From: Pieter Lexis <pieter.lexis@powerdns.com>
Date: Thu, 6 Jun 2019 10:32:30 +0000 (+0200)
Subject: rec: create service file with User/Group
X-Git-Tag: dnsdist-1.4.0-rc1~110^2~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e6d27b7bb5bb1bee492b741d885d5d7a4fe856e;p=thirdparty%2Fpdns.git

rec: create service file with User/Group
---

diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am
index 12d93f680f..7e31711f4b 100644
--- a/pdns/recursordist/Makefile.am
+++ b/pdns/recursordist/Makefile.am
@@ -493,7 +493,7 @@ endif
 
 if HAVE_SYSTEMD
 pdns-recursor.service: pdns-recursor.service.in
-	$(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' < $< > $@
+	$(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' -e 's![@]service_user[@]!$(service_user)!' -e 's![@]service_group[@]!$(service_group)!' < $< > $@
 if !HAVE_SYSTEMD_LOCK_PERSONALITY
 	$(AM_V_GEN)perl -ni -e 'print unless /^LockPersonality/' $@
 endif
diff --git a/pdns/recursordist/configure.ac b/pdns/recursordist/configure.ac
index 3d2b20f555..7cc54f1de7 100644
--- a/pdns/recursordist/configure.ac
+++ b/pdns/recursordist/configure.ac
@@ -173,6 +173,7 @@ PDNS_ENABLE_VALGRIND
 AX_AVAILABLE_SYSTEMD
 AX_CHECK_SYSTEMD_FEATURES
 AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ])
+PDNS_WITH_SERVICE_USER([pdns-recursor])
 PDNS_CHECK_VIRTUALENV
 
 AC_SUBST(LIBS)
diff --git a/pdns/recursordist/m4/pdns_with_service_user.m4 b/pdns/recursordist/m4/pdns_with_service_user.m4
new file mode 120000
index 0000000000..bc72a6e129
--- /dev/null
+++ b/pdns/recursordist/m4/pdns_with_service_user.m4
@@ -0,0 +1 @@
+../../../m4/pdns_with_service_user.m4
\ No newline at end of file
diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in
index 357af43290..ce9472c767 100644
--- a/pdns/recursordist/pdns-recursor.service.in
+++ b/pdns/recursordist/pdns-recursor.service.in
@@ -8,6 +8,8 @@ After=network-online.target
 
 [Service]
 ExecStart=@sbindir@/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no
+User=@service_user@
+Group=@service_group@
 Type=notify
 Restart=on-failure
 StartLimitInterval=0
@@ -16,7 +18,8 @@ StartLimitInterval=0
 LimitNOFILE=16384
 
 # Sandboxing
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
 LockPersonality=true
 NoNewPrivileges=true
 PrivateDevices=true