Add option to bypass root check#39
Conversation
Background: A process, especially a long-running process that has contact with the outside world, should not have to start with privileged access. With the help of the capabilities system, it is possible to assign individual required permissions to the process and thus also dispense with root privileges (example `CapabilityBoundingSet/AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW` in systemd). Signed-off-by: Marek Küthe <m.k@mk16.de>
troglobit
left a comment
There was a problem hiding this comment.
I don't agree with this PR. Instead of adding more undocumented options we should remove bad behavior. Have you researched what mrouted or pimd does? Can we remove the root check entirely instead? If not what's blocking us?
If that's okay with you :-)
Theoretically, I should know, but in practice, I lack both experience and practice. If you have any further links/documentation on this, I would be grateful.
I would say yes. If you start it via systemd with the appropriate privileges, as I do, it (apparently) works that way too. |
|
If it's okay for me to ask another question: Is it possible to configure pim6sd to use a specific routing table for RPF calculation? Not all of my peers are multicast-capable, so I would create a second routing table for multicast if necessary. |
Well ... I added a caveat to my request ...
In practice, I'm the maintainer for mrouted, pimd, as well as pimd-dense, and it's not that difficult to just google it? I'm not here to teach you stuff or be your errand boy, you're the one who wants to merge a change, so the onus is on you.
"It works for me" ... great, thanks for the help. So, I asked because I didn't remember what decision I made in the other projects, and now I've checked myself since you were too lazy to bother, the conclusion is -- all the other projects have the same check. One of the many reasons for this is that all of these multicast routing daemons run on all UNIX systems out there with the MROUTING kernel stack, not just Linux. So I'm going to have to ask you to take that into account when reworking this patch. |
It's extremely difficult to keep track of as a maintainer, so I've forked-off your question as a separate issue. See #41 |
Hello,
I am trying to create a systemd unit for pim6sd, but it does not work optimally when I have to start it as root. Therefore, it would be nice to have an option to skip the root check.
Background: A process, especially a long-running process that has contact with the outside world, should not have to start with privileged access. With the help of the capabilities system, it is possible to assign individual required permissions to the process and thus also dispense with root privileges (example
CapabilityBoundingSet/AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAWin systemd).