From 56a2924a3360f4a5ecdc60c603f091e8848e23ca Mon Sep 17 00:00:00 2001
From: DL6ER <dl6er@dl6er.de>
Date: Sun, 25 Feb 2018 23:38:34 +0100
Subject: [PATCH] Unprivileged processes are subject to full permission
 checking based on the process's credentials, we have to explicitly allow
 pihole-FTL to bind to ports < 1024 (port 53 for DNS) and for various advanced
 network-related operations (to allow for handling DHCP requests)

Signed-off-by: DL6ER <dl6er@dl6er.de>
---
 advanced/pihole-FTL.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/advanced/pihole-FTL.service b/advanced/pihole-FTL.service
index 5499cbe0..70d0b9d0 100644
--- a/advanced/pihole-FTL.service
+++ b/advanced/pihole-FTL.service
@@ -34,7 +34,7 @@ start() {
     chown pihole:pihole /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port
     chown pihole:pihole /etc/pihole /etc/pihole/dhcp.leases /var/log/pihole.log
     chmod 0644 /var/log/pihole-FTL.log /run/pihole-FTL.pid /run/pihole-FTL.port /var/log/pihole.log
-    setcap CAP_NET_BIND_SERVICE=+eip "$(which pihole-FTL)"
+    setcap CAP_NET_BIND_SERVICE,CAP_NET_ADMIN+eip "$(which pihole-FTL)"
     echo "nameserver 127.0.0.1" | /sbin/resolvconf -a lo.piholeFTL
     su -s /bin/sh -c "/usr/bin/pihole-FTL" "$FTLUSER"
     echo