From: Pieter Lexis Date: Wed, 6 Jan 2016 15:24:58 +0000 (+0100) Subject: Add notes about ProtectSystem X-Git-Tag: auth-4.0.0-alpha2~45^2~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c50b1f547d98aeed2b0e7caab9c8a7c53c9085f3;p=thirdparty%2Fpdns.git Add notes about ProtectSystem Closes #3111 --- diff --git a/contrib/systemd-pdns.service b/contrib/systemd-pdns.service index d1cbb022ba..0daa776fd1 100644 --- a/contrib/systemd-pdns.service +++ b/contrib/systemd-pdns.service @@ -13,6 +13,8 @@ PrivateTmp=true PrivateDevices=true CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID NoNewPrivileges=true +# ProtectSystem=full will disallow write access to /etc and /usr, possibly +# not being able to write slaved-zones into sqlite3 or zonefiles. ProtectSystem=full ProtectHome=true RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 diff --git a/docs/markdown/authoritative/modes-of-operation.md b/docs/markdown/authoritative/modes-of-operation.md index 976d1e2a7f..9ba708b35f 100644 --- a/docs/markdown/authoritative/modes-of-operation.md +++ b/docs/markdown/authoritative/modes-of-operation.md 
@@ -34,6 +34,7 @@ This is truly an override and sends a notification to an arbitrary IP address. C On launch, PDNS requests from all backends a list of domains which have not been checked recently for changes. This should happen every '**refresh**' seconds, as specified in the SOA record. All domains that are unfresh are then checked for changes over at their master. If the [SOA](../types.md#soa) serial number there is higher, the domain is retrieved and inserted into the database. In any case, after the check the domain is declared 'fresh', and will only be checked again after '**refresh**' seconds have passed. **Warning**: Slave support is OFF by default, turn it on by adding [`slave`](settings.md#slave) to the configuration. +**Note**: When running PowerDNS via the provided systemd service file, [`ProtectSystem`](http://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=) is set to `full`, this means PowerDNS is unable to write to e.g. `/etc` and `/home`, possibly being unable to write AXFR's zones. PDNS also reacts to notifies by immediately checking if the zone has updated and if so, retransfering it.
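Review bot: in the contrib/systemd-pdns.service hunk, the new comment above `ProtectSystem=full` names the failure mode but not the remedy, so an operator whose slaved zones are written to a sqlite3 database or zonefiles under /etc still has to work out how to keep the hardening while allowing that write; consider extending the comment with the expected writable location (a data directory outside /etc and /usr) or the override to use (systemd's `ReadWriteDirectories=` for that directory, or a drop-in that changes `ProtectSystem=`) rather than leaving them to drop the setting entirely. The second comment line also reads awkwardly: "possibly not being able to write slaved-zones into sqlite3 or zonefiles" would be clearer as "which may prevent writing slaved zones to a sqlite3 database or zonefiles stored there".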
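Review bot: the documentation note added in modes-of-operation.md attributes the inability to write to `/home` to `ProtectSystem=full`, but that setting makes `/usr`, `/boot` and `/etc` read-only; the `/home` restriction comes from `ProtectHome=true`, which the unit file in the first hunk also sets. Either list `/etc` and `/usr` here to match the comment added to the service file, or name `ProtectHome=true` explicitly so readers know which directive to adjust. Two wording points: "is set to `full`, this means" is a comma splice (use "which means"), and "AXFR's zones" should be "AXFR'd zones" or "transferred zones".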