auth: create service file with User/Group

diff --git a/configure.ac b/configure.ac
index 5efd2c4b1c950bb3047904c6eb3c95261047bb3e..1546caf433f60bce9f4c147e8639ec72efc7c637 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -286,6 +286,7 @@ done
 AX_AVAILABLE_SYSTEMD
 AX_CHECK_SYSTEMD_FEATURES
 AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ])
+ PDNS_WITH_SERVICE_USER([pdns])
 
 LDFLAGS="$RELRO_LDFLAGS $LDFLAGS"
 

diff --git a/pdns/Makefile.am b/pdns/Makefile.am
index 32fd8453828eeca69fbe875bbd2c9b009d48768a..9de4b641d4c475fa9b292e0c3d7374bef2520c04 100644 (file)
--- a/pdns/Makefile.am
+++ b/pdns/Makefile.am
@@ -1552,7 +1552,7 @@ dnsdist:
 
 if HAVE_SYSTEMD
 pdns.service: pdns.service.in
-       $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' < $< > $@
+       $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' -e 's![@]service_user[@]!$(service_user)!' -e 's![@]service_group[@]!$(service_group)!' < $< > $@
 if !HAVE_SYSTEMD_LOCK_PERSONALITY
        $(AM_V_GEN)perl -ni -e 'print unless /^LockPersonality/' $@
 endif

diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in
index 60a6e075ab7086f420a10c0ff855916e23770620..a272eddfbf8e217c645cbe96404d083d6b4f5872 100644 (file)
--- a/pdns/pdns.service.in
+++ b/pdns/pdns.service.in
@@ -7,13 +7,16 @@ After=network-online.target mysqld.service postgresql.service slapd.service mari
 
 [Service]
 ExecStart=@sbindir@/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no
+User=@service_user@
+Group=@service_group@
 Type=notify
 Restart=on-failure
 RestartSec=1
 StartLimitInterval=0
 
 # Sandboxing
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
 LockPersonality=true
 ProtectControlGroups=true
 ProtectHome=true