Add notes on CAP_NET_BIND_SERVICE

7 years ago · 642d57f1f7
parent 62cf5388d0
commit 642d57f1f7
1 changed files with 10 additions and 0 deletions
--- a/README.rst
+++ b/README.rst
@ -17,3 +17,13 @@ Same as OpenSSH authorized_keys format.
 The options field contains the ports that are allowed to be forwarded, colon separated::

    ports=3333:4444 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPWEWu85yECrbmtL38wlFua3tBSqxTekCX/aU+dku+w COMMENTHERE
+
+Running as non-root user
+========================
+
+You should not run this program as root. Due to the way Go is implemented,
+setuid is non-trivial, so instead you need to set the CAP_NET_BIND_SERVICE
+capability on the resulting binary:
+
+    setcap 'cap_net_bind_service=+ep' go-sshd
+