From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Tue, 28 Jan 2020 17:47:21 +0000 (+0100)
Subject: unbound.service.in: don't write pidfile at start
X-Git-Tag: release-1.10.0rc1~31^2~2^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F151%2Fhead;p=thirdparty%2Funbound.git

unbound.service.in: don't write pidfile at start

Pidfiles aren't needed while running unbound through systemd. The PID of the unbound daemon can still be obtained with: 'systemctl show --property MainPID --value unbound'.

While disabling pidfiles we can also drop CAP_CHOWN and writable /run directory.
---
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index ec6b3ba28..8c51bcbbe 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -51,10 +51,10 @@ WantedBy=multi-user.target
 
 [Service]
 ExecReload=+/bin/kill -HUP $MAINPID
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
@@ -75,11 +75,6 @@ LockPersonality=yes
 RestrictSUIDSGID=yes
 ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
 
-# Below is needed when pidfile is stored directly under /run like /run/unbound.pid.
-# If pidfile is stored under subdirectory like /run/unbound/unbound.pid instead
-# then it may be safely removed.
-ReadWritePaths=/run
-
 # Below rules are needed when chroot is enabled (usually it's enabled by default).
 # If chroot is disabled like chrooot: "" then they may be safely removed.
 TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
index a77df49fa..998b66dec 100644
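Review bot: The new `-p` on the ExecStart line is left unexplained in the unit even though the rest of the file now depends on it: with CAP_CHOWN dropped from CapabilityBoundingSet in this hunk and `ReadWritePaths=/run` removed in the next one, a `pidfile:` setting in unbound.conf would presumably no longer be writable under this sandbox, so anyone who later removes `-p`, or runs a binary that does not accept the flag, gets a start failure instead of a pidfile. A comment above ExecStart would record the dependency, e.g. `# -p: no pidfile; systemd tracks the daemon via Type=notify/MainPID, so CAP_CHOWN and write access to /run are not needed.` Whether `-p` takes precedence over a `pidfile:` directive in the configuration file is not visible here and is worth confirming before relying on it. The identical hunk in contrib/unbound_portable.service.in would carry the same comment.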
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@@ -4,13 +4,11 @@
 ; To use this unit file, please make sure you either compile unbound with the
 ; following options:
 ;
-; - --with-pidfile=/run/unbound/unbound.pid
 ; - --with-chroot-dir=""
 ;
 ; Or put the following options in your unbound configuration file:
 ;
 ; - chroot: ""
-; - pidfile: /run/unbound/unbound.pid
 ;
 ;
 [Unit]
@@ -25,10 +23,10 @@ WantedBy=multi-user.target
 
 [Service]
 ExecReload=+/bin/kill -HUP $MAINPID
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true