From bc31a344163c5039c62ffc661b927ccc629daa29 Mon Sep 17 00:00:00 2001
From: Toria
Date: Tue, 30 Dec 2025 20:37:25 +0000
Subject: [PATCH] Change need for sudo, to use systemd unit ability to run as user:group natively (safer than needing sudoers access AND config).
---
 contrib/systemd/unbound-anchor.service.in | 4 +++-
 contrib/systemd/unbound-roothints.service.in | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/contrib/systemd/unbound-anchor.service.in b/contrib/systemd/unbound-anchor.service.in
index bf46c3f14..1324b4486 100644
--- a/contrib/systemd/unbound-anchor.service.in
+++ b/contrib/systemd/unbound-anchor.service.in
@@ -58,9 +58,11 @@ OnFailure=logger "Error (unbound-anchor): Please check root anchor."
 WantedBy=multi-user.target
 [Service]
+User=unbound
+Group=unbound
 ExecCondition=@UNBOUND_RUN_DIR@/roothints-sig.sh
 ExecStart=/bin/cp "/etc/trusted-key.key" @UNBOUND_ROOTKEY_FILE@
-ExecStart=/bin/sudo -u unbound @UNBOUND_SBIN_DIR@/unbound-anchor -f "/etc/resolv.conf" -r @UNBOUND_RUN_DIR@/root.hints -a @UNBOUND_ROOTKEY_FILE@ -c @UNBOUND_RUN_DIR@/icannbundle.pem
+ExecStart=@UNBOUND_SBIN_DIR@/unbound-anchor -f "/etc/resolv.conf" -r @UNBOUND_RUN_DIR@/root.hints -a @UNBOUND_ROOTKEY_FILE@ -c @UNBOUND_RUN_DIR@/icannbundle.pem
 NotifyAccess=main
 Type=oneshot
 # TODO: Needs checking. Does unbound-anchor require net capabilities?
diff --git a/contrib/systemd/unbound-roothints.service.in b/contrib/systemd/unbound-roothints.service.in
index d6f22b1f5..e0a1de2f5 100644
--- a/contrib/systemd/unbound-roothints.service.in
+++ b/contrib/systemd/unbound-roothints.service.in
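Review bot: With `User=unbound` now covering every command in this `[Service]` section, the `ExecStart=/bin/cp "/etc/trusted-key.key" @UNBOUND_ROOTKEY_FILE@` step and the `ExecCondition=` script also run unprivileged, whereas before only the `unbound-anchor` call was dropped via sudo; if `/etc/trusted-key.key` is not readable by `unbound`, or the directory holding `@UNBOUND_ROOTKEY_FILE@` is not writable by it, the copy fails and the unit never reaches `unbound-anchor`. If that copy is meant to stay privileged, the systemd `+` prefix keeps the privilege drop for the anchor call only: `ExecStart=+/bin/cp "/etc/trusted-key.key" @UNBOUND_ROOTKEY_FILE@`. Since the service no longer needs root at all, this is also the place to add `NoNewPrivileges=yes` (plus `ProtectSystem=strict` with `ReadWritePaths=` covering the run dir and the anchor file) so removing sudo actually shrinks the unit's privilege rather than only relocating it. On the `# TODO` context line: an outbound HTTPS/DNS client run as an unprivileged user needs no capabilities to make connections, so the TODO can likely be resolved as "none required" — worth confirming against unbound-anchor's actual behaviour before closing it.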
@@ -58,6 +58,8 @@ OnFailure=logger "Error (unbound-roothints): Please check root hints."
 WantedBy=multi-user.target
 [Service]
+User=unbound
+Group=unbound
 ExecStart=/bin/curl -o @UNBOUND_RUN_DIR@/root.hints https://www.internic.net/domain/named.cache
 ExecStart=/bin/curl -o @UNBOUND_RUN_DIR@/root-hints.md5 https://www.internic.net/domain/named.cache.md5
 ExecStart=/bin/curl -o @UNBOUND_RUN_DIR@/icannbundle.pem https://data.iana.org/root-anchors/icannbundle.pem
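Review bot: Running the three `curl` fetches as `User=unbound` means `@UNBOUND_RUN_DIR@` must already be owned or writable by that user, which nothing in this unit guarantees; adding `RuntimeDirectory=` or `StateDirectory=` (whichever `@UNBOUND_RUN_DIR@` maps to on the target distro) with the matching ownership, or at least `ReadWritePaths=@UNBOUND_RUN_DIR@` under `ProtectSystem=strict`, would make the drop to `unbound` robust instead of environment-dependent. While the commit touches this section it is worth pairing the privilege drop with `NoNewPrivileges=yes`, which is what actually stops the handling of downloaded files from re-escalating. One note on the context lines, not introduced here: without `--fail` (`-f`) curl writes an HTTP error body into `root.hints` and still exits 0, so a 4xx/5xx from internic.net would silently replace the hints with junk and the oneshot would report success; `/bin/curl -f --proto =https -o ...` on each line closes that.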