Run app from unprivileged user

[ammnt]

Prerequisites

• I have checked the Wiki and Discussions and found no answer

• I have searched other issues and found no duplicates

• I want to report a bug and not ask a question

Operating system type

Linux, Other (please mention the version in the description)

CPU architecture

AMD64

Installation

GitHub releases or script from README

Setup

On one machine

AdGuard Home version

0.107.23

Description

No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
Linux dns.msftcnsi.com 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux

I'm trying to run the app from unprivileged user. What I exactly do:

• added system user (Debian) adguard with system group adguard
• make 'setcap -r 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' ./AdGuardHome' from root user
• chown app directory to adguard user: chown -R adguard:adguard /opt/AdGuardHome
• change user and group fields in the .yaml config file to adguard (also tried UID and GID after that)

Still no success because:
[fatal] listen tcp 0.0.0.0:80: bind: permission denied

The verbose log is attached. Anyone tried it before?

Thank you.
Best regards!

[ammnt]

[ainar-g]

make 'setcap -r 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' ./AdGuardHome' from root user

Perhaps the Debian setcap is different from the Ubuntu one, but doesn't -r remove capabilities? What I do is:

sudo setcap 'cap_net_bind_service+ep cap_net_raw+ep' ./AdGuardHome

[ammnt]

@ainar-g, unfortunately I have the same result with these flags:

[ainar-g]

Sorry, I'm not sure what it could be then. Other than if you run it as a service, systemd might interfere with that somehow (systemctl daemon-reload?).

[ammnt]

@ainar-g, nope. Nothing changed☹️

[ainar-g]

I'll move this to discussions then, if you don't mind, as I don't think that it's an AdGuard Home issue.