dnsdist: don't start as root within a systemd environment #7820
Remove the setuid/setgid capabilities _and_ add CAP_NET_BIND_SERVICE to the AmbientCapabilities.
Looks good!
@rgacogne Do you have an opinion on
We already refuse to start the recursor then
I'm fine with refusing to start in that exact case, provided that we can figure out a clear enough error message :)
I think we can target this for dnsdist 1.5.0?
Done!
9a12005 to c98c0ef
It would not help. I'll fix it on master soon.
I fixed it on master in June. A rebase would help. We can also ignore it for this PR :)
Short description
With this PR, dnsdist is never started as root on Linux systems with systemd. This PR adds a configure option to set the username and group in the service file. It also removes the capabilities for dnsdist to do setuid and setgid.
Discussion:
NOTIFY_SOCKET defined) and -u or -g is set on the command line?
Checklist
I have:
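
As an added example (not code from this PR or from the dnsdist project), a small Python check of a unit file for the properties the description above names: a non-root User=, no CAP_SETUID/CAP_SETGID in the bounding set, CAP_NET_BIND_SERVICE as an ambient capability, and no -u/-g left on the command line. The two unit texts, the /usr/bin/dnsdist path and the dnsdist user and group names are constructed for illustration.

```python
# Constructed sample units for illustration; not the project's service file.
UNIT_ROOT = """[Service]
ExecStart=/usr/bin/dnsdist --supervised -u dnsdist -g dnsdist
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
"""
UNIT_UNPRIV = """[Service]
ExecStart=/usr/bin/dnsdist --supervised
User=dnsdist
Group=dnsdist
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
"""

def service_settings(unit_text):
    """Collect [Service] directives as token lists; an empty assignment resets."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if not value:
                settings[key] = []
            else:
                settings.setdefault(key, []).extend(value.split())
    return settings

def audit(unit_text):
    """Return findings for the privilege properties this PR changes."""
    s = service_settings(unit_text)
    findings = []
    user = (s.get("User") or ["root"])[-1]  # no User= means systemd starts it as root
    is_root = user in ("root", "0")
    if is_root:
        findings.append("runs-as-root")
    if "CapabilityBoundingSet" not in s:
        findings.append("bounding-set-unrestricted")
    for cap in ("CAP_SETUID", "CAP_SETGID"):  # "~" inverted lists are not handled
        if cap in s.get("CapabilityBoundingSet", []):
            findings.append("bounding-set-allows-" + cap)
    if not is_root and "CAP_NET_BIND_SERVICE" not in s.get("AmbientCapabilities", []):
        findings.append("no-ambient-CAP_NET_BIND_SERVICE")  # needed to bind port 53 as non-root
    if any(arg in ("-u", "-g") for arg in s.get("ExecStart", [])):
        findings.append("execstart-sets-uid-gid")  # relies on the capabilities removed here
    return findings
```

`audit(UNIT_ROOT)` reports the root start, the two setuid/setgid capabilities and the `-u`/`-g` arguments; `audit(UNIT_UNPRIV)` returns an empty list.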