yrutschle 2021-08-01 21:25:39 +02:00
commit 2196146224
3 changed files with 6 additions and 10 deletions

@ -84,22 +84,18 @@ processes.
Alternatively, you may use filesystem capabilities instead Alternatively, you may use filesystem capabilities instead
of starting sslh as root and asking it to drop privileges. of starting sslh as root and asking it to drop privileges.
You will need `CAP_NET_BIND_SERVICE` for listening on port 443 You will need `CAP_NET_BIND_SERVICE` for listening on port 443
and `CAP_NET_ADMIN` for transparent proxying (see and `CAP_NET_RAW` for transparent proxying (see
`capabilities(7)`). `capabilities(7)`).
You can use the `setcap(8)` utility to give these capabilities You can use the `setcap(8)` utility to give these capabilities
to the executable: to the executable:
sudo setcap cap_net_bind_service,cap_net_admin+pe sslh-select sudo setcap cap_net_bind_service,cap_net_raw+pe sslh-select
Then you can run sslh-select as an unpriviledged user, e.g.: Then you can run sslh-select as an unpriviledged user, e.g.:
sslh-select -p myname:443 --ssh localhost:22 --ssl localhost:443 sslh-select -p myname:443 --ssh localhost:22 --ssl localhost:443
Caveat: `CAP_NET_ADMIN` does give sslh too many rights, e.g.
configuring the interface. If you're not going to use
transparent proxying, just don't use it (or use the libcap method).
Transparent proxy support Transparent proxy support
------------------------- -------------------------
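Review bot: removing the `CAP_NET_ADMIN` caveat also drops the only sentence telling readers to leave the extra capability out when transparent proxying is not used, while the `setcap` example now grants `cap_net_raw` unconditionally. Keep a one-line note after the `setcap` command saying `cap_net_raw` is needed only for transparent proxying and that `cap_net_bind_service+pe` alone is enough otherwise. The context line also misspells "unprivileged" as "unpriviledged", which could be fixed while this paragraph is being touched.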
@ -126,7 +122,7 @@ but to the network setup that surrounds it.
Linux: Linux:
`sslh` needs extended rights to perform this: you'll need to `sslh` needs extended rights to perform this: you'll need to
give it `CAP_NET_ADMIN` capabilities (see appropriate chapter) give it `CAP_NET_RAW` capabilities (see appropriate chapter)
or run it as root (but don't do that). or run it as root (but don't do that).
The firewalling tables also need to be adjusted as follows. The firewalling tables also need to be adjusted as follows.
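Review bot: the changed line reads "give it `CAP_NET_RAW` capabilities (see appropriate chapter)", which uses a plural for a single capability and points at an unnamed section. Suggest "give it the `CAP_NET_RAW` capability" and name the capabilities section explicitly so the cross-reference survives reordering of the README.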
@ -286,7 +282,7 @@ Example service unit:
[Service] [Service]
ExecStart=/usr/sbin/sslh -v -f --ssh 127.0.0.1:22 --ssl 127.0.0.1:443 ExecStart=/usr/sbin/sslh -v -f --ssh 127.0.0.1:22 --ssl 127.0.0.1:443
KillMode=process KillMode=process
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN CAP_SETGID CAP_SETUID CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
PrivateTmp=true PrivateTmp=true
PrivateDevices=true PrivateDevices=true
ProtectSystem=full ProtectSystem=full
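Review bot: with `CAP_SETGID CAP_SETUID` gone from `CapabilityBoundingSet`, an sslh started by this unit can no longer change user itself, yet the README earlier still describes starting sslh as root and asking it to drop privileges, and no `User=` line is visible in this hunk. Say in the text around the example that the unit relies on systemd to set the unprivileged user, or show the `User=` line next to the bounding set, so readers do not combine this unit with sslh's own privilege drop.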

@ -9,7 +9,7 @@
# is needed in order to run as sslh user # is needed in order to run as sslh user
# #
#SSLH_USER=sslh #SSLH_USER=sslh
#setcap cap_net_bind_service,cap_net_admin=+ep $SSLH #setcap cap_net_bind_service,cap_net_raw=+ep $SSLH
# #
# Configuration file for sslh # Configuration file for sslh
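Review bot: the comment above this line says the `setcap` call "is needed in order to run as sslh user", but after this change it also hands out `cap_net_raw`, which the README ties to transparent proxying only. Consider making `cap_net_bind_service=+ep` the default commented line and mentioning `cap_net_raw` as an addition for transparent proxying; quoting `"$SSLH"` would also protect against paths containing spaces.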

@ -8,7 +8,7 @@ ExecStart=/usr/sbin/sslh --foreground $DAEMON_OPTS
KillMode=process KillMode=process
#Hardening #Hardening
PrivateTmp=true PrivateTmp=true
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE
SecureBits=noroot-locked SecureBits=noroot-locked
ProtectSystem=strict ProtectSystem=strict
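Review bot: this unit now bounds and grants only `CAP_NET_BIND_SERVICE`, whereas the README example unit changed in the same commit lists `CAP_NET_BIND_SERVICE CAP_NET_RAW`, so transparent proxying enabled through `$DAEMON_OPTS` would lack the capability here. Add a comment under `#Hardening` stating that `CAP_NET_RAW` must be added to both `CapabilityBoundingSet` and `AmbientCapabilities` when transparent proxying is used, or note that this unit deliberately does not support it.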