From fe9e7b8d472b21fbb8d769319c3208b8eee07502 Mon Sep 17 00:00:00 2001
From: Pieter Lexis
Date: Mon, 8 Jul 2019 10:25:04 +0200
Subject: [PATCH] Ensure Debian SysV users get set{g,u}id

---
 builder-support/debian/recursor/debian-buster/rules | 2 ++
 builder-support/debian/recursor/debian-jessie/rules | 2 ++
 .../debian/recursor/debian-stretch/rules | 2 ++
 pdns/pdns_recursor.cc | 13 +++++++++++--
 4 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/builder-support/debian/recursor/debian-buster/rules b/builder-support/debian/recursor/debian-buster/rules
index b6495990d..c8a82683b 100755
--- a/builder-support/debian/recursor/debian-buster/rules
+++ b/builder-support/debian/recursor/debian-buster/rules
@@ -44,6 +44,8 @@ override_dh_auto_install:
 -e 's!# config-dir=.*!config-dir=/etc/powerdns!' \
 -e 's!# local-address=.*!local-address=127.0.0.1!' \
 -e 's!# quiet=.*!quiet=yes!' \
+ -e 's!# setgid=.*!setgid=pdns!' \
+ -e 's!# setuid=.*!setuid=pdns!' \
 -e 's!# hint-file=.*!&\nhint-file=/usr/share/dns/root.hints!' \
 > debian/pdns-recursor/etc/powerdns/recursor.conf

diff --git a/builder-support/debian/recursor/debian-jessie/rules b/builder-support/debian/recursor/debian-jessie/rules
index 18583724c..20d715d51 100755
--- a/builder-support/debian/recursor/debian-jessie/rules
+++ b/builder-support/debian/recursor/debian-jessie/rules
@@ -44,6 +44,8 @@ override_dh_auto_install:
 -e 's!# config-dir=.*!config-dir=/etc/powerdns!' \
 -e 's!# local-address=.*!local-address=127.0.0.1!' \
 -e 's!# quiet=.*!quiet=yes!' \
+ -e 's!# setgid=.*!setgid=pdns!' \
+ -e 's!# setuid=.*!setuid=pdns!' \
 -e 's!# hint-file=.*!&\nhint-file=/usr/share/dns/root.hints!' \
 > debian/tmp/etc/powerdns/recursor.conf

diff --git a/builder-support/debian/recursor/debian-stretch/rules b/builder-support/debian/recursor/debian-stretch/rules
index b6495990d..c8a82683b 100755
--- a/builder-support/debian/recursor/debian-stretch/rules
+++ b/builder-support/debian/recursor/debian-stretch/rules
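Review bot: The added `-e 's!# setgid=.*!setgid=pdns!'` and `-e 's!# setuid=.*!setuid=pdns!'` expressions in the debian-buster hunk do nothing, and report nothing, when the generated template has no `# setgid=` / `# setuid=` line. A later change to the template text would then ship a recursor.conf without the privilege drop while the build still passes. A check after the redirect would turn that into a build failure, for example `grep -q '^setgid=pdns$$' debian/pdns-recursor/etc/powerdns/recursor.conf` and the same for `setuid`. The debian-jessie hunk (writing to `debian/tmp/etc/powerdns/recursor.conf`) and the debian-stretch hunk have the same gap. The `pdns` user and group are presumably created by a maintainer script that is not visible here, which is worth confirming for the SysV case; the `override_dh_auto_install` recipe starts and ends outside these hunks.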
@@ -44,6 +44,8 @@ override_dh_auto_install:
 -e 's!# config-dir=.*!config-dir=/etc/powerdns!' \
 -e 's!# local-address=.*!local-address=127.0.0.1!' \
 -e 's!# quiet=.*!quiet=yes!' \
+ -e 's!# setgid=.*!setgid=pdns!' \
+ -e 's!# setuid=.*!setuid=pdns!' \
 -e 's!# hint-file=.*!&\nhint-file=/usr/share/dns/root.hints!' \
 > debian/pdns-recursor/etc/powerdns/recursor.conf

diff --git a/pdns/pdns_recursor.cc b/pdns/pdns_recursor.cc
index 03e7c0523..3135f1d6f 100644
--- a/pdns/pdns_recursor.cc
+++ b/pdns/pdns_recursor.cc
@@ -4424,8 +4424,17 @@ int main(int argc, char **argv)
 ::arg().set("log-timestamp","Print timestamps in log lines, useful to disable when running with a tool that timestamps stdout already")="yes";
 ::arg().set("log-common-errors","If we should log rather common errors")="no";
 ::arg().set("chroot","switch to chroot jail")="";
- ::arg().set("setgid","If set, change group id to this gid for more security")="";
- ::arg().set("setuid","If set, change user id to this uid for more security")="";
+ ::arg().set("setgid","If set, change group id to this gid for more security"
+#ifdef HAVE_SYSTEMD
+#define SYSTEMD_SETID_MSG ". When running inside systemd, use the User and Group settings in the unit-file!"
+ SYSTEMD_SETID_MSG
+#endif
+ )="";
+ ::arg().set("setuid","If set, change user id to this uid for more security"
+#ifdef HAVE_SYSTEMD
+ SYSTEMD_SETID_MSG
+#endif
+ )="";
 ::arg().set("network-timeout", "Wait this number of milliseconds for network i/o")="1500";
 ::arg().set("threads", "Launch this number of threads")="2";
 ::arg().set("distributor-threads", "Launch this number of distributor threads, distributing queries to other threads")="0";
--
2.49.0
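Review bot: In the pdns_recursor.cc hunk, `SYSTEMD_SETID_MSG` is `#define`d in the middle of the argument list of the `setgid` call and never undefined, so the macro stays visible for the rest of the translation unit. The `setuid` call also depends on the `setgid` call having come first. Defining the macro once ahead of both calls, with an empty-string fallback, keeps each `::arg().set(...)` on one line and drops the two inner `#ifdef` blocks; the help strings are unchanged because adjacent string literals concatenate. `main` starts and ends outside the hunk.

```cpp
// … unchanged: log-timestamp, log-common-errors, chroot …
#ifdef HAVE_SYSTEMD
#define SYSTEMD_SETID_MSG ". When running inside systemd, use the User and Group settings in the unit-file!"
#else
#define SYSTEMD_SETID_MSG ""
#endif
  ::arg().set("setgid","If set, change group id to this gid for more security" SYSTEMD_SETID_MSG)="";
  ::arg().set("setuid","If set, change user id to this uid for more security" SYSTEMD_SETID_MSG)="";
#undef SYSTEMD_SETID_MSG
// … unchanged: network-timeout, threads, distributor-threads …
```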