---------------------------------------- From: Archange via arch-general <arch-general@lists.archlinux.org> Sent: Sat Feb 06 17:51:25 CET 2021 To: General Discussion about Arch Linux <arch-general@lists.archlinux.org> Cc: Archange <archange@archlinux.org> Subject: Re: [arch-general] nsd 4.3.5 broken
Le 06/02/2021 à 20:00, Archange via arch-general a écrit :
Le 06/02/2021 à 18:51, Genes Lists via arch-general a écrit :
On 2/6/21 9:34 AM, Genes Lists via arch-general wrote:
I tried couple more things.
I changed RunTimeDirecroy=/etc/nad # it was previosuly set to: =nsd
Now I can get nsd to start up, but get this problem:
nsd[10230]: setsockopt(..., IP_TRANSPARENT, ...) failed for tcp: Operation not permitted
So if you use this option (IP_TRANSPARENT), which is non-default, you might want to add a service drop-in extending CapabilityBoundingSet to also include CAP_NET_ADMIN. Since I expect this to be a non-standard use case, I’d prefer to not add it by default and rather document it on the wiki.
I disagree with downstream hardening efforts that limit app features (even when they aren't default) and passing the burden of making things work to users. Security should be transparent and not block legitimate app usage. I recommend to add relevant capability to systemd service. This was done for unbound when similar issue popped out. Yours sincerely G. K.