From 8d462544d036ef2ada156a1eaab97d857ea0e656 Mon Sep 17 00:00:00 2001
From: outlook84 <96007761+outlook84@users.noreply.github.com>
Date: Sun, 17 Aug 2025 19:45:27 +0800
Subject: [PATCH] feat(install): Add CAP_DAC_READ_SEARCH capability for root user
When the service is configured to run as the root user (UID 0), the `CAP_DAC_READ_SEARCH` capability is now added to the `CapabilityBoundingSet` and `AmbientCapabilities`. This ensures that Xray has the necessary read permissions to avoid breaking change when running as root.
---
 install-release.sh | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/install-release.sh b/install-release.sh
index d4c34ab..b94665c 100755
--- a/install-release.sh
+++ b/install-release.sh
@@ -527,6 +527,12 @@ install_xray() {
 install_startup_service_file() {
 mkdir -p '/etc/systemd/system/xray.service.d'
 mkdir -p '/etc/systemd/system/xray@.service.d/'
+ local temp_CapabilityBoundingSet="CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE"
+ local temp_AmbientCapabilities="AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE"
+ if [[ "$INSTALL_USER_UID" -eq '0' ]]; then
+ temp_CapabilityBoundingSet="CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH"
+ temp_AmbientCapabilities="AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_DAC_READ_SEARCH"
+ fi
 cat >/etc/systemd/system/xray.service <