From 7e6d27b7bb5bb1bee492b741d885d5d7a4fe856e Mon Sep 17 00:00:00 2001 From: Pieter Lexis Date: Thu, 6 Jun 2019 12:32:30 +0200 Subject: [PATCH] rec: create service file with User/Group --- pdns/recursordist/Makefile.am | 2 +- pdns/recursordist/configure.ac | 1 + pdns/recursordist/m4/pdns_with_service_user.m4 | 1 + pdns/recursordist/pdns-recursor.service.in | 5 ++++- 4 files changed, 7 insertions(+), 2 deletions(-) create mode 120000 pdns/recursordist/m4/pdns_with_service_user.m4 diff --git a/pdns/recursordist/Makefile.am b/pdns/recursordist/Makefile.am index 12d93f680..7e31711f4 100644 --- a/pdns/recursordist/Makefile.am +++ b/pdns/recursordist/Makefile.am @@ -493,7 +493,7 @@ endif if HAVE_SYSTEMD pdns-recursor.service: pdns-recursor.service.in - $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' < $< > $@ + $(AM_V_GEN)sed -e 's![@]sbindir[@]!$(sbindir)!' -e 's![@]service_user[@]!$(service_user)!' -e 's![@]service_group[@]!$(service_group)!' < $< > $@ if !HAVE_SYSTEMD_LOCK_PERSONALITY $(AM_V_GEN)perl -ni -e 'print unless /^LockPersonality/' $@ endif diff --git a/pdns/recursordist/configure.ac b/pdns/recursordist/configure.ac index 3d2b20f55..7cc54f1de 100644 --- a/pdns/recursordist/configure.ac +++ b/pdns/recursordist/configure.ac @@ -173,6 +173,7 @@ PDNS_ENABLE_VALGRIND AX_AVAILABLE_SYSTEMD AX_CHECK_SYSTEMD_FEATURES AM_CONDITIONAL([HAVE_SYSTEMD], [ test x"$systemd" = "xy" ]) +PDNS_WITH_SERVICE_USER([pdns-recursor]) PDNS_CHECK_VIRTUALENV AC_SUBST(LIBS) diff --git a/pdns/recursordist/m4/pdns_with_service_user.m4 b/pdns/recursordist/m4/pdns_with_service_user.m4 new file mode 120000 index 000000000..bc72a6e12 --- /dev/null +++ b/pdns/recursordist/m4/pdns_with_service_user.m4 @@ -0,0 +1 @@ +../../../m4/pdns_with_service_user.m4 \ No newline at end of file diff --git a/pdns/recursordist/pdns-recursor.service.in b/pdns/recursordist/pdns-recursor.service.in index 357af4329..ce9472c76 100644 --- a/pdns/recursordist/pdns-recursor.service.in 
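Review bot: In the Makefile.am hunk the `pdns-recursor.service` rule still has `pdns-recursor.service.in` as its only prerequisite, so the unit is not regenerated when configure is re-run with a different service user or group, and a stale `User=`/`Group=` can end up installed. Listing the Makefile as a second prerequisite, `pdns-recursor.service: pdns-recursor.service.in Makefile`, keeps `$<` pointing at the template while forcing a rebuild when the substituted values change. The values are also pasted into the sed replacement unescaped and unchecked; an empty one would produce a bare `User=` line, which as far as I can tell systemd treats as unset, so the service would run as root. Unless the `PDNS_WITH_SERVICE_USER` macro (not visible here) already rejects that, a guard line such as `@test -n '$(service_user)' && test -n '$(service_group)'` before the sed would fail the build instead. The `if HAVE_SYSTEMD` block continues outside the hunk.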
+++ b/pdns/recursordist/pdns-recursor.service.in @@ -8,6 +8,8 @@ After=network-online.target [Service] ExecStart=@sbindir@/pdns_recursor --daemon=no --write-pid=no --disable-syslog --log-timestamp=no +User=@service_user@ +Group=@service_group@ Type=notify Restart=on-failure StartLimitInterval=0 @@ -16,7 +18,8 @@ StartLimitInterval=0 LimitNOFILE=16384 # Sandboxing -CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_CHOWN CAP_SYS_CHROOT +CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN +AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN LockPersonality=true NoNewPrivileges=true PrivateDevices=true -- 2.40.0
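Review bot: The new `User=`/`Group=` lines in the first hunk carry no comment telling an administrator that privilege dropping has moved from the daemon to systemd. The second hunk removes `CAP_SETUID`, `CAP_SETGID` and `CAP_SYS_CHROOT` from the bounding set, so an existing recursor.conf that still sets `setuid`, `setgid` or `chroot` would presumably fail at startup after an upgrade. I would add a line above `User=` such as `# Privileges are dropped by systemd; leave setuid, setgid and chroot unset in recursor.conf`. Whether the unit also provisions a runtime directory writable by the service user is outside this hunk and worth checking alongside.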
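Review bot: In the second hunk `CAP_CHOWN` stays in `CapabilityBoundingSet` and is additionally granted through `AmbientCapabilities`, so the now-unprivileged process can still change the ownership of any file for its whole lifetime, which gives back much of what `User=` takes away if the resolver is ever compromised. With the daemon already started as the service user, the files it creates should have the right owner without a chown, so the capability looks unnecessary. If that holds, the two lines become `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `AmbientCapabilities=CAP_NET_BIND_SERVICE`. If some startup path still needs it (not visible here), a comment naming that path would let a later reviewer remove it once the path is gone. The sandboxing section continues outside the hunk.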