service
index 08bf8274..c4489d53 100644
--- a/debian/shadowsocks-libev.service
+++ b/debian/shadowsocks-libev.service
@@ -15,6 +15,7 @@ After=network.target
 
 [Service]
 Type=simple
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 EnvironmentFile=/etc/default/shadowsocks-libev
 User=nobody
 Group=nogroup

From 04964163879c22403f3b9ca85f59b8f63ebe07eb Mon Sep 17 00:00:00 2001
From: edsgerlin
Date: Sat, 15 Sep 2018 17:20:57 +0900
Subject: [PATCH 2/2] Add AmbientCapabilities for all.

---
 debian/shadowsocks-libev-local@.service | 1 +
 debian/shadowsocks-libev-redir@.service | 1 +
 debian/shadowsocks-libev-server@.service | 1 +
 debian/shadowsocks-libev-tunnel@.service | 1 +
 debian/shadowsocks-libev.service | 1 +
 5 files changed, 5 insertions(+)

diff --git a/debian/shadowsocks-libev-local@.service b/debian/shadowsocks-libev-local@.service
index 3595f6c8..05d78cff 100644
--- a/debian/shadowsocks-libev-local@.service
+++ b/debian/shadowsocks-libev-local@.service
@@ -17,6 +17,7 @@ After=network.target
 [Service]
 Type=simple
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/ss-local -c /etc/shadowsocks-libev/%i.json
 
 [Install]
diff --git a/debian/shadowsocks-libev-redir@.service b/debian/shadowsocks-libev-redir@.service
index 420f1946..3fc2c8a6 100644
--- a/debian/shadowsocks-libev-redir@.service
+++ b/debian/shadowsocks-libev-redir@.service
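Review bot: `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` on its own does not let this `User=nobody` service bind a privileged port: the bounding set only caps which capabilities the process may ever hold, it grants none, so with this first commit alone the daemon is still refused ports below 1024. Granting the capability to an unprivileged user needs `AmbientCapabilities=CAP_NET_BIND_SERVICE` alongside it; the second patch in this series adds exactly that, and squashing the two would avoid shipping an intermediate unit that cannot bind. The commit message's "bind to port <=1000" is also off — the privileged range is 0–1023, so "ports below 1024" is the accurate statement. A one-line comment above the new directive would save the next maintainer the same confusion, e.g. `# Bounding set only limits what may be held; AmbientCapabilities is what actually grants it to User=nobody`.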
@@ -17,6 +17,7 @@ After=network.target
 [Service]
 Type=simple
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/ss-redir -c /etc/shadowsocks-libev/%i.json
 
 [Install]
diff --git a/debian/shadowsocks-libev-server@.service b/debian/shadowsocks-libev-server@.service
index b6469951..bf13c100 100644
--- a/debian/shadowsocks-libev-server@.service
+++ b/debian/shadowsocks-libev-server@.service
@@ -17,6 +17,7 @@ After=network.target
 [Service]
 Type=simple
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/ss-server -c /etc/shadowsocks-libev/%i.json
 
 [Install]
diff --git a/debian/shadowsocks-libev-tunnel@.service b/debian/shadowsocks-libev-tunnel@.service
index 3f9f8aef..1cdd56ba 100644
--- a/debian/shadowsocks-libev-tunnel@.service
+++ b/debian/shadowsocks-libev-tunnel@.service
@@ -17,6 +17,7 @@ After=network.target
 [Service]
 Type=simple
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/ss-tunnel -c /etc/shadowsocks-libev/%i.json
 
 [Install]
diff --git a/debian/shadowsocks-libev.service b/debian/shadowsocks-libev.service
index c4489d53..1e0ffe47 100644
--- a/debian/shadowsocks-libev.service
+++ b/debian/shadowsocks-libev.service
@@ -16,6 +16,7 @@ After=network.target
 [Service]
 Type=simple
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 EnvironmentFile=/etc/default/shadowsocks-libev
 User=nobody
 Group=nogroup
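Review bot: Making `CAP_NET_ADMIN` ambient in the redir unit hands ss-redir a far broader privilege than port binding — routes, interface and firewall configuration and promiscuous mode are all behind that capability, so a compromise of the proxy becomes a network-wide one rather than a contained one. It is presumably needed for the transparent-proxy sockets ss-redir sets up, but the unit should record that so it is not cargo-culted into the other units, e.g. `# CAP_NET_ADMIN: presumably required by ss-redir for transparent-proxy (IP_TRANSPARENT) sockets; confirm and drop if not`. Ambient capabilities survive execve into anything the service spawns, so pairing the new directive with `NoNewPrivileges=true` (which is compatible with AmbientCapabilities=) would stop the process from gaining further privilege through setuid helpers. No `User=`/`Group=` line is visible in any of the instance-unit hunks; if those units run as root, AmbientCapabilities= has no effect and the bounding set is the only restriction in force, which is worth confirming against the full files. AmbientCapabilities= also requires systemd 229 or later, which the package's systemd dependency should reflect.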