Hello,
On Thu, Dec 28, 2017 at 4:18 PM, Andrew Smalley <[email protected]> wrote:
>
> Hi Lukas
>
> Thank you for the correction. I didn't even think about using CAP_SYS_ADMIN
> to give a standard user more privs.
>
> Out of interest would CAP_NET_BIND_SERVICE not be a better choice than
> giving haproxy full admin rights, just allow it to bind to ports <1024

Like I said, binding to ports below <1024 is not an issue at all. You don't
have to assign any additional privileges as it works out of the box when you
start haproxy as root, as the privilege downgrade happens after the bind.

We are talking about setting a backend socket to a specific namespace, and
that scenario requires CAP_SYS_ADMIN as per the documentation I've linked.

If your issue is that you want to start haproxy with non-privileged users on
privileged ports, then of course CAP_NET_BIND_SERVICE suffices.

cheers,
lukas
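As an added illustration (not part of the original message and not HAProxy code), this Python check decodes the `CapEff` mask from `/proc/<pid>/status` and reports which of the two capabilities discussed in this thread a process holds beyond what its setup needs. The sample status excerpts are constructed, and the function and parameter names are hypothetical.

```python
import re

# Bit numbers from <linux/capability.h>.
CAPS = {"CAP_NET_BIND_SERVICE": 10, "CAP_SYS_ADMIN": 21}

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
SAMPLE_DROPPED = "Name:\thaproxy\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n"
SAMPLE_BIND_ONLY = "Name:\thaproxy\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
SAMPLE_NS = "Name:\thaproxy\nCapPrm:\t0000000000200400\nCapEff:\t0000000000200400\n"


def effective_caps(status_text):
    """Return the names of the tracked capabilities set in CapEff."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.M)
    if m is None:
        raise ValueError("no CapEff line in status text")
    mask = int(m.group(1), 16)
    return {name for name, bit in CAPS.items() if mask & (1 << bit)}


def unneeded_caps(status_text, uses_namespaces, starts_unprivileged):
    """Capabilities held but not required by the described setup.

    uses_namespaces:     a backend socket is placed in a network namespace,
                         which requires CAP_SYS_ADMIN.
    starts_unprivileged: the process is started as a non-root user on ports
                         below 1024, which requires CAP_NET_BIND_SERVICE.
    When started as root, the bind happens before the privilege drop and
    neither capability has to remain afterwards.
    """
    needed = set()
    if uses_namespaces:
        needed.add("CAP_SYS_ADMIN")
    if starts_unprivileged:
        needed.add("CAP_NET_BIND_SERVICE")
    return effective_caps(status_text) - needed


if __name__ == "__main__":
    for label, sample in (("dropped", SAMPLE_DROPPED),
                          ("bind-only", SAMPLE_BIND_ONLY),
                          ("namespace", SAMPLE_NS)):
        print(label, sorted(effective_caps(sample)),
              "unneeded:", sorted(unneeded_caps(sample, False, True)))
```

To audit a live process, pass the contents of `/proc/<pid>/status` for that PID instead of the constructed samples.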

