From 161972574eebe53d8b210e8ab948fb4647a6398f Mon Sep 17 00:00:00 2001
From: Jameson Graef Rollins <jameson.rollins@ligo.org>
Date: Wed, 22 Apr 2020 13:31:18 -0700
Subject: [PATCH] allow awgtpman to run as unprivileged user

The awgtpman process is run as root only because it wants to bind to a
privileged port.  This is not necessary as capabilities exist to allow
running it as a unprivileged user:

* remove an unnecessary check in the awgtpman binary on the superuser
  status of the user

* set CAP_NET_BIND_SERVICE in the systemd service to allow it to bind
  to privileged port

This should allow the service to run as a non-privileged user, which we
set here to be advligorts.

closes #93
---
 src/gds/awgtpman.c                    | 7 +------
 support/systemd/rts-awgtpman@.service | 2 ++
 2 files changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/gds/awgtpman.c b/src/gds/awgtpman.c
index ce123f306..fb31fc899 100644
--- a/src/gds/awgtpman.c
+++ b/src/gds/awgtpman.c
@@ -175,12 +175,7 @@ CDS_HARDWARE cdsPciModules;
       initReflectiveMemory();
 #endif
       if (run_awg) {
-        if (geteuid() != 0) {
-	  printf ("Must be a superuser to run awgtpman\n");
-	  return 1;
-        } else {
-	  nice(-20);
-        }
+        nice(-20);
       }
 /*
                                 if ($::site =~ /^M/) {
diff --git a/support/systemd/rts-awgtpman@.service b/support/systemd/rts-awgtpman@.service
index a6b3be20d..6c0b26967 100644
--- a/support/systemd/rts-awgtpman@.service
+++ b/support/systemd/rts-awgtpman@.service
@@ -5,5 +5,7 @@ Wants=rts-module@%i.service
 PartOf=rts@%i.target
 
 [Service]
+User=advligorts
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 ExecStart=/usr/bin/rts_awgtpman_exec %i
 Restart=always
-- 
GitLab