From: Pieter Lexis Date: Mon, 13 May 2019 15:43:20 +0000 (+0200) Subject: dnsdist: create service file with User/Group X-Git-Tag: auth-4.3.0-beta2~34^2~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f40f664db0c28c0bd1ecab00362780712ceaa6d6;p=thirdparty%2Fpdns.git dnsdist: create service file with User/Group Remove the setuid/setgid capabilities _and_ add CAP_NET_BIND_SERVICE to the AmbientCapabilities.
---
diff --git a/pdns/dnsdistdist/Makefile.am b/pdns/dnsdistdist/Makefile.am
index 2112afa53e..36177aabbe 100644
--- a/pdns/dnsdistdist/Makefile.am
+++ b/pdns/dnsdistdist/Makefile.am
@@ -364,7 +364,7 @@ endif
 if HAVE_SYSTEMD
 dnsdist.service: dnsdist.service.in
- $(AM_V_GEN)sed -e 's![@]bindir[@]!$(bindir)!' < $< > $@
+ $(AM_V_GEN)sed -e 's![@]bindir[@]!$(bindir)!' -e 's![@]service_user[@]!$(service_user)!' -e 's![@]service_group[@]!$(service_group)!' < $< > $@
 if !HAVE_SYSTEMD_LOCK_PERSONALITY
 $(AM_V_GEN)perl -ni -e 'print unless /^LockPersonality/' $@
 endif
diff --git a/pdns/dnsdistdist/configure.ac b/pdns/dnsdistdist/configure.ac
index 83563abada..4daf7291f9 100644
--- a/pdns/dnsdistdist/configure.ac
+++ b/pdns/dnsdistdist/configure.ac
@@ -47,6 +47,7 @@ PDNS_WITH_LIBCAP
 AX_AVAILABLE_SYSTEMD
 AX_CHECK_SYSTEMD_FEATURES
 AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ])
+PDNS_WITH_SERVICE_USER([dnsdist])
 AC_SUBST([YAHTTP_CFLAGS], ['-I$(top_srcdir)/ext/yahttp'])
 AC_SUBST([YAHTTP_LIBS], ['$(top_builddir)/ext/yahttp/yahttp/libyahttp.la'])
diff --git a/pdns/dnsdistdist/dnsdist.service.in b/pdns/dnsdistdist/dnsdist.service.in
index 094ffe3ed4..3ad5e9c40a 100644
--- a/pdns/dnsdistdist/dnsdist.service.in
+++ b/pdns/dnsdistdist/dnsdist.service.in
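Review bot: In the `dnsdist.service` recipe of Makefile.am, the two new `sed` expressions paste `$(service_user)` and `$(service_group)` into the unit without checking that they are non-empty or free of the `!` delimiter. An empty value would produce bare `User=`/`Group=` lines, which systemd (as far as I know) treats as unset, so the daemon would run as root while the bounding set no longer carries CAP_SETUID/CAP_SETGID for a later privilege drop. Whether PDNS_WITH_SERVICE_USER already rejects such values is not visible in this diff; if it does not, a first recipe line such as `@test -n '$(service_user)' && test -n '$(service_group)'` would fail the build instead of shipping that unit. Separately, the rule's only prerequisite is `dnsdist.service.in`, so re-running configure with a different account will not regenerate an existing `dnsdist.service`; adding `Makefile` as a prerequisite would close that gap. The `if HAVE_SYSTEMD` block continues past the end of the hunk.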
@@ -9,6 +9,8 @@ After=network-online.target
 ExecStartPre=@bindir@/dnsdist --check-config
 # Note: when editing the ExecStart command, keep --supervised and --disable-syslog
 ExecStart=@bindir@/dnsdist --supervised --disable-syslog
+User=@service_user@
+Group=@service_group@
 Type=notify
 Restart=on-failure
 RestartSec=2
@@ -20,7 +22,8 @@ LimitNOFILE=16384
 TasksMax=8192
 # Sandboxing
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 LockPersonality=true
 NoNewPrivileges=true
 PrivateDevices=true
diff --git a/pdns/dnsdistdist/m4/pdns_with_service_user.m4 b/pdns/dnsdistdist/m4/pdns_with_service_user.m4
new file mode 120000
index 0000000000..bc72a6e129
--- /dev/null
+++ b/pdns/dnsdistdist/m4/pdns_with_service_user.m4
@@ -0,0 +1 @@
+../../../m4/pdns_with_service_user.m4
\ No newline at end of file
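Review bot: In the first hunk of dnsdist.service.in, the new `User=@service_user@` and `Group=@service_group@` lines also apply to `ExecStartPre=@bindir@/dnsdist --check-config`, so the configuration check now runs unprivileged. The configuration file and any key or certificate material it references must therefore be readable by that account, and the account has to exist before the unit is started. Installations where those files are readable by root only would fail at the check step after upgrading. A comment above the two lines would warn packagers, for example `# Runs unprivileged: the config file and any TLS keys must be readable by this user/group`.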
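Review bot: In the second hunk of dnsdist.service.in, `AmbientCapabilities=CAP_NET_BIND_SERVICE` is now the only thing that lets the non-root process bind ports below 1024, and that directive is only understood by systemd 229 and later on a kernel with ambient-capability support. On an older systemd the line is ignored with a warning, leaving a unit that installs cleanly but cannot listen. Makefile.am in this same commit already strips `LockPersonality` when `HAVE_SYSTEMD_LOCK_PERSONALITY` is false; a matching feature check for ambient capabilities, or a documented minimum systemd version, would cover this case. Dropping CAP_SETGID and CAP_SETUID from `CapabilityBoundingSet` also means a privilege drop still configured inside dnsdist to a different account can no longer succeed, which deserves an upgrade note.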