diff --git a/contrib/unbound-anchor.service.in b/contrib/systemd/unbound-anchor.service.in
similarity index 93%
rename from contrib/unbound-anchor.service.in
rename to contrib/systemd/unbound-anchor.service.in
index 36a7c227a..bf46c3f14 100644
--- a/contrib/unbound-anchor.service.in
+++ b/contrib/systemd/unbound-anchor.service.in
@@ -48,10 +48,9 @@ Description=unbound-anchor
 Documentation=man:unbound-anchor(8)
 After=network-online.target
-After=unbound-roothints.service
 Wants=network-online.target
+After=unbound-roothints.service
 Wants=unbound-roothints.service
-Before=unbound-chown.service
 Before=unbound.service
 OnFailure=logger "Error (unbound-anchor): Please check root anchor."
@@ -61,7 +60,7 @@ WantedBy=multi-user.target
 [Service]
 ExecCondition=@UNBOUND_RUN_DIR@/roothints-sig.sh
 ExecStart=/bin/cp "/etc/trusted-key.key" @UNBOUND_ROOTKEY_FILE@
-ExecStart=@UNBOUND_SBIN_DIR@/unbound-anchor -f "/etc/resolv.conf" -r @UNBOUND_RUN_DIR@/root.hints -a @UNBOUND_ROOTKEY_FILE@
+ExecStart=/bin/sudo -u unbound @UNBOUND_SBIN_DIR@/unbound-anchor -f "/etc/resolv.conf" -r @UNBOUND_RUN_DIR@/root.hints -a @UNBOUND_ROOTKEY_FILE@ -c @UNBOUND_RUN_DIR@/icannbundle.pem
 NotifyAccess=main
 Type=oneshot
 # TODO: Needs checking. Does unbound-anchor require net capabilities?
@@ -88,4 +87,4 @@ RestrictNamespaces=yes
 LockPersonality=yes
 RestrictSUIDSGID=yes
 ReadWritePaths=@UNBOUND_ROOTKEY_FILE@
-ReadOnlyPaths=/etc/trusted-key.key /etc/resolv.conf @UNBOUND_RUN_DIR@/root.hints
\ No newline at end of file
+ReadOnlyPaths=/etc/trusted-key.key /etc/resolv.conf @UNBOUND_RUN_DIR@/root.hints @UNBOUND_RUN_DIR@/icannbundle.pem
\ No newline at end of file
diff --git a/contrib/unbound-anchor.timer.in b/contrib/systemd/unbound-anchor.timer.in
similarity index 100%
rename from contrib/unbound-anchor.timer.in
rename to contrib/systemd/unbound-anchor.timer.in
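Review bot: The new `ExecStart=/bin/sudo -u unbound …` line drops privileges through the setuid sudo binary rather than through systemd, which makes the unit depend on sudo being installed and on its sudoers/PAM configuration, and sits uneasily next to the unit's hardening (RestrictSUIDSGID=yes is visible in the last hunk; if the unit also sets NoNewPrivileges=, whether sudo can still switch user in that context should be verified). The same effect is available natively: add `User=unbound` to [Service], change the copy to `ExecStart=+/bin/cp "/etc/trusted-key.key" @UNBOUND_ROOTKEY_FILE@` (the `+` prefix keeps that one step fully privileged), and run `ExecStart=@UNBOUND_SBIN_DIR@/unbound-anchor -f "/etc/resolv.conf" -r @UNBOUND_RUN_DIR@/root.hints -a @UNBOUND_ROOTKEY_FILE@ -c @UNBOUND_RUN_DIR@/icannbundle.pem` without sudo. Separately, the deleted unbound-chown.service was what made @UNBOUND_ROOTKEY_FILE@ unbound-owned; with the copy still running as the unit's default user and unbound-anchor now running as unbound, the `-a @UNBOUND_ROOTKEY_FILE@` update looks likely to fail on a root-owned file unless ownership is handled elsewhere, so that path deserves a test. The [Service] section continues outside the hunk.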
diff --git a/contrib/unbound-roothints.service.in b/contrib/systemd/unbound-roothints.service.in
similarity index 100%
rename from contrib/unbound-roothints.service.in
rename to contrib/systemd/unbound-roothints.service.in
diff --git a/contrib/unbound-roothints.timer.in b/contrib/systemd/unbound-roothints.timer.in
similarity index 100%
rename from contrib/unbound-roothints.timer.in
rename to contrib/systemd/unbound-roothints.timer.in
diff --git a/contrib/unbound-chown.service.in b/contrib/unbound-chown.service.in
deleted file mode 100644
index a8750f45e..000000000
--- a/contrib/unbound-chown.service.in
+++ /dev/null
@@ -1,89 +0,0 @@
-; For further details about the directives used in this unit file, including
-; the below, please refer to systemd's official documentation, available at
-; https://www.freedesktop.org/software/systemd/man/systemd.exec.html.
-;
-;
-; - `ProtectSystem=strict` implies we mount the entire file system hierarchy
-; read-only for the processes invoked by the unit except for the API file
-; system subtrees /dev, /proc and /sys (which are protected by
-; PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).
-;
-; - `PrivateTmp=yes` secures access to temporary files of the process, and
-; makes sharing between processes via /tmp or /var/tmp impossible.
-;
-; - `ProtectHome=yes` makes the directories /home, /root, and /run/user
-; inaccessible and empty for processes invoked by the unit.
-;
-; - `ProtectControlGroups=yes` makes the Linux Control Groups hierarchies
-; (accessible through /sys/fs/cgroup) read-only to all processes invoked by
-; the unit. It also implies `MountAPIVFS=yes`.
-;
-; - `RuntimeDirectory=unbound` creates a /run/unbound directory, owned by the
-; unit User and Group with read-write permissions (0755) as soon as the
-; unit starts. This allows unbound to store its pidfile. The directory and
-; its content are automatically removed by systemd when the unit stops.
-;
-; - `NoNewPrivileges=yes` ensures that the service process and all its
-; children can never gain new privileges through execve().
-;
-; - `RestrictSUIDSGID=yes` ensures that any attempts to set the set-user-ID
-; (SUID) or set-group-ID (SGID) bits on files or directories will be denied.
-;
-; - `RestrictRealTime=yes` ensures that any attempts to enable realtime
-; scheduling in a process invoked by the unit will be denied.
-;
-; - `RestrictNamespaces=yes` ensures that access to any kind of namespacing
-; is prohibited.
-;
-; - `LockPersonality=yes` locks down the personality system call so that the
-; kernel execution domain may not be changed from the default.
-;
-; - With /etc/systemd/network/*.network a setting to make sure the network
-; is not considered online too early, can reduce network unreachable
-; errors on server start:
-; [Link]
-; RequiredForOnline=routable
-;
-[Unit]
-Description=unbound-chown
-Documentation=man:chown(1)
-After=network-online.target
-After=unbound-anchor.service
-After=unbound-roothints.service
-Wants=network-online.target
-Wants=unbound-anchor.service
-Wants=unbound-roothints.service
-Before=unbound.service
-OnFailure=logger "Error (unbound-chown): Please check /etc/unbound ownership."
-
-[Install]
-WantedBy=multi-user.target
-
-[Service]
-ExecStart=/bin/chown -R unbound:unbound @UNBOUND_RUN_DIR@
-ExecStart=/bin/chown -R unbound:unbound @UNBOUND_CHROOT_DIR@
-ExecStart=/bin/chown unbound:unbound @UNBOUND_ROOTKEY_FILE@
-NotifyAccess=main
-Type=oneshot
-CapabilityBoundingSet=CAP_CHOWN
-MemoryDenyWriteExecute=true
-NoNewPrivileges=true
-PrivateDevices=true
-PrivateTmp=true
-ProtectHome=true
-ProtectClock=true
-ProtectControlGroups=true
-ProtectKernelLogs=true
-ProtectKernelModules=true
-ProtectKernelTunables=true
-ProtectProc=invisible
-ProtectSystem=strict
-RuntimeDirectory=unbound
-ConfigurationDirectory=unbound
-StateDirectory=unbound
-RestrictRealtime=true
-SystemCallArchitectures=native
-RestrictNamespaces=yes
-LockPersonality=yes
-RestrictSUIDSGID=yes
-ReadWritePaths=@UNBOUND_RUN_DIR@ @UNBOUND_CHROOT_DIR@ @UNBOUND_ROOTKEY_FILE@
diff --git a/contrib/unbound.service.in b/contrib/unbound.service.in
index aa5e228a5..257891043 100644
--- a/contrib/unbound.service.in
+++ b/contrib/unbound.service.in
@@ -48,14 +48,13 @@ Description=Validating, recursive, and caching DNS resolver
 Documentation=man:unbound(8)
 After=network-online.target
-After=unbound-roothints.service
-After=unbound-anchor.service
-After=unbound-chown.service
 Wants=network-online.target
-Wants=unbound-roothints.service
-Wants=unbound-anchor.service
-Wants=unbound-chown.service
 Before=nss-lookup.target
+# These two are needed for systemd-managed root.hints and trusted-key.key updates.
+#After=unbound-roothints.service
+#Wants=unbound-roothints.service
+#After=unbound-anchor.service
+#Wants=unbound-anchor.service
 [Install]
 WantedBy=multi-user.target
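Review bot: The added comment `# These two are needed for systemd-managed root.hints and trusted-key.key updates.` precedes four commented-out directives, so "these two" is ambiguous and the line does not tell the reader what action to take. Suggest `# Uncomment both pairs below to pull in the systemd-managed root.hints and trusted-key.key updates (unbound-roothints.service / unbound-anchor.service).` It would also help to state in that comment that only the Wants= pull-in is lost by default: unbound-anchor.service still declares Before=unbound.service in the unbound-anchor.service.in hunk, so ordering is kept once those units are enabled. The [Unit] section begins before this hunk.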