Pidfiles aren't needed while running unbound through systemd.
The PID of the unbound daemon can still be obtained with:
'systemctl show --property MainPID --value unbound'.
While disabling pidfiles we can also drop CAP_CHOWN and writable
/run directory.
CAP_IPC_LOCK controls whether a process can lock pages into physical
memory (for instance to prevent passwords or private keys from
being swapped to disk), e.g. mmap() with the MAP_LOCKED flag or
shmctl() with the SHM_LOCK command, neither of which seem to be
used by unbound.
State directory will be created under /var/lib/unbound and will be
useful for writing various files managed at runtime like trust
anchors updates there instead of in ConfigureDirectory which could
be made read-only next. For this chroot needs to be disabled.
The real purpose of this service is to make it work with
https://systemd.io/PORTABLE_SERVICES/ which are incompatible with
chroot workarounds from original unbound.service.
The service content is identical to unbound.service with exception
for chroot related rules which were modified as needed.
Adding 'RuntimeDirectory' is needed when pidfile path is set to
subdirectory under /run.
Adding ConfigurationDirectory may help in some non-standard setups.
Also add more descriptions about used rules to avoid user confusion
about they meaning and purpose.
This commit removes the hardcoded dependency in the libunbound
pkg-config .pc file on the libcrypto and libssl modules and instead
populates the .pc file based on which crypto library was selected at
configure time.
Note that the .pc file specifies pkg-config module names for the
"Requires" line and this can vary from the library filename (e.g. "nss"
is the pkg-config module name vs. "nss3" being the library name).
According to the pkg-config manpage, the "Libs" line in a .pc file
should give the link flags "specific to your package", and specifically
says not to include link flags for dependencies:
Libs: This line should give the link flags specific to your
package. Don't add any flags for required packages;
pkg-config will add those automatically.
Add a new configure option `--with-libbsd', which allows to use libbsd's
portable implementations of:
strlcpy strlcat arc4random arc4random_uniform reallocarray
instead of the embedded code copies in contrib/, which will be
difficult to maintain in the long term.
Also patch util/random.c so that, when building with libbsd and without
OpenSSL, arc4random can still be used as the PRNG. Otherwise, building
with libnettle would need a kernel-specific getentropy implementation,
and libbsd does not export one.
[edmonds@debian.org: Imported patch description from BTS, refreshed
patch against Unbound 1.9.6.]
- Merge PR#150 from Frzk: Systemd unit without chroot. It add
contrib/unbound_nochroot.service.in, a systemd file for use with
chroot: "", see comments in the file, it uses systemd protections
instead.
replacements for unbound-fuzzme.c that gets created after applying
the contrib/unbound-fuzzme.patch. They are contributed by
Eric Sesterhenn from X41 D-Sec.
queries, to stop random floods. Apply with
patch -p1 < contrib/drop-tld.diff and compile.
From Saksham Manchanda (Secure64). Please note that we think this
will drop DNSKEY and DS lookups for tlds and hence break DNSSEC
lookups for downstream clients.
CAP_KILL seems a bit too much privileges for the sole purpose of being able to make ExecReload= work.
Use the + prefix on ExecReload= instead to run "/bin/kill -HUP $MAINPID" with full privileges, ignoring the restrictions from CapabilityBoundingSet=.
See https://www.freedesktop.org/software/systemd/man/systemd.service.html#ExecStart= for further details about the + prefix in ExecReload=.
The ExecReload command calls kills on a process owned by the unbound user (or whatever user is configured). To do so, it needs the CAP_KILL capability.
This is needed when unbound config doesn't set "do-daemonize: no" by itself otherwise starting service fails with:
systemd[1]: unbound.service: Got notification message from PID <PID>, but reception only permitted for main PID which is currently not known
https://github.com/NLnetLabs/unbound/blob/release-1.9.3/doc/example.conf.in#L236
Since kernel 3.2, CAP_NET_RAW instead of CAP_NET_ADMIN is sufficient to allow for the usage of the IP_TRANSPARENT socket option. CAP_NET_ADMIN allows far more mayhem then CAP_NET_RAW, so prefer the safer, more restrictive solution.
1. Remove `ProtectKernelTunables=true`: This prevents various with socket options from working as shown below.
`unbound[] warning: so-rcvbuf 1048576 was not granted. Got 425984. To fix: start with root permissions(linux) or sysctl bigger net.core.rmem_max(linux) or kern.ipc.maxsockbuf(bsd) values.`
2. Add `CAP_NET_ADMIN` to available caps which is needed for `ip-transparent: yes` config option to work as shown below.
`unbound[] warning: setsockopt(.. IP_TRANSPARENT ..) failed: Operation not permitted`
3. Make `ReadWritePaths` less permissive: `UNBOUND_SYSCONF_DIR` equals to `sysconfdir` which usually equals to `/etc` and `UNBOUND_LOCALSTATE_DIR` equals to `localstatedir` which usually equals to `/var`. Allowing write access for those dirs shouldn't be needed. The only dirs unbound should be allow to write to are `/run` ( for pidfile), `@UNBOUND_RUN_DIR@` (for chroot) and `@UNBOUND_CHROOT_DIR@` in case it differs from the previous one.
4. Bind-mount `/run/systemd/notify`, `UNBOUND_PIDFILE`, `/dev/log`, `/dev/urandom` in order to use them inside chroot.
5. Add few extra hardening options: `RestrictNamespaces`, `LockPersonality` and `RestrictSUIDSGID` should be safe to use.
Add unit dependency ordering (based on systemd-resolved).
Add 'CAP_SYS_RESOURCE' to 'CapabilityBoundingSet' (fixes warnings
about missing privileges during startup). Add 'AF_INET6' to
'RestrictAddressFamilies' (without it IPV6 can't work). From
Guido Shanahan.
git-svn-id: file:///svn/unbound/trunk@4834 be551aaa-1e26-0410-a405-d3ace91eadb9
