AX_AVAILABLE_SYSTEMD
AX_CHECK_SYSTEMD_FEATURES
AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ])
+ PDNS_WITH_SERVICE_USER([pdns])
LDFLAGS="$RELRO_LDFLAGS $LDFLAGS"
if HAVE_SYSTEMD
pdns.service: pdns.service.in
- $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' < $< > $@
+ $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' -e 's![@]service_user[@]!$(service_user)!' -e 's![@]service_group[@]!$(service_group)!' < $< > $@
if !HAVE_SYSTEMD_LOCK_PERSONALITY
$(AM_V_GEN)perl -ni -e 'print unless /^LockPersonality/' $@
endif
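Review bot: The two new `-e` expressions on the `sed` line paste `$(service_user)` and `$(service_group)` into the unit unchecked, so an empty value would generate `User=` and `Group=` with nothing after them. As far as I know systemd treats an empty `User=` as unset, so the service would start as root while the unit still appears to name a dedicated account. `PDNS_WITH_SERVICE_USER` is defined outside this page, so if it does not already reject an empty name I would add a guard before the `sed`, for example `@test -n "$(service_user)" && test -n "$(service_group)"`. A name containing `!`, `&` or `\` would also corrupt the substitution, which is worth validating at configure time. The enclosing `if HAVE_SYSTEMD` closes outside this hunk.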
[Service]
ExecStart=@sbindir@/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
+User=@service_user@
+Group=@service_group@
Type=notify
Restart=on-failure
RestartSec=1
StartLimitInterval=0
# Sandboxing
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
LockPersonality=true
ProtectControlGroups=true
ProtectHome=true
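Review bot: The new `AmbientCapabilities=` line gives the unprivileged service user `CAP_CHOWN` for the whole lifetime of the daemon, so a compromise of pdns_server could change ownership of any file the sandbox leaves reachable. If the capability is only needed to fix ownership of the runtime directory or control socket (not visible here), letting systemd create it with `RuntimeDirectory=` would allow `CAP_CHOWN` to be dropped from both `CapabilityBoundingSet=` and `AmbientCapabilities=`, leaving only `CAP_NET_BIND_SERVICE`. Separately, removing `CAP_SETUID`, `CAP_SETGID` and `CAP_SYS_CHROOT` means existing configurations that still ask the daemon to switch user or chroot itself will presumably fail at startup, so the change deserves an upgrade note. The unit file continues outside this hunk.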