Run app from unprivileged user #4221

Closed
opened 2026-03-04 04:52:19 -05:00 by deekerman · 6 comments
Originally created by @ammnt on GitHub (Feb 4, 2023).

Prerequisites

  • I have checked the Wiki and Discussions and found no answer

  • I have searched other issues and found no duplicates

  • I want to report a bug and not ask a question

Operating system type

Linux, Other (please mention the version in the description)

CPU architecture

AMD64

Installation

GitHub releases or script from README

Setup

On one machine

AdGuard Home version

0.107.23

Description

No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
Linux dns.msftcnsi.com 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux

I'm trying to run the app as an unprivileged user. What exactly I do:

  • added system user (Debian) adguard with system group adguard
  • make 'setcap -r 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' ./AdGuardHome' from root user
  • chown app directory to adguard user: chown -R adguard:adguard /opt/AdGuardHome
  • change user and group fields in the .yaml config file to adguard (also tried UID and GID after that)

Still no success because:
[fatal] listen tcp 0.0.0.0:80: bind: permission denied

The verbose log (https://github.com/AdguardTeam/AdGuardHome/files/10609065/log.txt) is attached. Anyone tried it before?

Thank you.
Best regards!

deekerman closed this issue and added the question label (2026-03-04 04:52:19 -05:00)


@ammnt commented on GitHub (Feb 4, 2023):

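Screenshot 2023-02-04_19-16-57: https://user-images.githubusercontent.com/45385632/216778692-397115d9-ae58-4434-b6cd-7758f285ed75.png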


@ainar-g commented on GitHub (Feb 5, 2023):

> make 'setcap -r 'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip' ./AdGuardHome' from root user

Perhaps the Debian setcap is different from the Ubuntu one, but doesn't -r remove capabilities? What I do is:

```sh
sudo setcap 'cap_net_bind_service+ep cap_net_raw+ep' ./AdGuardHome
```


@ammnt commented on GitHub (Feb 5, 2023):

@ainar-g, unfortunately I have the same result with these flags:
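Screenshot: https://user-images.githubusercontent.com/45385632/216819035-03b9f517-a4c5-482f-9843-b18d1b21356c.png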


@ainar-g commented on GitHub (Feb 5, 2023):

Sorry, I'm not sure what it could be then. Other than if you run it as a service, systemd might interfere with that somehow (systemctl daemon-reload?).


@ammnt commented on GitHub (Feb 5, 2023):

@ainar-g, nope. Nothing changed☹️


@ainar-g commented on GitHub (Feb 5, 2023):

I'll move this to discussions then, if you don't mind, as I don't think that it's an AdGuard Home issue.
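
The thread ends without a root cause. As an added example (not from the issue or the AdGuard Home project), the script below checks three standard Linux conditions that decide whether capabilities set with `setcap` actually reach a process: the effective set in `/proc/<pid>/status`, the `no_new_privs` flag, and a `nosuid` mount. The function names and the sample inputs used to exercise it are constructed for illustration.

```shell
#!/bin/sh
# Added example: why a setcap'd binary may still lack its capabilities.
# Bit numbers are from <linux/capability.h>.
CAP_NET_BIND_SERVICE=10
CAP_NET_RAW=13

# has_cap HEXMASK BIT: succeeds if BIT is set in a CapEff-style hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# status_field STATUS_TEXT NAME: value of the "NAME:" line of /proc/<pid>/status.
status_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '$1 == key { print $2 }'
}

# diagnose STATUS_TEXT MOUNT_OPTS: one finding per line, no output if all is well.
diagnose() {
    eff=$(status_field "$1" CapEff)
    nnp=$(status_field "$1" NoNewPrivs)
    eff=${eff:-0}   # treat a missing CapEff line as an empty set
    has_cap "$eff" "$CAP_NET_BIND_SERVICE" ||
        echo "CapEff lacks cap_net_bind_service: bind to ports below 1024 is denied"
    has_cap "$eff" "$CAP_NET_RAW" ||
        echo "CapEff lacks cap_net_raw"
    # With no_new_privs set, execve() does not grant file capabilities.
    [ "$nnp" = 1 ] &&
        echo "NoNewPrivs is 1: file capabilities are not granted on exec"
    # File capabilities are ignored on filesystems mounted nosuid.
    case ",$2," in
        *,nosuid,*) echo "binary is on a nosuid mount: file capabilities are ignored" ;;
    esac
    return 0
}

# Live use: sh capcheck.sh <pid> <path-to-binary>
if [ "$#" -eq 2 ]; then
    diagnose "$(cat "/proc/$1/status")" "$(findmnt -no OPTIONS -T "$2")"
fi
```

The capabilities stored on the file itself can be listed with `getcap ./AdGuardHome`; an empty result means none are set, which is what `setcap -r` leaves behind.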
