if HAVE_SYSTEMD
pdns-recursor.service: pdns-recursor.service.in
- $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' < $< > $@
+ $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' -e 's![@]service_user[@]!$(service_user)!' -e 's![@]service_group[@]!$(service_group)!' < $< > $@
if !HAVE_SYSTEMD_LOCK_PERSONALITY
$(AM_V_GEN)perl -ni -e 'print unless /^LockPersonality/' $@
endif
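Review bot: Nothing in this recipe stops an empty `$(service_user)` or `$(service_group)` from being substituted into the unit, and systemd treats an empty `User=` as unset, so the daemon would start as root with only the reduced capability set. The macro that sets these values is not shown on this page (only the symlink to it), so it may already reject empty or `no` values. If it does not, a guard line ahead of the sed such as `@test -n "$(service_user)" && test -n "$(service_group)"` would fail the build instead of producing that unit. The expressions also use `!` as the sed delimiter, so a value containing `!` or `&` would be mangled; a one-line comment stating that assumption would help.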
AX_AVAILABLE_SYSTEMD
AX_CHECK_SYSTEMD_FEATURES
AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ])
+PDNS_WITH_SERVICE_USER([pdns-recursor])
PDNS_CHECK_VIRTUALENV
AC_SUBST(LIBS)
--- /dev/null
+../../../m4/pdns_with_service_user.m4
\ No newline at end of file
[Service]
ExecStart=@sbindir@/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no
+User=@service_user@
+Group=@service_group@
Type=notify
Restart=on-failure
StartLimitInterval=0
LimitNOFILE=16384
# Sandboxing
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
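Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN` gives the now-unprivileged process CAP_CHOWN for its whole lifetime, and that capability lets it take ownership of any file it can reach, which undoes much of what `User=@service_user@` gains. If the only need is a writable socket or runtime directory (an assumption, since the hunk does not show why it is kept), having systemd create it with `RuntimeDirectory=` would let both lines list `CAP_NET_BIND_SERVICE` alone. Separately, with CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT removed from the bounding set, an existing configuration that still asks the daemon to switch user or chroot will presumably fail at startup. A comment above `User=` such as `# Privileges are dropped by systemd; do not also set setuid/setgid/chroot in the recursor configuration` would make that visible. The unit continues past the end of this hunk, so any filesystem-protection directives that narrow the CAP_CHOWN exposure are not visible here.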