Drop CAP_KILL, use + prefix for ExecReload= instead #87

Merged
merged 1 commit into from Sep 26, 2019

Conversation

@hardfalcon
Contributor

hardfalcon commented Sep 26, 2019

CAP_KILL seems like a bit too much privilege for the sole purpose of being able to make ExecReload= work.
Use the + prefix on ExecReload= instead to run "/bin/kill -HUP $MAINPID" with full privileges, ignoring the restrictions from CapabilityBoundingSet=.

See https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart= for further details about the + prefix in ExecReload=.
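
A small audit for the pattern this pull request changes, as an added example that is not part of the pull request or of the Unbound code base: it reads a unit's `[Service]` section and reports whether a kill-based `ExecReload=` depends on `CAP_KILL` in `CapabilityBoundingSet=` or on the `+` prefix. The unit fragments, function names and result labels are constructed for illustration.

```python
import re

# Constructed fragments, not the project's contrib/unbound.service.in; the
# capabilities other than CAP_KILL are placeholders for what a daemon needs.
BEFORE = """\
[Service]
ExecReload=/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID \\
    CAP_SETGID CAP_KILL
"""
AFTER = """\
[Service]
ExecReload=+/bin/kill -HUP $MAINPID
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
"""

def service_settings(unit_text):
    """Yield (key, value) pairs from the [Service] section of a unit file."""
    section = None
    for line in re.sub(r"\\\n\s*", " ", unit_text).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            yield key.strip(), value.strip()

def audit_reload(unit_text):
    """Classify how a kill-based ExecReload= gets its signalling privilege."""
    caps, inverted, plus_flags = None, False, []
    for key, value in service_settings(unit_text):
        if key == "CapabilityBoundingSet":
            # Empty value resets to the empty set; "~" lists caps to remove.
            # Simplification: mixed plain and "~" assignments are not modelled.
            inverted = value.startswith("~")
            new = set(value.lstrip("~").split())
            caps = (caps or set()) | new if value else set()
        elif key == "ExecReload":
            prefix = re.match(r"[@\-:+!]*", value).group()
            argv = value[len(prefix):].split()
            if argv and argv[0].rsplit("/", 1)[-1] == "kill":
                plus_flags.append("+" in prefix)
    if not plus_flags:
        return "no-kill-reload"
    if caps is None:
        return "no-bounding-set"      # nothing restricted, CAP_KILL is implicit
    if ("CAP_KILL" in caps) != inverted:
        return "drop-cap-kill"        # daemon keeps CAP_KILL for its lifetime
    return "ok" if all(plus_flags) else "reload-may-fail"
```

`audit_reload(BEFORE)` flags the unit that carries `CAP_KILL` only for reload, and `audit_reload(AFTER)` accepts the form with the `+` prefix.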

@wcawijngaards wcawijngaards merged commit 710851e into NLnetLabs:master Sep 26, 2019
1 check passed
continuous-integration/travis-ci/pr The Travis CI build passed
wcawijngaards added a commit that referenced this pull request Sep 26, 2019
- Merge #87 from hardfalcon: Fix contrib/unbound.service.in,
  Drop CAP_KILL, use + prefix for ExecReload= instead.
@wcawijngaards

Member

wcawijngaards commented Sep 26, 2019

Thanks for the fixup, fewer permissions sounds good. Merged.

jedisct1 added a commit to jedisct1/unbound that referenced this pull request Oct 1, 2019
* nlnet/master:
  Changelog note for NLnetLabs#87. - Merge NLnetLabs#87 from hardfalcon: Fix contrib/unbound.service.in,   Drop CAP_KILL, use + prefix for ExecReload= instead.
  Drop CAP_KILL, use + prefix for ExecReload= instead
  - The unbound.conf includes are sorted ascending, for include   statements with a '*' from glob.
  Changelog entry for fix NLnetLabs#84 and NLnetLabs#85. - Merge NLnetLabs#85 for NLnetLabs#84 from sam-lunt: Add kill capability to systemd   service file to fix that systemctl reload fails.
  Add kill capability to systemd service file