Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service #82

Merged
merged 1 commit into from Sep 20, 2019


hardfalcon commented Sep 20, 2019

Since kernel 3.2, just using CAP_NET_RAW instead of CAP_NET_ADMIN is sufficient to allow for the usage of the IP_TRANSPARENT socket option. CAP_NET_ADMIN allows far more mayhem than CAP_NET_RAW, so prefer the safer, more restrictive solution.

Since kernel 3.2, CAP_NET_RAW instead of CAP_NET_ADMIN is sufficient to allow for the usage of the IP_TRANSPARENT socket option. CAP_NET_ADMIN allows far more mayhem than CAP_NET_RAW, so prefer the safer, more restrictive solution.
@wcawijngaards wcawijngaards merged commit 15020f7 into NLnetLabs:master Sep 20, 2019
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
wcawijngaards added a commit that referenced this pull request Sep 20, 2019
- Merge #82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW
  in unbound.service.

wcawijngaards commented Sep 20, 2019

Thanks for the fixup; fewer permissions are better. Merged it.
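
Added example, not part of the original thread or of the Unbound project's code: a small auditor that reports whether a systemd unit still leaves a service CAP_NET_ADMIN where, per the pull request, CAP_NET_RAW is enough for IP_TRANSPARENT on kernel 3.2 and later. The names `WATCHED`, `granted` and `audit` and the sample units are constructed for illustration, and the merge rules for repeated and `~`-prefixed lines are a simplified model of systemd's behaviour.

```python
# Added example: which of CAP_NET_ADMIN / CAP_NET_RAW does a unit leave a service?
# Simplified model of systemd's merge rules; sample units are constructed.
WATCHED = {"CAP_NET_ADMIN", "CAP_NET_RAW"}

def granted(unit_text, directive="CapabilityBoundingSet"):
    """Return the WATCHED capabilities that `directive` leaves to the service."""
    # An unset bounding set is left untouched (normally full); unset ambient is empty.
    current = set(WATCHED) if directive == "CapabilityBoundingSet" else set()
    first, in_service = True, False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_service = line == "[Service]"
            continue
        if not in_service or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key != directive:
            continue
        names = set(value.lstrip("~").split()) & WATCHED
        if value == "":                      # empty assignment: reset to nothing
            current = set()
        elif value == "~":                   # bare "~": reset to everything
            current = set(WATCHED)
        elif value.startswith("~"):          # deny-list: all except the names
            current = (set(WATCHED) if first else current) - names
        else:                                # allow-list: repeated lines are ORed
            current = names if first else current | names
        first = False
    return current

def audit(unit_text):
    """Flag directives that still hand the service CAP_NET_ADMIN."""
    return [f"{d}: CAP_NET_ADMIN retained; CAP_NET_RAW is enough for IP_TRANSPARENT"
            for d in ("CapabilityBoundingSet", "AmbientCapabilities")
            if "CAP_NET_ADMIN" in granted(unit_text, d)]

# Constructed sample units (not the contents of Unbound's unbound.service).
BEFORE = "[Service]\nCapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_NET_ADMIN\n"
AFTER = "[Service]\nCapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_NET_RAW\n"
UNSET = "[Service]\nExecStart=/usr/sbin/example-daemon\n"

if __name__ == "__main__":
    for name, unit in (("before", BEFORE), ("after", AFTER), ("unset", UNSET)):
        print(name, audit(unit) or "ok")
```

A unit with no CapabilityBoundingSet line at all is flagged too, because the service then keeps whatever bounding set it inherits.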

jedisct1 added a commit to jedisct1/unbound that referenced this pull request Sep 21, 2019
* nlnet/master: (22 commits)
  Changelog entry for NLnetLabs#83 - Merge NLnetLabs#83 from Maryse47: contrib/unbound.service.in: do not fork   into the background.
  unbound.service.in: do not fork into the background
  Changelog entry for NLnetLabs#81. - Merge NLnetLabs#81 from Maryse47: Consistently use /dev/urandom instead   of /dev/random in scripts and docs.
  (Changelog entry for NLnetLabs#82). - Merge NLnetLabs#82 from hardfalcon: Downgrade CAP_NET_ADMIN to CAP_NET_RAW   in unbound.service.
  Downgrade CAP_NET_ADMIN to CAP_NET_RAW in unbound.service
  Consistently use /dev/urandom instead of /dev/random in scripts and docs
  - Merge NLnetLabs#80 from stasic: Improve wording in man page. (Changelog entry for merge)
  Improve wording in man page
  - Fix wrong response ttl for prepended short CNAME ttls, this would   create a wrong zero_ttl response count with serve-expired enabled.
  - Fix for oss-fuzz build warning.
  - Fix fix for NLnetLabs#78 to also free service callback struct.
  - oss-fuzz badge on README.md.
  - Merge pull request NLnetLabs#76 from Maryse47: Improvements and fixes for   systemd unbound.service. (Changelog note for merge of NLnetLabs#76).
  - Fix NLnetLabs#78: Memory leak in outside_network.c.
  Improvements and fixes for systemd unbound.service
  - Use explicit bzero for wiping clear buffer of hash in cachedb,   reported by Eric Sesterhenn from X41 D-Sec.
  - Fix NLnetLabs#72: configure --with-syslog-facility=LOCAL0-7 with default   LOG_DAEMON (as before) can set the syslog facility that the server   uses to log messages.
  - Fix NLnetLabs#71: fix openssl error squelch commit compilation error.
  - squelch DNS over TLS errors 'ssl handshake failed crypto error'   on low verbosity, they show on verbosity 3 (query details), because   there is a high volume and the operator cannot do anything for the   remote failure.  Specifically filters the high volume errors.
  - updated Makefile dependencies.
  ...