Add .drone.yml

Add privileged ports post
Add guide tag
2021-04-01 01:32:03 -05:00 · 2021-03-28 21:29:52 -05:00 · 2021-03-27 18:39:12 -05:00 · 2021-03-27 18:38:29 -05:00
5 changed files with 96 additions and 4 deletions
--- a/.drone.yml
+++ b/.drone.yml
@ -0,0 +1,24 @@
+---
+kind: pipeline
+type: docker
+name: Deploy to bbaovanc.com
+
+steps:
+    - name: Build site
+      image: mapitman/docker-hugo
+      commands:
+          - hugo version
+          - hugo --minify
+
+    - name: Upload files
+      image: appleboy/drone-scp
+      aettings:
+          host: bbaovanc.com
+          port: 2222
+          username: droneci
+          key:
+              from_secret: SSH_KEY
+          target: /var/www/bbaovanc/blog
+          rm: true
+          source:
+              - public/*
--- a/content/posts/allow-non-root-processes-to-bind-to-privileged-ports.md
+++ b/content/posts/allow-non-root-processes-to-bind-to-privileged-ports.md
@ -0,0 +1,68 @@
+++
+title = "Allow Non Root Processes to Bind to Privileged Ports"
+date = "2021-03-28T20:03:16-05:00"
+author = "bbaovanc"
+tags = ["guide", "linux", "systemd"]
+keywords = ["linux", "privileged", "ports", "tutorial", "guide", "gitea",
+"systemd"]
+
+description = """
+In Linux, processes cannot bind to privileged ports (<=1024) unless they are
+running as root. Here's how to allow any process to bind to privileged ports.
+"""
+
+showFullContent = false
+toc = true
+++
+
+## Introduction
+
+In Linux, processes cannot bind to privileged ports (<=1024) unless they are
+running as root. I learned about this when I was trying to add SSH cloning to my
+[Gitea](https://gitea.io) instance. This can be bypassed by giving
+`CAP_NET_BIND_SERVICE` capabilities to either the systemd service, or the
+executable itself.
+
+## Giving `CAP_NET_BIND_SERVICE` capabilities
+
+### Using systemd (preferred)
+
+The best way is to tell systemd to give `CAP_NET_BIND_SERVICE`
+capabilities to the service. In fact, the Gitea systemd service has two
+lines[^1] that are commented out:
+
+```systemd
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+```
+
+Uncommenting these two lines was all I had to do for Gitea.
+
+### Using `setcap`
+
+You can add `CAP_NET_BIND_SERVICE` to the executable directly using `setcap`,
+allowing it to bind to any port. Run the following command[^2]:
+
+```bash
+setcap 'cap_net_bind_service=+ep' /path/to/program
+```
+
+Note that this means that anyone with permission to run this program will be
+able to run it and bind to any privileged ports.
+
+Other caveats[^2]:
+
+> 1. You will need at least a 2.6.24 kernel
+> 2. This won't work if your file is a script. (ie, uses a #! line to launch an
+>    interpreter). In this case, as far I as understand, you'd have to apply the
+>    capability to the interpreter executable itself, which of course is a
+>    security nightmare, since any program using that interpreter will have the
+>    capability. I wasn't able to find any clean, easy way to work around this
+>    problem.
+> 3. Linux will disable LD\_LIBRARY\_PATH on any program that has elevated
+>    privileges like setcap or suid. So if your program uses its own .../lib/,
+>    you might have to look into another option like port forwarding.
+
+[^1]: https://github.com/go-gitea/gitea/blob/3416e2a82586fca4cd452b93237b979300f55d62/contrib/systemd/gitea.service#L69
+      and https://stackoverflow.com/a/47065825
+[^2]: https://stackoverflow.com/a/414258
--- a/content/posts/checkra1n-gui-on-other-distros.md
+++ b/content/posts/checkra1n-gui-on-other-distros.md
@ -3,7 +3,7 @@ title = "Checkra1n GUI on Other Distros"
 date = "2021-03-25T21:19:51-05:00"
 author = "bbaovanc"
 cover = "/blog/media/checkra1n-gui-on-arch-linux.png"
-tags = ["linux", "archlinux", "jailbreak", "checkra1n"]
+tags = ["guide", "linux", "archlinux", "jailbreak", "checkra1n"]
 keywords = ["checkra1n", "gui", "linux", "arch linux"]

 description = """
--- a/content/posts/edited-in-middle-of-message-discord.md
+++ b/content/posts/edited-in-middle-of-message-discord.md
@ -3,7 +3,7 @@ title = "Put (edited) in the middle of a message in Discord"
 date = "2021-03-25T18:48:34-05:00"
 author = "bbaovanc"
 cover = "media/discord-tricks/edited-in-middle-of-message.png"
-tags = ["discord", "discord-tricks"]
+tags = ["tutorial", "discord", "discord-tricks"]
 keywords = ["discord", "edited"]

 description = """
--- a/content/posts/sed-text-substitution-in-discord.md
+++ b/content/posts/sed-text-substitution-in-discord.md
@ -2,7 +2,7 @@
 title = "Text Substitution in Discord using `sed`"
 date = "2021-03-25T18:48:15-05:00"
 author = "bbaovanc"
-tags = ["discord", "discord-tricks"]
+tags = ["tutorial", "discord", "discord-tricks"]
 keywords = ["discord", "sed", "text", "replacement"]

 description = """
@ -12,7 +12,7 @@ Discord has (very primitive) support for text replacement using `sed` syntax.
 showFullContent = false
 +++

-## How-to
+## Tutorial

 [Example Video](/blog/media/discord-tricks/sed-text-replacement.mov)
Author	SHA1	Message	Date
BBaoVanC	5df308d140	Add .drone.yml Some checks failed continuous-integration/drone/push Build is failing Details	2021-04-01 01:32:03 -05:00
BBaoVanC	66833ca13d	Add privileged ports post	2021-03-28 21:29:52 -05:00
BBaoVanC	9378412a09	Add guide tag	2021-03-27 18:39:12 -05:00
BBaoVanC	ef2274521e	Add tutorial tag	2021-03-27 18:38:29 -05:00