Replace the need for sudo with the systemd unit's native ability to run as user:group (safer than requiring both sudoers access and configuration).

This commit is contained in:
Toria 2025-12-30 20:37:25 +00:00
parent 85a0ef858a
commit bc31a34416
2 changed files with 5 additions and 1 deletions


@ -58,9 +58,11 @@ OnFailure=logger "Error (unbound-anchor): Please check root anchor."
WantedBy=multi-user.target
[Service]
User=unbound
Group=unbound
ExecCondition=@UNBOUND_RUN_DIR@/roothints-sig.sh
ExecStart=/bin/cp "/etc/trusted-key.key" @UNBOUND_ROOTKEY_FILE@
ExecStart=/bin/sudo -u unbound @UNBOUND_SBIN_DIR@/unbound-anchor -f "/etc/resolv.conf" -r @UNBOUND_RUN_DIR@/root.hints -a @UNBOUND_ROOTKEY_FILE@ -c @UNBOUND_RUN_DIR@/icannbundle.pem
ExecStart=@UNBOUND_SBIN_DIR@/unbound-anchor -f "/etc/resolv.conf" -r @UNBOUND_RUN_DIR@/root.hints -a @UNBOUND_ROOTKEY_FILE@ -c @UNBOUND_RUN_DIR@/icannbundle.pem
NotifyAccess=main
Type=oneshot
# TODO: Needs checking. Does unbound-anchor require net capabilities?
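Review bot: With `User=unbound`/`Group=unbound` now set in [Service], every step of this unit changes privilege, not only the unbound-anchor call that was previously wrapped in `sudo -u unbound` — `ExecStart=/bin/cp "/etc/trusted-key.key" @UNBOUND_ROOTKEY_FILE@` and `ExecCondition=@UNBOUND_RUN_DIR@/roothints-sig.sh` ran as root before and will now fail unless /etc/trusted-key.key is readable and the target paths are writable by unbound. If the copy is meant to stay privileged, systemd can run that single step with full privileges via the `+` prefix, `ExecStart=+/bin/cp "/etc/trusted-key.key" @UNBOUND_ROOTKEY_FILE@`, while the unbound-anchor step keeps the unit's user. On the TODO: `User=` only changes the uid and does not restrict networking by itself; unbound-anchor appears to need only unprivileged client sockets, so presumably no ambient capability is required, but that should be confirmed and can then be pinned with `CapabilityBoundingSet=` and `NoNewPrivileges=yes` now that sudo is gone. The [Service] section continues beyond the hunk.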


@ -58,6 +58,8 @@ OnFailure=logger "Error (unbound-roothints): Please check root hints."
WantedBy=multi-user.target
[Service]
User=unbound
Group=unbound
ExecStart=/bin/curl -o @UNBOUND_RUN_DIR@/root.hints https://www.internic.net/domain/named.cache
ExecStart=/bin/curl -o @UNBOUND_RUN_DIR@/root-hints.md5 https://www.internic.net/domain/named.cache.md5
ExecStart=/bin/curl -o @UNBOUND_RUN_DIR@/icannbundle.pem https://data.iana.org/root-anchors/icannbundle.pem