From 9aa4b5a7a61f3fc03d49e904cca6d31523e8b073 Mon Sep 17 00:00:00 2001
From: Maryse47 <41080948+Maryse47@users.noreply.github.com>
Date: Tue, 28 Jan 2020 18:47:21 +0100
Subject: [PATCH] unbound.service.in: don't write pidfile at start
Pidfiles aren't needed while running unbound through systemd. The PID of the unbound daemon can still be obtained with: 'systemctl show --property MainPID --value unbound'. While disabling pidfiles we can also drop CAP_CHOWN and writable /run directory.
---
 contrib/unbound.service.in | 9 ++-------
 contrib/unbound_portable.service.in | 6 ++----
 2 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index ec6b3ba28..8c51bcbbe 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -51,10 +51,10 @@ WantedBy=multi-user.target
 [Service]
 ExecReload=+/bin/kill -HUP $MAINPID
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
@@ -75,11 +75,6 @@ LockPersonality=yes
 RestrictSUIDSGID=yes
 ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@
-# Below is needed when pidfile is stored directly under /run like /run/unbound.pid.
-# If pidfile is stored under subdirectory like /run/unbound/unbound.pid instead
-# then it may be safely removed.
-ReadWritePaths=/run
-
 # Below rules are needed when chroot is enabled (usually it's enabled by default).
 # If chroot is disabled like chrooot: "" then they may be safely removed.
 TemporaryFileSystem=@UNBOUND_CHROOT_DIR@/dev:ro
diff --git a/contrib/unbound_portable.service.in b/contrib/unbound_portable.service.in
index a77df49fa..998b66dec 100644
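Review bot: Dropping `CAP_CHOWN` from `CapabilityBoundingSet=` in this hunk (and in the matching `[Service]` hunk of contrib/unbound_portable.service.in) is safe only if the pidfile was the one thing the daemon chowns before it drops privileges, and nothing visible in the hunk establishes that. If another startup path still calls chown (a control socket on a filesystem path would be the obvious candidate, though that is an inference from here), the call would now fail with EPERM, so it is worth checking the daemon's remaining chown calls or testing such a configuration before merging. I would also record the link between the flag and the tightened sandbox above `ExecStart=`, for example `# -p: no pidfile; systemd tracks the main PID itself, so CAP_CHOWN and a writable /run are not needed`. The `[Service]` section continues outside the hunk.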
--- a/contrib/unbound_portable.service.in
+++ b/contrib/unbound_portable.service.in
@@ -4,13 +4,11 @@
 ; To use this unit file, please make sure you either compile unbound with the
 ; following options:
 ;
-; - --with-pidfile=/run/unbound/unbound.pid
 ; - --with-chroot-dir=""
 ;
 ; Or put the following options in your unbound configuration file:
 ;
 ; - chroot: ""
-; - pidfile: /run/unbound/unbound.pid
 ;
 ;
 [Unit]
@@ -25,10 +23,10 @@ WantedBy=multi-user.target
 [Service]
 ExecReload=+/bin/kill -HUP $MAINPID
-ExecStart=@UNBOUND_SBIN_DIR@/unbound -d
+ExecStart=@UNBOUND_SBIN_DIR@/unbound -d -p
 NotifyAccess=main
 Type=notify
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW CAP_CHOWN
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
--
2.47.2