Add option to enable auto-upgrade on Linux/Unix despite CAP_NET_BIND_SERVICE capability #1944
Comments
I am not a fan of adding new flags because most people simply wouldn't know about it. Is there any way to detect this automatically?
That's fair, this is admittedly a bit of an edge case though I'd argue it's the best way to set it up on Linux without root (at least with systemd). Would you consider a configuration file directive instead or is that just as bad/worse? As for how to detect it, I suspect you'd need to interact with systemd directly to check. I only know a little Go so here's how one could check from the shell.
If the output from step 2 includes |
#813 - automatic update.
Well, we can run shell commands from Go, it's a perfectly viable solution. We will need to implement a method that will call your commands one by one, something like this:
Marked as "help wanted" for now; that means that we're looking for anyone who can contribute this change to AGH.
That makes sense; thanks for the insight. I'm a bit of a novice with Go but I'll play with it and see if I can't get something working.
Problem Description
The if statement linked below rightly describes the issue with setting CAP_NET_BIND_SERVICE on binary files in Linux but doesn't account for setting this option using systemd's AmbientCapabilities directive instead, which doesn't require setting the capability on the binary itself.
AdGuardHome/home/control_update.go
Lines 101 to 111 in b4aa791
Proposed Solution
Modify the if statement logic to allow users to override the behavior, perhaps with a command line flag like --allow-auto-update? When combined with the AmbientCapabilities systemd directive, this would allow users to auto upgrade the binary even when running AdGuardHome without root permissions.
Systemd Service File Example
AmbientCapabilities=CAP_NET_BIND_SERVICE
Alternatives Considered
Script the upgrade myself or fork the code, but a native solution would be much easier and a benefit for other Linux users. Thanks for the great application!
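One way to detect this automatically without shelling out, as an added example (not AdGuard Home's code and not written by anyone in this thread): on Linux, /proc/self/status lists the process's capability masks, and a CAP_NET_BIND_SERVICE bit in CapAmb means the capability was granted at launch, for example by systemd's AmbientCapabilities=, rather than by a file capability on the binary. The helper name bindCapIsAmbient is hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"strconv"
	"strings"
)

const capNetBindService = 10 // bit number in the kernel's capability masks

// bindCapIsAmbient (hypothetical helper) reads /proc/<pid>/status text and
// reports whether CAP_NET_BIND_SERVICE is both effective and ambient. The kernel
// clears the ambient set when a binary with file capabilities is executed.
func bindCapIsAmbient(status io.Reader) (bool, error) {
	masks := map[string]uint64{}
	sc := bufio.NewScanner(status)
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 2)
		if len(parts) != 2 || (parts[0] != "CapEff" && parts[0] != "CapAmb") {
			continue
		}
		mask, err := strconv.ParseUint(strings.TrimSpace(parts[1]), 16, 64)
		if err != nil {
			return false, fmt.Errorf("parsing %s: %w", parts[0], err)
		}
		masks[parts[0]] = mask
	}
	if err := sc.Err(); err != nil {
		return false, err
	}
	if _, ok := masks["CapEff"]; !ok {
		return false, fmt.Errorf("no CapEff line in status data")
	}
	const bit = uint64(1) << capNetBindService
	return masks["CapEff"]&bit != 0 && masks["CapAmb"]&bit != 0, nil
}

func main() {
	f, err := os.Open("/proc/self/status")
	if err != nil {
		fmt.Println("cannot read capability sets:", err)
		return
	}
	defer f.Close()
	fmt.Println(bindCapIsAmbient(f))
}
```

A true result means the bind capability does not depend on the binary file, so replacing the binary during an update does not drop it.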