author | crvv | 2016-12-04 13:39:26 +0000 |
---|---|---|
committer | crvv | 2016-12-04 13:39:26 +0000 |
commit | b2a7d45ad903de5b498cb38a3df04de2886333e7 (patch) | |
tree | d0db8f7eca5c032e0b91636b23243b546108bf92 | |
parent | e683ffba8050a650e7acaa4c73c41830f08df2b6 (diff) | |
download | aur-b2a7d45ad903de5b498cb38a3df04de2886333e7.tar.gz |
use systemd to setcap
-rw-r--r-- | .SRCINFO | 2 | ||||
-rw-r--r-- | PKGBUILD | 3 | ||||
-rw-r--r-- | caddy.install | 2 | ||||
-rw-r--r-- | setcap.patch | 15 |
4 files changed, 18 insertions, 4 deletions
@@ -1,7 +1,7 @@
 pkgbase = caddy
 pkgdesc = A configurable, general-purpose HTTP/2 web server for any platform
 pkgver = 0.9.3
- pkgrel = 5
+ pkgrel = 6
 url = https://caddyserver.com
 install = caddy.install
 arch = i686
@@ -1,6 +1,6 @@
 pkgname=caddy
 pkgver=0.9.3
-pkgrel=5
+pkgrel=6
 pkgdesc='A configurable, general-purpose HTTP/2 web server for any platform'
 arch=('i686' 'x86_64' 'armv7h' 'aarch64')
 url='https://caddyserver.com'
@@ -15,6 +15,7 @@ md5sums=('SKIP')
 prepare() {
 cd $srcdir
+ patch -Np1 < ../setcap.patch
 export GOPATH="$srcdir/build"
 rm -rf "$GOPATH/src/$gopkgname"
 mkdir -p "$GOPATH/src/$gopkgname"
diff --git a/caddy.install b/caddy.install
index d56cbe21244a..94fd46d64239 100644
--- a/caddy.install
+++ b/caddy.install
@@ -1,6 +1,4 @@
 post_install() {
- setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
- getent passwd www-data || useradd --system -s /usr/bin/nologin -d / -U www-data
 mkdir -p /etc/ssl/caddy
diff --git a/setcap.patch b/setcap.patch
new file mode 100644
index 000000000000..5f8f30e097d1
--- /dev/null
+++ b/setcap.patch
@@ -0,0 +1,15 @@
+--- a/caddy/dist/init/linux-systemd/caddy.service 2016-12-04 13:29:37.126666666 +0000
++++ b/caddy/dist/init/linux-systemd/caddy.service 2016-12-04 13:30:25.119999999 +0000
+@@ -38,9 +38,9 @@
+ ; The following additional security directives only work with systemd v229 or later.
+ ; They further retrict privileges that can be gained by caddy. Uncomment if you like.
+ ; Note that you may have to add capabilities required by any plugins in use.
+-;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+-;AmbientCapabilities=CAP_NET_BIND_SERVICE
+-;NoNewPrivileges=true
++CapabilityBoundingSet=CAP_NET_BIND_SERVICE
++AmbientCapabilities=CAP_NET_BIND_SERVICE
++NoNewPrivileges=true
+
+ [Install]
+ WantedBy=multi-user.target |
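Review bot: The added `patch -Np1 < ../setcap.patch` in prepare() reads the patch through a path relative to `$srcdir` instead of through makepkg's source handling, so as far as this hunk shows, the file that rewrites the service unit's privilege settings is not listed in `source=()` and has no checksum (the only checksum line visible is `md5sums=('SKIP')`). I would add `setcap.patch` to `source=()` with a real checksum and apply it with `patch -Np1 -i "$srcdir/setcap.patch"`. That form also keeps working when `BUILDDIR` places `$srcdir` somewhere other than directly under the PKGBUILD directory, where `../setcap.patch` would no longer resolve. The `source` array and the rest of prepare() lie outside the hunk, so this needs confirming against the full file.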
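Review bot: The context comments kept above the now-active directives in setcap.patch still say "Uncomment if you like" and "only work with systemd v229 or later", but after this commit the unit is the only source of CAP_NET_BIND_SERVICE, because caddy.install no longer runs setcap. On an older systemd the service would presumably start without the capability and fail to bind ports below 1024, so the package should declare the requirement, for example `depends=('systemd>=229')` if that is not already present outside the visible hunks. The comment would be clearer reworded along the lines of `; Enabled by this package: caddy receives CAP_NET_BIND_SERVICE from systemd instead of a file capability.` Two caveats are worth documenting next to it: `AmbientCapabilities=` only has an effect when the unit runs under a non-root `User=` (not visible in this hunk), and the one-entry `CapabilityBoundingSet=` together with `NoNewPrivileges=true` will block any plugin or helper that needs another capability.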