From 642d57f1f7041c7a36743c6d63db7dca5ca36709 Mon Sep 17 00:00:00 2001 From: "Merlijn B. W. Wajer" Date: Tue, 18 Apr 2017 13:01:17 +0200 Subject: [PATCH] Add notes on CAP_NET_BIND_SERVICE --- README.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/README.rst b/README.rst index b41c240..f591d7b 100644 --- a/README.rst +++ b/README.rst @@ -17,3 +17,13 @@ Same as OpenSSH authorized_keys format. The options field contains the ports that are allowed to be forwarded, colon separated:: ports=3333:4444 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHPWEWu85yECrbmtL38wlFua3tBSqxTekCX/aU+dku+w COMMENTHERE + +Running as non-root user +======================== + +You should not run this program as root. Due to the way Go is implemented, +setuid is non-trivial, so instead you need to set the CAP_NET_BIND_SERVICE +capability on the resulting binary: + + setcap 'cap_net_bind_service=+ep' go-sshd +
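Review bot: The `setcap` command at the end of the new "Running as non-root user" section is introduced with a single colon ("capability on the resulting binary:"), while the existing text above it uses the reStructuredText literal-block marker ("colon separated::"). With a single colon the indented command renders as a block quote rather than as literal text, so end the sentence with "binary::" to have the command display verbatim. The section would also benefit from three short additions: that the capability is only needed when the daemon listens on a port below 1024, that `setcap` itself has to be run by root (or a process holding CAP_SETFCAP), and that the file capability is lost when go-sshd is rebuilt or replaced and must be set again afterwards. Without the last point, a rebuilt binary fails to bind, and the likely workaround is to start it as root, which is what this section advises against.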