systemd: add CapabilityBoundingSet settings in service file so that glider can listen on port below 1024 with none-root user

README.md

@@ -30,15 +30,15 @@ General:
 - Rule proxy based on destionation: [Config Examples](examples)
 
 TODO:
-- Specify different remote dns server in rule file (DONE)
+- [x] Specify different remote dns server in rule file
-- Improve DNS forwarder to resolve domain name and add ip to proxy rules (DONE)
+- [x] Improve DNS forwarder to resolve domain name and add ip to proxy rules
-- IPSet management
+- [ ] IPSet management
-- Improve DNS forwarder to resolve domain name and add ip to ipset
+- [ ] Improve DNS forwarder to resolve domain name and add ip to ipset
-- UDP Tunnel & UDP Relay
+- [ ] UDP Tunnel & UDP Relay
-- TUN/TAP device support
+- [ ] TUN/TAP device support
-- Code refactoring: support proxy registering so it can be pluggable
+- [ ] Code refactoring: support proxy registering so it can be pluggable
-- Conditional compilation so we can abandon needless proxy type and get a smaller binary size
+- [ ] Conditional compilation so we can abandon needless proxy type and get a smaller binary size
-- SSH tunnel support
+- [ ] SSH tunnel support
 
 ## Install
 Binary: 

conf.go

@@ -66,6 +66,7 @@ func confInit() {
 		conf.rules = append(conf.rules, rule)
 	}
 
+	// TODO: allow to use relative dir to the config file
 	ruleFolderFiles, _ := listDir(conf.RulesDir, ".rule")
 	for _, ruleFile := range ruleFolderFiles {
 		rule, err := NewRuleConfFromFile(ruleFile)

systemd/glider@.service

@@ -6,7 +6,14 @@ After=network.target
 Type=simple
 User=nobody
 Restart=always
+
+# NOTE: change to your glider path
 ExecStart=/usr/bin/glider -config /etc/glider/%i.conf
 
+# work with systemd v229 or later, so glider can listen on port below 1024 with none-root user
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+
 [Install]
 WantedBy=multi-user.target