Use CAP_NET_BIND_SERVICE (#281)

moubctez · web-flow · commit 447db8b4e890 · 2026-04-22T19:18:21.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -215,9 +215,7 @@ jobs:
             --version ${{ env.VERSION }}
             --package defguard-proxy-${{ env.VERSION }}_x86_64-unknown-freebsd.pkg
             --freebsd-osversion '*'
-            --depends openssl
-            --before-install freebsd/preinst
-            --after-remove freebsd/postrm"
+            --depends openssl"
 
       - name: Upload Linux x86_64 archive
         uses: shogo82148/actions-upload-release-asset@v1
diff --git a/docs/header.png b/docs/header.png
diff --git a/freebsd/postrm b/freebsd/postrm
diff --git a/freebsd/preinst b/freebsd/preinst
diff --git a/linux/defguard-proxy.service b/linux/defguard-proxy.service
@@ -7,6 +7,8 @@ After=network-online.target
 [Service]
 User=defguard
 Group=defguard
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 ExecReload=/bin/kill -HUP $MAINPID
 ExecStart=/usr/bin/defguard-proxy --config /etc/defguard/proxy.toml
 KillMode=process
diff --git a/linux/postinst b/linux/postinst
@@ -14,8 +14,8 @@ case "${1}" in
 abort-upgrade | abort-remove | abort-deconfigure)
 	if [ -x /usr/bin/systemctl ]; then
 		/usr/bin/systemctl daemon-reload
-		if /usr/bin/systemctl is-enabled ${SERVICE_NAME} >/dev/null 2>&1; then
-			/usr/bin/systemctl start ${SERVICE_NAME} || true
+		if /usr/bin/systemctl is-enabled --quiet ${SERVICE_NAME}; then
+			/usr/bin/systemctl --no-block restart ${SERVICE_NAME}
 		fi
 	fi
 	;;
diff --git a/linux/postrm b/linux/postrm
@@ -4,10 +4,9 @@ set -e
 USERNAME=defguard
 
 if [ -x /usr/bin/systemctl ]; then
-	/usr/bin/systemctl daemon-reload >/dev/null 2>&1 || true
+	/usr/bin/systemctl --quiet daemon-reload || true
 fi
 
-if id -u ${USERNAME} >/dev/null 2>&1
-then
-    echo "If no longer needed, remove ${USERNAME} manually: userdel ${USERNAME}"
+if id -u ${USERNAME} >/dev/null 2>&1; then
+	echo "If no longer needed, remove ${USERNAME} manually: userdel ${USERNAME}"
 fi
diff --git a/linux/preinst b/linux/preinst
@@ -8,5 +8,5 @@ if ! id -u ${USERNAME} >/dev/null 2>&1; then
 fi
 
 mkdir -p /etc/defguard
-chown ${USERNAME}:${USERNAME} /etc/defguard
+chown -R ${USERNAME}:${USERNAME} /etc/defguard
 chmod 750 /etc/defguard
diff --git a/linux/prerm b/linux/prerm
@@ -4,5 +4,5 @@ set -e
 SERVICE_NAME='defguard-proxy'
 
 if [ -x /usr/bin/systemctl ]; then
-	/usr/bin/systemctl --no-block stop ${SERVICE_NAME} >/dev/null 2>&1 || true
+	/usr/bin/systemctl --no-block --quiet stop ${SERVICE_NAME} || true
 fi
