Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package freeradius

[ Reason ]
Misleading comment in systemd service file about how to get capabilities for
privileged ports: #985967.

[ Impact ]
Users could have a hard time figuring out how to use freeradius.

[ Tests ]
To test manually:

  $ sudo apt install freeradius-dhcp
  $ sed 's/port = 6700/port = 67/' /etc/freeradius/3.0/sites-available/dhcp > /etc/freeradius/3.0/sites-enabled/dhcp
  $ systemctl restart freeradius

[ Risks ]
This only changes a commented line in a service file, I don't see a risk.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Sent upstream as https://github.com/FreeRADIUS/freeradius-server/pull/4150

unblock freeradius/3.0.21+dfsg-2.1

diff -Nru freeradius-3.0.21+dfsg/debian/changelog freeradius-3.0.21+dfsg/debian/changelog --- freeradius-3.0.21+dfsg/debian/changelog 2020-08-24 10:46:49.000000000 +0200 +++ freeradius-3.0.21+dfsg/debian/changelog 2021-07-23 13:19:03.000000000 +0200 @@ -1,3 +1,13 @@ +freeradius (3.0.21+dfsg-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * Fix capabilities in service file. + As freeradius is not run as root we need to request extra capabilities + wiht AmbientCapabilities instead of limiting the set with + CapabilityBoundingSet. (Closes: #985967) + + -- Jochen Sprickerhof <jspri...@debian.org> Fri, 23 Jul 2021 13:19:03 +0200 + freeradius (3.0.21+dfsg-2) unstable; urgency=medium * Cherry-Pick upstream fixes to build with Python3.8 (Closes: #966860) diff -Nru freeradius-3.0.21+dfsg/debian/freeradius.service freeradius-3.0.21+dfsg/debian/freeradius.service --- freeradius-3.0.21+dfsg/debian/freeradius.service 2020-08-24 10:46:49.000000000 +0200 +++ freeradius-3.0.21+dfsg/debian/freeradius.service 2021-07-23 13:13:11.000000000 +0200 @@ -41,7 +41,7 @@ NoNewPrivileges=true # Allow binding to secure ports, broadcast addresses, and raw interfaces. -#CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE +#AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE # Private /tmp that isn't shared by other processes PrivateTmp=true
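
Review bot: In the debian/changelog hunk, the new entry misspells "with" as "wiht" ("wiht AmbientCapabilities instead of limiting the set with"); fix that before upload. The entry also reads as if the unit's behaviour changes, while the debian/freeradius.service hunk only replaces a commented-out line, so wording such as "Fix commented-out capabilities example in service file" would match the change more closely.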
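
Review bot: In the debian/freeradius.service hunk, the suggested AmbientCapabilities line carries over the full list from the old CapabilityBoundingSet line, including CAP_SETUID, CAP_SETGID, CAP_CHOWN and CAP_DAC_OVERRIDE. As a bounding set that list was an upper limit; as ambient capabilities it is a grant to the non-root daemon, and those four go well beyond what the comment above the line describes ("Allow binding to secure ports, broadcast addresses, and raw interfaces"). Consider trimming the example to the CAP_NET_* entries, and extending the comment to say that uncommenting the line adds privileges to the unprivileged process rather than restricting them.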