systemd/nosocket: use capabilities

author Tomas Krizek <tomas.krizek@nic.cz>

Wed, 27 Nov 2019 11:55:06 +0000 (12:55 +0100)

committer Tomas Krizek <tomas.krizek@nic.cz>

Tue, 3 Dec 2019 11:13:12 +0000 (12:13 +0100)
author Tomas Krizek <tomas.krizek@nic.cz>
Wed, 27 Nov 2019 11:55:06 +0000 (12:55 +0100)
committer Tomas Krizek <tomas.krizek@nic.cz>
Tue, 3 Dec 2019 11:13:12 +0000 (12:13 +0100)
diff --git a/etc/config/meson.build b/etc/config/meson.build

index 918835a3f0303646c82fd6a4097787db3a35e96c..7e5723d7367b406e8c34ce82a2b1c72c2ba2e4b7 100644 (file)
--- a/etc/config/meson.build
+++ b/etc/config/meson.build
@@ -16,10 +16,7 @@ net.listen('::1', 853, { kind = 'tls' })
  -- net.listen('127.0.0.1', 44353, { kind = 'doh' })
  -- net.listen('::1', 44353, { kind = 'doh' })
  -- net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
--- net.listen('::1', 8453, { kind = 'webmgmt' })
-
--- Drop root privileges
-user('@0@', '@1@')'''.format(user, group)
+-- net.listen('::1', 8453, { kind = 'webmgmt' })'''
  endif
  
  
diff --git a/systemd/nosocket/kresd@.service.in b/systemd/nosocket/kresd@.service.in

index 03ea340c39e07a46dd526a34d5f75a39bbfc0063..e0efcfca44ad8c7ad5a3cbcc169d18a0878e9722 100644 (file)
--- a/systemd/nosocket/kresd@.service.in
+++ b/systemd/nosocket/kresd@.service.in
@@ -11,6 +11,10 @@ After=network-online.target
  Type=notify
  WorkingDirectory=@systemd_work_dir@
  ExecStart=@sbin_dir@/kresd --config=@etc_dir@/kresd.conf --forks=1
+User=@user@
+Group=@group@
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETPCAP
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP
  TimeoutStopSec=10s
  WatchdogSec=10s
  Restart=on-abnormal
author	Tomas Krizek <tomas.krizek@nic.cz>
	Wed, 27 Nov 2019 11:55:06 +0000 (12:55 +0100)
committer	Tomas Krizek <tomas.krizek@nic.cz>
	Tue, 3 Dec 2019 11:13:12 +0000 (12:13 +0100)
etc/config/meson.build		patch \| blob \| blame \| history
systemd/nosocket/kresd@.service.in		patch \| blob \| blame \| history