Drop CAP_KILL, use + prefix for ExecReload= instead #87

Merged
merged 1 commit into from Sep 26, 2019

Contributor

@hardfalcon hardfalcon commented Sep 26, 2019

CAP_KILL seems to be a bit too much privilege for the sole purpose of being able to make ExecReload= work.
Use the + prefix on ExecReload= instead to run "/bin/kill -HUP $MAINPID" with full privileges, ignoring the restrictions from CapabilityBoundingSet=.

See https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart= for further details about the + prefix in ExecReload=.

@wcawijngaards wcawijngaards merged commit 710851e into NLnetLabs:master Sep 26, 2019
1 check passed
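
An added example, not part of the pull request or of the project's unit file: a small Python check that flags the two states this change moves between, CAP_KILL granted in CapabilityBoundingSet= versus a kill-based ExecReload= that relies on the + prefix. The BEFORE/AFTER unit text, the capability list and the function names are constructed for illustration.

```python
import os
import re

# Constructed sample units (assumed values, not contrib/unbound.service.in).
BEFORE = """[Service]
ExecReload=/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
CapabilityBoundingSet=CAP_KILL
"""
AFTER = """[Service]
ExecReload=+/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
"""

def service_settings(unit_text):
    """Return (bounding set or None if never set, ExecReload= values)."""
    caps, reloads, section = None, [], None
    for line in map(str.strip, unit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        if section != "Service" or line[:1] in ("", "#", ";", "[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "CapabilityBoundingSet":
            if value.startswith("~"):
                raise ValueError("inverted (~) capability lists are not modelled")
            # Repeated assignments merge; an empty one resets to no capabilities.
            caps = (caps or set()) | set(value.split()) if value else set()
        elif key == "ExecReload":
            # An empty assignment clears the commands collected so far.
            reloads = reloads + [value] if value else []
    return caps, reloads

def audit_reload(unit_text):
    """Findings for the CAP_KILL / ExecReload= pattern discussed in this PR."""
    caps, reloads = service_settings(unit_text)
    findings = []
    if caps is not None and "CAP_KILL" in caps:
        findings.append("CAP_KILL is in the service's bounding set")
    for value in reloads:
        # Strip systemd's special executable prefixes before reading argv[0].
        prefix = re.match(r"[@\-:+!]*", value).group()
        argv = value[len(prefix):].split()
        is_kill = bool(argv) and os.path.basename(argv[0]) == "kill"
        if is_kill and "+" not in prefix and caps is not None and "CAP_KILL" not in caps:
            findings.append("ExecReload= kill lacks '+' and CAP_KILL; reload may fail")
    return findings
```
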
wcawijngaards added a commit that referenced this issue Sep 26, 2019
- Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
  Drop CAP_KILL, use + prefix for ExecReload= instead.
Member

@wcawijngaards wcawijngaards commented Sep 26, 2019

Thanks for the fixup, less permissions sounds good. Merged.

jedisct1 added a commit to jedisct1/unbound that referenced this issue Oct 1, 2019
* nlnet/master:
  Changelog note for NLnetLabs#87. - Merge NLnetLabs#87 from hardfalcon: Fix contrib/unbound.service.in,   Drop CAP_KILL, use + prefix for ExecReload= instead.
  Drop CAP_KILL, use + prefix for ExecReload= instead
  - The unbound.conf includes are sorted ascending, for include   statements with a '*' from glob.
  Changelog entry for fix NLnetLabs#84 and NLnetLabs#85. - Merge NLnetLabs#85 for NLnetLabs#84 from sam-lunt: Add kill capability to systemd   service file to fix that systemctl reload fails.
  Add kill capability to systemd service file