From: Pieter Lexis Date: Tue, 18 Jun 2019 14:37:18 +0000 (+0200) Subject: auth: create service file with User/Group X-Git-Tag: dnsdist-1.4.0-rc3~15^2~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f3d6553235219c02381e6d3477540e9f9fce08ae;p=pdns auth: create service file with User/Group --- diff --git a/configure.ac b/configure.ac index 5efd2c4b1..1546caf43 100644 --- a/configure.ac +++ b/configure.ac @@ -286,6 +286,7 @@ done AX_AVAILABLE_SYSTEMD AX_CHECK_SYSTEMD_FEATURES AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ]) + PDNS_WITH_SERVICE_USER([pdns]) LDFLAGS="$RELRO_LDFLAGS $LDFLAGS" diff --git a/pdns/Makefile.am b/pdns/Makefile.am index 32fd84538..9de4b641d 100644 --- a/pdns/Makefile.am +++ b/pdns/Makefile.am @@ -1552,7 +1552,7 @@ dnsdist: if HAVE_SYSTEMD pdns.service: pdns.service.in - $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' < $< > $@ + $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' -e 's![@]service_user[@]!$(service_user)!' -e 's![@]service_group[@]!$(service_group)!' < $< > $@ if !HAVE_SYSTEMD_LOCK_PERSONALITY $(AM_V_GEN)perl -ni -e 'print unless /^LockPersonality/' $@ endif diff --git a/pdns/pdns.service.in b/pdns/pdns.service.in index 60a6e075a..a272eddfb 100644 --- a/pdns/pdns.service.in +++ b/pdns/pdns.service.in @@ -7,13 +7,16 @@ After=network-online.target mysqld.service postgresql.service slapd.service mari [Service] ExecStart=@sbindir@/pdns_server --guardian=no --daemon=no --disable-syslog --log-timestamp=no --write-pid=no +User=@service_user@ +Group=@service_group@ Type=notify Restart=on-failure RestartSec=1 StartLimitInterval=0 # Sandboxing -CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN +AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN LockPersonality=true ProtectControlGroups=true ProtectHome=true
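Review bot: The extended sed line in the `pdns.service` rule substitutes `$(service_user)` and `$(service_group)` without checking that they are non-empty, and an empty value produces `User=` / `Group=` in the generated unit, which systemd treats as unset, so the daemon would start as root. Whether `PDNS_WITH_SERVICE_USER` already rejects an empty value is not visible in this diff, so a guard line ahead of the sed would make the rule safe on its own: `@test -n '$(service_user)' && test -n '$(service_group)' || { echo 'service_user/service_group must not be empty' >&2; exit 1; }`. The values are also pasted into a `!`-delimited sed expression unescaped, so a name containing `!` or `&` would corrupt the output; a short comment on the rule stating that both must be plain account names would document that. The enclosing `if HAVE_SYSTEMD` block continues outside the hunk.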
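Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN` leaves the unprivileged service user holding CAP_CHOWN for the whole life of the process, which lets it take ownership of any file it can reach rather than only the ones the daemon hands over at startup. If the capability is needed only for a socket or runtime directory (an assumption, the code that uses it is not shown), having systemd create that directory for the service user with `RuntimeDirectory=` would allow CAP_CHOWN to be dropped from both capability lines. The same hunk removes CAP_SETUID, CAP_SETGID and CAP_SYS_CHROOT from the bounding set, so a configuration that still asks the daemon to switch user or chroot will presumably fail at startup. A comment above `User=` such as `# User=/Group= replace setuid/setgid in pdns.conf; chroot cannot be used with this unit` would tell the operator. The `[Service]` section continues past the end of the hunk.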