Avoid running AdGuardHome as Root #2364
Comments
|
I agree that always running the whole program
under |
@ihipop The default install script and even the first run require root. I know I can override the systemd service file and do a chown on the folder, but then the autoupdater will fail, as you pointed out in your own issue. I have other applications like syncthing (also a Go app) that have no problem running with their own user, having their config file generated at first run and autoupdating without ever needing root. @ainar-g You could implement a system where the app could drop root after it has initialized (if you really need to have root to start). Nginx does that, for example.
The first run does not require root, see related issue #1699 b43223d
|
There's a simple instruction on how to run AGH without root: |
@ihipop True enough about Nginx, but the workers are the ones handling the requests while the master is the one spawning/managing the workers. This means there isn't any network request handled by a process running as root. @ameshkov For now it's not a solution until the autoupdate can run without root, as said by @ihipop in #2231. After #2231 is fixed, I think this should be reopened to redo the installation script to not require root and correctly set an AdGuard user to run everything. PS: Btw, don't get me wrong, AdGuard is amazing and light years ahead of PiHole. Easy to set up, provides so many features and can handle more than 2M daily requests. I'm very happy with it.
Problem Description
Currently, AdGuardHome is always running as root, which for a program that deals with network calls is less than ideal.
Proposed Solution
It can be achieved by changing the systemd configuration to give the right capabilities to bind on the default ports (like 53, 80, 443).
Alternatives Considered
Running AdGuardHome in Docker to reduce the possible impact in case of a security issue.
Additional Information
Don't think you'll never have a security issue; it always happens, especially with the number of libraries used by the project that deal with the network.
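The capability-based approach from the Proposed Solution, sketched as a systemd drop-in. This is an added example, not part of the original issue and not the AdGuardHome project's own unit file. The user name `adguardhome`, the `<unit-name>` placeholder and the `/path/to/AdGuardHome` path are assumptions, and as the thread notes, the auto-updater is reported to fail without root (#2231).

```ini
# Drop-in override, created for example with: systemctl edit <unit-name>
# Before (what the issue describes): no User= line, so the service runs as root.

[Service]
# Hypothetical dedicated account; create it first and chown the
# working directory to it.
User=adguardhome
Group=adguardhome

# Allow binding to ports below 1024 (53, 80, 443) without being root.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Limit the capabilities the process can ever hold to that single one.
# Features that need other capabilities would require adding them here.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Prevent gaining privileges through setuid binaries or file capabilities.
NoNewPrivileges=true

# Filesystem confinement: read-only system, no access to home directories,
# private /tmp, and write access only to the install directory.
# Placeholder path; set it to the real install location.
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
ReadWritePaths=/path/to/AdGuardHome
```

After `systemctl daemon-reload` and a restart, `systemd-analyze security <unit-name>` reports the remaining exposure of the unit.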