adduser --force-badname --system --home /nonexistent --group \
--no-create-home --quiet _dnsdist || true
+
+ if [ "`stat -c '%U:%G' /etc/powerdns/dnsdist.conf`" = "root:root" ]; then
+ chown root:_dnsdist /etc/powerdns/dnsdist.conf
+ # Make sure that dnsdist can read it; the default used to be 0600
+ chmod g+r /etc/powerdns/dnsdist.conf
+ fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
--with-ebpf \
--with-lua=luajit \
--with-protobuf \
+ --with-service-user='_dnsdist' \
+ --with-service-group='_dnsdist' \
$(CONFIGURE_ARGS)
override_dh_auto_build-arch:
override_dh_install:
dh_auto_install
- echo Patching uid and git into debian/dnsdist/lib/systemd/system/*.service
- perl -pi -e 's/(^ExecStart=.*)/$$1 -u _dnsdist -g _dnsdist/' debian/dnsdist/lib/systemd/system/*.service
ifeq ($(DEB_HOST_ARCH_BITS),32)
echo RestrictAddressFamilies is broken on 32bit, removing it from service file
perl -ni -e 'print unless /RestrictAddressFamilies/' debian/dnsdist/lib/systemd/system/*.service
override_dh_installinit:
# do nothing here. avoids referencing a non-existant init script.
+override_dh_fixperms:
+ dh_fixperms
+ # these files often contain passwords. 640 as it is chowned to root:_dnsdist
+ chmod 0640 debian/dnsdist/etc/dnsdist/dnsdist.conf
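Review bot: The path hardened in the new `override_dh_fixperms` target, `debian/dnsdist/etc/dnsdist/dnsdist.conf`, does not match the path the postinst later chowns and relaxes, `/etc/powerdns/dnsdist.conf` (L34–L37); the two hunks must agree or the installed file ends up either 0640 root:root and unreadable by the `_dnsdist` service, or left untouched by the build-time chmod. Please confirm which directory the configured `--sysconfdir` actually installs to and align the other; the same target is repeated at L59–L62 and L89–L92. The recipe comment `# these files often contain passwords. 640 as it is chowned to root:_dnsdist` should say where the chown happens, e.g. `# 0640: may contain secrets; postinst chowns it to root:_dnsdist so the service group can read it`, since the chown is not done in this file.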
adduser --force-badname --system --home /nonexistent --group \
--no-create-home --quiet _dnsdist || true
+
+ if [ "`stat -c '%U:%G' /etc/powerdns/dnsdist.conf`" = "root:root" ]; then
+ chown root:_dnsdist /etc/powerdns/dnsdist.conf
+ # Make sure that dnsdist can read it; the default used to be 0600
+ chmod g+r /etc/powerdns/dnsdist.conf
+ fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
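Review bot: The `stat -c '%U:%G' /etc/powerdns/dnsdist.conf` test on the new `if` line runs unguarded, so on a system where the administrator has removed the conffile it prints a stat error to stderr and the comparison silently evaluates to false; a cheap guard is `if [ -e /etc/powerdns/dnsdist.conf ] && [ "`stat -c '%U:%G' /etc/powerdns/dnsdist.conf`" = "root:root" ]; then`. The same block appears identically at L1–L8 and L63–L70, so the guard belongs in all three copies. Note also that the new `chown root:_dnsdist` only runs when the file is still root:root, so a config that was previously relaxed to 0644 by hand keeps its world-readable mode and is not tightened by this migration — worth a sentence in the changelog if that is intended. The enclosing `configure)` case arm starts outside the hunk.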
--with-ebpf \
--with-lua=luajit \
--with-protobuf \
+ --with-service-user='_dnsdist' \
+ --with-service-group='_dnsdist' \
$(CONFIGURE_ARGS)
override_dh_auto_build-arch:
override_dh_install:
dh_install
- echo Patching uid and git into debian/dnsdist/lib/systemd/system/*.service
- perl -pi -e 's/(^ExecStart=.*)/$$1 -u _dnsdist -g _dnsdist/' debian/dnsdist/lib/systemd/system/*.service
ifeq ($(DEB_HOST_ARCH_BITS),32)
echo RestrictAddressFamilies is broken on 32bit, removing it from service file
perl -ni -e 'print unless /RestrictAddressFamilies/' debian/dnsdist/lib/systemd/system/*.service
override_dh_installinit:
dh_installinit
dh_systemd_start -pdnsdist --restart-after-upgrade dnsdist.service
+
+override_dh_fixperms:
+ dh_fixperms
+ # these files often contain passwords. 640 as it is chowned to root:_dnsdist
+ chmod 0640 debian/dnsdist/etc/dnsdist/dnsdist.conf
adduser --force-badname --system --home /nonexistent --group \
--no-create-home --quiet _dnsdist || true
+
+ if [ "`stat -c '%U:%G' /etc/powerdns/dnsdist.conf`" = "root:root" ]; then
+ chown root:_dnsdist /etc/powerdns/dnsdist.conf
+ # Make sure that dnsdist can read it; the default used to be 0600
+ chmod g+r /etc/powerdns/dnsdist.conf
+ fi
;;
abort-upgrade|abort-remove|abort-deconfigure)
--with-ebpf \
--with-lua=luajit \
--with-protobuf \
+ --with-service-user='_dnsdist' \
+ --with-service-group='_dnsdist' \
$(CONFIGURE_ARGS)
override_dh_auto_build-arch:
override_dh_install:
dh_auto_install
- echo Patching uid and git into debian/dnsdist/lib/systemd/system/*.service
- perl -pi -e 's/(^ExecStart=.*)/$$1 -u _dnsdist -g _dnsdist/' debian/dnsdist/lib/systemd/system/*.service
ifeq ($(DEB_HOST_ARCH_BITS),32)
echo RestrictAddressFamilies is broken on 32bit, removing it from service file
perl -ni -e 'print unless /RestrictAddressFamilies/' debian/dnsdist/lib/systemd/system/*.service
override_dh_installinit:
# do nothing here. avoids referencing a non-existant init script.
+override_dh_fixperms:
+ dh_fixperms
+ # these files often contain passwords. 640 as it is chowned to root:_dnsdist
+ chmod 0640 debian/dnsdist/etc/dnsdist/dnsdist.conf
#include <editline/readline.h>
#endif
+#include "dnsdist-systemd.hh"
#ifdef HAVE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
}
#endif
- uid_t newgid=0;
- gid_t newuid=0;
+ uid_t newgid=getegid();
+ gid_t newuid=geteuid();
if(!g_cmdLine.gid.empty())
newgid = strToGID(g_cmdLine.gid.c_str());
if(!g_cmdLine.uid.empty())
newuid = strToUID(g_cmdLine.uid.c_str());
- dropGroupPrivs(newgid);
- dropUserPrivs(newuid);
+ if (getegid() != newgid) {
+ if (running_in_service_mgr()) {
+ errlog("--gid/-g set on command-line, but dnsdist was started as a systemd service. Use the 'Group' setting in the systemd unit file to set the group to run as");
+ _exit(EXIT_FAILURE);
+ }
+ dropGroupPrivs(newgid);
+ }
+
+ if (geteuid() != newuid) {
+ if (running_in_service_mgr()) {
+ errlog("--uid/-u set on command-line, but dnsdist was started as a systemd service. Use the 'User' setting in the systemd unit file to set the user to run as");
+ _exit(EXIT_FAILURE);
+ }
+ dropUserPrivs(newuid);
+ }
+
try {
/* we might still have capabilities remaining,
for example if we have been started as root
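Review bot: The rewritten declarations keep the swapped types from the old lines — `uid_t newgid=getegid();` and `gid_t newuid=geteuid();` store a gid in a `uid_t` and vice versa — and since these two lines are already being touched they should become `gid_t newgid = getegid();` and `uid_t newuid = geteuid();`. The new guards only reject `-u`/`-g` under systemd when the requested id differs from the effective one, so a unit that sets `User=`/`Group=` to the same account as the command line still starts; that is reasonable but deserves a one-line comment above the first `if`, e.g. `// under systemd the unit's User=/Group= must be used; refuse an explicit -u/-g that would require a setuid/setgid we no longer hold`. The previous behaviour of unconditionally calling `dropGroupPrivs(0)`/`dropUserPrivs(0)` is not visible here, so whether skipping the call when ids already match is a behaviour change for the non-systemd root case should be confirmed. The enclosing function starts and ends outside the hunk.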
dnsdist-rules.hh \
dnsdist-secpoll.cc dnsdist-secpoll.hh \
dnsdist-snmp.cc dnsdist-snmp.hh \
+ dnsdist-systemd.cc dnsdist-systemd.hh \
dnsdist-tcp.cc \
dnsdist-web.cc \
dnsdist-xpf.cc dnsdist-xpf.hh \
if HAVE_SYSTEMD
dnsdist.service: dnsdist.service.in
- $(AM_V_GEN)sed -e 's![@]bindir[@]!$(bindir)!' < $< > $@
+ $(AM_V_GEN)sed -e 's![@]bindir[@]!$(bindir)!' -e 's![@]service_user[@]!$(service_user)!' -e 's![@]service_group[@]!$(service_group)!' < $< > $@
if !HAVE_SYSTEMD_LOCK_PERSONALITY
$(AM_V_GEN)perl -ni -e 'print unless /^LockPersonality/' $@
endif
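Review bot: The extended `sed` in the `dnsdist.service` rule substitutes `$(service_user)` and `$(service_group)` into the unit without checking they are non-empty; if configure is run without `--with-service-user` and the `PDNS_WITH_SERVICE_USER` macro (L147, body not visible here) has no default, the generated unit contains a bare `User=`, which systemd treats as running as root, silently undoing the privilege separation this change introduces. A one-line guard before the sed, `test -n '$(service_user)' && test -n '$(service_group)'`, would make that a build failure instead. The `< $< > $@` redirect also leaves a truncated `$@` behind when sed fails; writing to `$@.tmp` and renaming on success avoids a half-written unit looking up to date.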
AX_AVAILABLE_SYSTEMD
AX_CHECK_SYSTEMD_FEATURES
AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ])
+PDNS_WITH_SERVICE_USER([dnsdist])
dnl the *_r functions are in posix so we can use them unconditionally, but the ext/yahttp code is
dnl using the defines.
--- /dev/null
+/*
+ * This file is part of PowerDNS or dnsdist.
+ * Copyright -- PowerDNS.COM B.V. and its contributors
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * In addition, for the avoidance of any doubt, permission is granted to
+ * link this program with OpenSSL and to (re)distribute the binaries
+ * produced as the result of such linking.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#include "config.h"
+#include "dnsdist-systemd.hh"
+#include <cstdlib>
+
+bool running_in_service_mgr() {
+#ifdef HAVE_SYSTEMD
+ char *c;
+ c = getenv("NOTIFY_SOCKET"); // XXX Ideally we'd check for INVOCATION_ID (systemd.exec(5)), but that was introduced in systemd 232, and Debian Jessie has 215
+ if (c != nullptr) {
+ return true;
+ }
+#endif
+ return false;
+}
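Review bot: `running_in_service_mgr()` is a heuristic on an inherited environment variable rather than a check of the actual parent, and neither this definition nor the declaration in the new header (L210) says so; the header should carry a comment such as `// True when NOTIFY_SOCKET is set (systemd Type=notify passes it); only meaningful in HAVE_SYSTEMD builds, and any parent that exports the variable will make this return true`. As a point of style the body can be a single expression, `return getenv("NOTIFY_SOCKET") != nullptr;` inside the `#ifdef`, and if the local is kept it should be `const char*` since the value is never written.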
--- /dev/null
+/*
+ * This file is part of PowerDNS or dnsdist.
+ * Copyright -- PowerDNS.COM B.V. and its contributors
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * In addition, for the avoidance of any doubt, permission is granted to
+ * link this program with OpenSSL and to (re)distribute the binaries
+ * produced as the result of such linking.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+#pragma once
+
+bool running_in_service_mgr();
ExecStartPre=@bindir@/dnsdist --check-config
# Note: when editing the ExecStart command, keep --supervised and --disable-syslog
ExecStart=@bindir@/dnsdist --supervised --disable-syslog
+User=@service_user@
+Group=@service_group@
Type=notify
Restart=on-failure
RestartSec=2
TasksMax=8192
# Sandboxing
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
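Review bot: Dropping `CAP_SETUID`/`CAP_SETGID` from `CapabilityBoundingSet` together with `NoNewPrivileges=true` means in-process privilege dropping is no longer possible from this unit, and dnsdist now exits if `-u`/`-g` are passed under systemd (L113, L121), but the existing `# Note: when editing the ExecStart command` comment does not mention this; extend it to `# Note: when editing the ExecStart command, keep --supervised and --disable-syslog; do not add -u/-g here, set User=/Group= above instead`. It is also worth a comment next to `User=@service_user@` that `ExecStartPre=... --check-config` runs as this user too, so the configuration file must be readable by the service group (the packaging's 0640 root:_dnsdist arrangement).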
--- /dev/null
+../../../m4/pdns_with_service_user.m4
\ No newline at end of file