From: Tomas Krizek
Date: Wed, 27 Nov 2019 11:55:06 +0000 (+0100)
Subject: systemd/nosocket: use capabilities
X-Git-Tag: v4.3.0~3^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7de6568ec2f00dd3591110521b9fce5b23225fa8;p=thirdparty%2Fknot-resolver.git
systemd/nosocket: use capabilities
---
diff --git a/etc/config/meson.build b/etc/config/meson.build
index 918835a3f..7e5723d73 100644
--- a/etc/config/meson.build
+++ b/etc/config/meson.build
@@ -16,10 +16,7 @@ net.listen('::1', 853, { kind = 'tls' })
 -- net.listen('127.0.0.1', 44353, { kind = 'doh' })
 -- net.listen('::1', 44353, { kind = 'doh' })
 -- net.listen('127.0.0.1', 8453, { kind = 'webmgmt' })
--- net.listen('::1', 8453, { kind = 'webmgmt' })
-
--- Drop root privileges
-user('@0@', '@1@')'''.format(user, group)
+-- net.listen('::1', 8453, { kind = 'webmgmt' })'''
 endif
diff --git a/systemd/nosocket/kresd@.service.in b/systemd/nosocket/kresd@.service.in
index 03ea340c3..e0efcfca4 100644
--- a/systemd/nosocket/kresd@.service.in
+++ b/systemd/nosocket/kresd@.service.in
@@ -11,6 +11,10 @@ After=network-online.target
 Type=notify
 WorkingDirectory=@systemd_work_dir@
 ExecStart=@sbin_dir@/kresd --config=@etc_dir@/kresd.conf --forks=1
+User=@user@
+Group=@group@
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETPCAP
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP
 TimeoutStopSec=10s
 WatchdogSec=10s
 Restart=on-abnormal
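Review bot: With the `user('@0@', '@1@')` call removed from the generated kresd.conf, that config no longer drops root on its own; privilege dropping now rests entirely on the unit file's User=/Group= lines in the other hunk, so the same kresd.conf started any other way (for example by hand while debugging) keeps running as root. Worth a one-line note in the generated string where the `-- Drop root privileges` block used to be, e.g. `-- Privileges are dropped by the systemd unit (User=/Group=), not by this config`, so the next reader does not re-add the call or assume it is still there. The enclosing meson conditional starts before the hunk; the `user`/`group` meson variables may now be unused in this file if nothing else references them, which is worth a quick check.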
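Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP` grants CAP_SETPCAP to the now-unprivileged kresd process without saying why; CAP_SETPCAP lets a process adjust its own capability sets and drop bounding-set entries, so a reader cannot tell from the unit whether kresd needs it to shed capabilities after binding or whether it was carried along with CAP_NET_BIND_SERVICE. A comment above the two capability lines would settle it, e.g. `# CAP_SETPCAP is needed so kresd can drop its own capabilities after startup` if that is the reason, or the capability dropped from both sets if it is not. If NoNewPrivileges= is not already set elsewhere in this unit (only a few lines of it are in the hunk), it fits naturally next to these lines: ambient capabilities are retained across execve even under no_new_privs, so the two settings are compatible.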