From: Pascal Ernster Date: Thu, 26 Sep 2019 08:41:37 +0000 (+0000) Subject: Drop CAP_KILL, use + prefix for ExecReload= instead X-Git-Tag: release-1.9.6rc1~95^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F87%2Fhead;p=thirdparty%2Funbound.git Drop CAP_KILL, use + prefix for ExecReload= instead CAP_KILL seems a bit too much privileges for the sole purpose of being able to make ExecReload= work. Use the + prefix on ExecReload= instead to run "/bin/kill -HUP $MAINPID" with full privileges, ignoring the restrictions from CapabilityBoundingSet=. See https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart= for further details about the + prefix in ExecReload=. --- diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in index 334ab6d17..6eb2d0c3f 100644 --- a/contrib/unbound.service.in +++ b/contrib/unbound.service.in @@ -9,11 +9,11 @@ Wants=nss-lookup.target WantedBy=multi-user.target [Service] -ExecReload=/bin/kill -HUP $MAINPID +ExecReload=+/bin/kill -HUP $MAINPID ExecStart=@UNBOUND_SBIN_DIR@/unbound -d NotifyAccess=main Type=notify -CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_KILL +CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW MemoryDenyWriteExecute=true NoNewPrivileges=true PrivateDevices=true
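Review bot: the commit message understates what the `+` prefix disables: per the linked systemd.service(5) page, a `+`-prefixed command is run with full privileges, so not only `CapabilityBoundingSet=` but also `User=`/`Group=` and the file-system namespacing options (e.g. `PrivateDevices=true` in the visible context) are skipped for that one command line, while the other settings still apply to `ExecStart=`. The trade-off is still the right direction, since the long-lived `unbound -d` main process gives up `CAP_KILL` and only the short-lived `/bin/kill -HUP $MAINPID` helper runs outside the sandbox, but the message (or a comment above `ExecReload=+/bin/kill -HUP $MAINPID`) should state that full scope so a later reader does not assume only the capability set is bypassed. Worth confirming on a system where `unbound` drops to its own user that `systemctl reload unbound` still delivers the HUP after this change, and that a `daemon-reload` picks up the new unit before testing.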