authbind

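Background

Restarting the Shadowsocks service produced the error below, which shows that the simple-obfs component failed to bind its port. I suspected a permissions problem, and after trying a port above 1023 the error no longer appeared; it took some Googling to find the actual cause.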

● shadowsocks-libev.service - Shadowsocks-libev Default Server Service
Loaded: loaded (/lib/systemd/system/shadowsocks-libev.service; enabled)
Active: failed (Result: exit-code) since Sun 2018-04-15 21:39:41 CST; 1s ago
Docs: man:shadowsocks-libev(8)
Process: 612 ExecStart=/usr/bin/ss-server -c $CONFFILE $DAEMON_ARGS (code=exited, status=255)
Main PID: 612 (code=exited, status=255)

Apr 15 21:39:41 localhost ss-server[612]: 2018-04-15 21:39:41 [simple-obfs] ERROR: Could not bind
Apr 15 21:39:41 localhost ss-server[612]: 2018-04-15 21:39:41 [simple-obfs] ERROR: bind() error
Apr 15 21:39:41 localhost systemd[1]: shadowsocks-libev.service: main process exited, code=exited, status=255/n/a
Apr 15 21:39:41 localhost ss-server[612]: 2018-04-15 21:39:41 ERROR: plugin service exit unexpectedly
Apr 15 21:39:41 localhost ss-server[612]: 2018-04-15 21:39:41 INFO: plugin "/usr/bin/obfs-server" enabled
Apr 15 21:39:41 localhost ss-server[612]: 2018-04-15 21:39:41 INFO: UDP relay enabled
Apr 15 21:39:41 localhost ss-server[612]: 2018-04-15 21:39:41 INFO: initializing ciphers... chacha20-ietf-poly1305
Apr 15 21:39:41 localhost ss-server[612]: 2018-04-15 21:39:41 INFO: tcp server listening at 127.0.0.1:34822
Apr 15 21:39:41 localhost ss-server[612]: 2018-04-15 21:39:41 INFO: udp server listening at 0.0.0.0:443
Apr 15 21:39:41 localhost systemd[1]: Unit shadowsocks-libev.service entered failed state.

Problem

Shadowsocks is configured to use port 443. Ports below 1024 are privileged ports, and ordinary users generally do not have permission to bind to them.

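Solution

Authorize the ordinary user to open the privileged port. authbind is one tool for this; the command below instead uses setcap to grant the CAP_NET_BIND_SERVICE capability to the obfs-server binary.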

# setcap cap_net_bind_service+ep /usr/bin/obfs-server
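
To confirm the fix took effect, the following added example (not part of the original post) decodes the CapEff mask that the kernel reports in /proc/<pid>/status and decides whether a bind() to a given port would be permitted. The function names are hypothetical, and the masks used to exercise it are constructed values; the `--live` branch assumes `getcap` and `pidof` are installed.

```shell
#!/bin/sh
# Added example. CAP_NET_BIND_SERVICE is capability number 10, so it is
# bit 10 (0x400) of the CapEff hex mask in /proc/<pid>/status.
CAP_NET_BIND_SERVICE_BIT=10

# has_net_bind_service HEXMASK -> exit status 0 if bit 10 is set.
has_net_bind_service() {
    mask=$(( 0x$1 ))
    [ $(( (mask >> CAP_NET_BIND_SERVICE_BIT) & 1 )) -eq 1 ]
}

# can_bind PORT HEXMASK UNPRIV_START -> prints "allowed" or "denied".
# Without the capability, bind() succeeds only when PORT >= UNPRIV_START
# (sysctl net.ipv4.ip_unprivileged_port_start, 1024 by default).
can_bind() {
    if [ "$1" -ge "$3" ] || has_net_bind_service "$2"; then
        echo allowed
    else
        echo denied
    fi
}

# capeff_of PID -> prints the effective capability mask of a process.
capeff_of() {
    awk '$1 == "CapEff:" { print $2 }' "/proc/$1/status"
}

# Live check on the host from the post: run as "sh check.sh --live".
if [ "${1:-}" = "--live" ]; then
    getcap /usr/bin/obfs-server          # expect cap_net_bind_service
    start=$(cat /proc/sys/net/ipv4/ip_unprivileged_port_start)
    pid=$(pidof obfs-server | awk '{ print $1 }')
    if [ -n "$pid" ]; then
        echo "obfs-server pid $pid, port 443: $(can_bind 443 "$(capeff_of "$pid")" "$start")"
    else
        echo "obfs-server is not running"
    fi
fi
```

File capabilities are stored in an extended attribute of the binary, so a package upgrade that replaces /usr/bin/obfs-server drops them and the setcap command has to be run again.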

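Postscript

authbind is an open-source system tool written by Ian Jackson, a free-software author and Debian developer. It allows ordinary users to access privileged network services on ports below 1024, and it works by setting the LD_PRELOAD environment variable so that the libauthbind library is loaded.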
