Skip to content

CanAutoUpdate should not decide by util.HaveAdminRights #2231

@ihipop

Description

@ihipop

if runtime.GOOS != "windows" &&
((tlsConf.Enabled && (tlsConf.PortHTTPS < 1024 ||
tlsConf.PortDNSOverTLS < 1024 ||
tlsConf.PortDNSOverQUIC < 1024)) ||
config.BindPort < 1024 ||
config.DNS.Port < 1024) {
// On UNIX, if we're running under a regular user,
// but with CAP_NET_BIND_SERVICE set on a binary file,
// and we're listening on ports <1024,
// we won't be able to restart after we replace the binary file,
// because we'll lose CAP_NET_BIND_SERVICE capability.
canUpdate, _ = util.HaveAdminRights()
}
ret["can_autoupdate"] = canUpdate

if we run AdGuardHome by systemd like this

[Unit]
Description=Adguard Home
Requires=network.target
After=network.target

[Service]
Type=simple
####ExecStartPre=-/sbin/setcap cap_net_bind_service=+ep /config/ihipop/AdGuardHome/AdGuardHome
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/config/ihipop/AdGuardHome/AdGuardHome
Restart=always
RestartSec=2s
User=dnsmasq
PermissionsStartOnly=true
LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target

The CAP_NET_BIND_SERVICE capability is grant by systemd and not exists in filesystem
AmbientCapabilities doc https://www.freedesktop.org/software/systemd/man/systemd.exec.html#AmbientCapabilities=
It's safe to upgrade then

Metadata

Metadata

Assignees

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions