AdguardTeam/AdGuardHome

Add option to enable auto-upgrade on Linux/Unix despite CAP_NET_BIND_SERVICE capability

Open

#1,944 opened on Jul 25, 2020

Labels: feature request, help wanted

Description

Problem Description

The if statement linked below rightly describes the issue with setting CAP_NET_BIND_SERVICE on binary files in Linux but doesn't account for setting this option using systemd's AmbientCapabilities directive instead, which doesn't require setting the capability on the binary itself.

https://github.com/AdguardTeam/AdGuardHome/blob/b4aa79151315035f0e839d9a710fe4051595acb5/home/control_update.go#L101-L111

Proposed Solution

Modify the if statement logic to allow users to override the behavior, perhaps with a command line flag like --allow-auto-update? When combined with the AmbientCapabilities systemd directive, this would allow users to auto upgrade the binary even when running AdGuardHome without root permissions.

Systemd Service File Example

AmbientCapabilities=CAP_NET_BIND_SERVICE

Alternatives Considered

Script the upgrade myself or fork the code, but a native solution would be much easier and a benefit for other Linux users. Thanks for the great application!

Additional Information

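The distinction the issue draws between a capability set on the binary and one granted through systemd's AmbientCapabilities can be read from the process's own capability sets. The sketch below is an added example, not AdGuardHome code: `parseCapSets`, `bindSource` and the sample status excerpts are hypothetical and constructed for illustration. It relies on the kernel clearing the ambient set when a binary with file capabilities is executed.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Constructed /proc/<pid>/status excerpts (not captured from a real host).
const sampleAmbient = "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\nCapAmb:\t0000000000000400\n"
const sampleFileCap = "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\nCapAmb:\t0000000000000000\n"

// parseCapSets returns the Cap* hex masks from status text, keyed by name.
func parseCapSets(status string) map[string]uint64 {
	sets := map[string]uint64{}
	for _, line := range strings.Split(status, "\n") {
		kv := strings.SplitN(line, ":", 2)
		if len(kv) != 2 || !strings.HasPrefix(kv[0], "Cap") {
			continue
		}
		if m, err := strconv.ParseUint(strings.TrimSpace(kv[1]), 16, 64); err == nil {
			sets[kv[0]] = m
		}
	}
	return sets
}

// bindSource reports where the right to bind ports below 1024 comes from.
// "ambient" is granted by the service manager on every start and survives
// replacing the binary; "file" depends on capabilities stored on the binary.
func bindSource(sets map[string]uint64, euid int) string {
	const bit = uint64(1) << 10 // CAP_NET_BIND_SERVICE is capability 10
	switch {
	case euid == 0:
		return "root"
	case sets["CapEff"]&bit == 0:
		return "none"
	case sets["CapAmb"]&bit != 0:
		return "ambient"
	}
	return "file"
}

func main() {
	raw, _ := os.ReadFile("/proc/self/status") // empty on error -> "none"
	fmt.Println("CAP_NET_BIND_SERVICE via:", bindSource(parseCapSets(string(raw)), os.Geteuid()))
}
```

A result of "file" is the case where replacing the binary drops the capability until it is set again with root privileges; "ambient" and "root" are unaffected by the replacement.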