From 9fdf946fc07600db0c8d580ac7cf83fd553306ec Mon Sep 17 00:00:00 2001 From: Mordy Ovits Date: Mon, 31 Dec 2018 12:08:10 -0500 Subject: [PATCH] Update README with instructions for setcap non-root use On Linux you can run it listening on port 53 without root privs. This is the best option: clients still send on port 53 (no wonky configs) and AdGuard doesn't run as root (!). --- README.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 245ba1b9..bf76f641 100644 --- a/README.md +++ b/README.md @@ -91,7 +91,21 @@ Now open the browser and navigate to http://localhost:3000/ to control your AdGu ### Running without superuser -You can run AdGuard Home without superuser privileges, but you need to instruct it to use a different port rather than 53. You can do that by editing `AdGuardHome.yaml` and finding these two lines: +You can run AdGuard Home without superuser privileges, but you need to either grant the binary a capability (on Linux) or instruct it to use a different port (all platforms). + +#### Granting the CAP_NET_BIND_SERVICE capability (on Linux) + +To allow AdGuard Home running on Linux to listen on port 53 without superuser privileges, run: + +```bash +sudo setcap CAP_NET_BIND_SERVICE=+eip ./AdGuardHome +``` + +Then run `./AdGuardHome` as a unprivileged user. + +#### Changing the DNS listen port + +To configure AdGuard Home to listen on a port that does not require superuser privileges, edit `AdGuardHome.yaml` and find these two lines: ```yaml dns:
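Review bot: The new "Granting the CAP_NET_BIND_SERVICE capability (on Linux)" section does not say that the grant is attached to the file itself, so it is lost whenever the `./AdGuardHome` binary is replaced (for example on an update) and `setcap` has to be run again. I would add a sentence saying so, plus `getcap ./AdGuardHome` as a way to confirm the capability is set. The `i` (inheritable) flag in `CAP_NET_BIND_SERVICE=+eip` is not needed for the process to bind port 53 itself, so `=+ep` would be the narrower grant. It is also worth noting that anyone who can execute the binary gets the capability, so the file should not be writable or replaceable by unprivileged users. Small wording fix in the same section: "as a unprivileged user" should be "as an unprivileged user".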