Error with Privileges - SystemD Debian #822

Closed
computerlyrik opened this Issue May 14, 2016 · 2 comments


If you are filing a bug report, please answer these questions. If your issue is not a bug report, you do not need to use this template. Either way, please consider donating if we've helped you. Thanks!

1. What version of Caddy are you running (caddy -version)?

0.8.3

2. What are you trying to do?

Running as service.

4. How did you run Caddy (give the full command and describe the execution environment)?

Debian 8, SystemD,
with provided SystemD Script https://github.com/mholt/caddy/blob/master/dist/init/linux-systemd/caddy.service
setcap cap_net_bind_service=+ep /usr/bin/caddy

5. What did you expect to see?

running caddy server

6. What did you see instead (give full error messages and/or log)?

caddy[7200]: Activating privacy features...2016/05/14 14:54:49 [INFO][] acme: Obtaining bundled SAN certificate
caddy[7200]: 2016/05/14 14:54:49 [INFO][] acme: Trying to solve HTTP-01
caddy[7200]: 2016/05/14 14:54:49 [] failed to get certificate: [] error presenting token: Could not start HTTP server for challenge -> listen tcp xx.xx.xx.xx:80: bind: permission denied
systemd[1]: caddy.service: main process exited, code=exited, status=1/FAILURE

8. Is there a quickfix?

Works for me as soon as I remove the line NoNewPrivileges=true

@computerlyrik computerlyrik referenced this issue in antoiner77/caddy-ansible May 14, 2016

Closed

use service files from caddy repo #18

wmark May 14, 2016

Contributor

Again, those files are exemplary (modify them to your liking) and we ask that you not file tickets for them.

That said, you don't need setcap cap_net_bind_service… with the suggested systemd unit file. I am using the file myself without issues.

If the error were caused by systemd/the unit file as suspected, then you would get a Main process exited, code=exited, status=218/CAPABILITIES.

@wmark wmark closed this May 14, 2016

wmark May 14, 2016

Contributor

I got to the bottom of this:

Debian Jessie ships systemd version 215 (which is quite… old!). The logs read: Unknown lvalue 'AmbientCapabilities' in section 'Service', because said directive has been added in version 229.

So you're right, with that obsolete version you need to use setcap… and strip NoNewPrivileges. This, or just update your systemd—which I highly recommend.
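
The diagnosis in this thread can be turned into a pre-deployment check. The script below is an added example, not code from the thread or from the Caddy project; the function names and the sample unit text are constructed for illustration. It takes a systemd version and a unit file and reports whether the capability to bind low ports will actually reach the service.

```shell
# Added example; function names and SAMPLE_UNIT are constructed for illustration.

# "systemd 215" (first line of `systemctl --version`) -> 215
systemd_version() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Value of the last "Directive=value" line in a unit text (empty if absent).
unit_value() {  # $1 = unit text, $2 = directive name
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=[[:space:]]*//p" | tail -n 1
}

# Print findings for a non-root service that must bind a port below 1024.
audit_unit() {  # $1 = systemd version number, $2 = unit text
    case "$1" in
        ''|*[!0-9]*) echo "ERROR: cannot parse systemd version"; return 0 ;;
    esac
    ambient=$(unit_value "$2" AmbientCapabilities)
    nnp=$(unit_value "$2" NoNewPrivileges)
    if [ -n "$ambient" ] && [ "$1" -lt 229 ]; then
        echo "IGNORED: AmbientCapabilities needs systemd >= 229 (found $1)"
        ambient=""
    fi
    case "$ambient" in
        *CAP_NET_BIND_SERVICE*)
            echo "OK: CAP_NET_BIND_SERVICE granted by systemd" ;;
        *)
            case "$nnp" in
                1|yes|true|on)
                    echo "BLOCKED: NoNewPrivileges=$nnp stops setcap file capabilities at exec" ;;
                *)
                    echo "FALLBACK: binary needs setcap cap_net_bind_service=+ep" ;;
            esac ;;
    esac
}

# Constructed unit excerpt using the two directives named in the thread.
SAMPLE_UNIT='[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true'

# Debian Jessie case from the thread: prints IGNORED, then BLOCKED.
audit_unit "$(systemd_version 'systemd 215')" "$SAMPLE_UNIT"
# On a real host:
# audit_unit "$(systemd_version "$(systemctl --version)")" "$(systemctl cat caddy.service)"
```
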

wmark added a commit that referenced this issue May 20, 2016

systemd, README: highlight version requirement, and how to display logs
We have had three reports within a few days which ran into the same cause
and had not been able to figure out what went wrong.

Addresses #833, #822

wmark added a commit that referenced this issue May 20, 2016

systemd, README: needs to be version 229 or later, and how to display logs

We have had three operators within a few days which ran into the same cause
and had not been able to figure out what went wrong.

addresses #833, #822
