[arch-commits] Commit in nsd/trunk (PKGBUILD nsd.install nsd.service)
Bruno Pagani
archange at archlinux.org
Sat Feb 6 22:13:22 UTC 2021
Date: Saturday, February 6, 2021 @ 22:13:22
Author: archange
Revision: 847455
More and less hardening
Add missing bits and loosen some other for capabilities to work.
Also add a .INSTALL file to warn about cert/key perms.
Added:
nsd/trunk/nsd.install
Modified:
nsd/trunk/PKGBUILD
nsd/trunk/nsd.service
-------------+
PKGBUILD | 5 +++--
nsd.install | 5 +++++
nsd.service | 18 +++++++++++-------
3 files changed, 19 insertions(+), 9 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2021-02-06 22:13:18 UTC (rev 847454)
+++ PKGBUILD 2021-02-06 22:13:22 UTC (rev 847455)
@@ -5,7 +5,7 @@
pkgname=nsd
pkgver=4.3.5
-pkgrel=2
+pkgrel=3
pkgdesc="Authoritative only, high performance and simple DNS server"
arch=(x86_64)
url="https://www.nlnetlabs.nl/nsd/"
@@ -20,9 +20,10 @@
nsd.tmpfiles)
sha256sums=('7da2b43e30b3d7f307722c608f719bfb169f0d985c764a34fa0669dc33484472'
'SKIP'
- '2849d5d52fa70ac695c9e9f3ac57de9e3946203d85f6a0bbf5184fa85191c137'
+ '51dcf15195be0f6a4154a29ad882eabe180b2413e6b3cadbb1535885ff0d4dfa'
'12ce2a05fbb23bb38c31933530a7773f796e250691843b9da76f178f5e7c94f5'
'07a31cecdc787c7ef44018dfc696115bd7b5d44b6e93f56c6c08ed0887d51579')
+install=nsd.install
prepare() {
cd ${pkgname}-${pkgver}
Added: nsd.install
===================================================================
--- nsd.install (rev 0)
+++ nsd.install 2021-02-06 22:13:22 UTC (rev 847455)
@@ -0,0 +1,5 @@
+post_upgrade() {
+ if [ "$(vercmp "$2" "4.3.5")" -le 0 ]; then
+ echo "nsd now runs as a dedicated nsd user and group. If you use certs and keys, make sure they are readable by the nsd user or group."
+ fi
+}
Modified: nsd.service
===================================================================
--- nsd.service 2021-02-06 22:13:18 UTC (rev 847454)
+++ nsd.service 2021-02-06 22:13:22 UTC (rev 847455)
@@ -3,24 +3,26 @@
After=network.target
[Service]
+Type=notify
User=nsd
Group=nsd
-PermissionsStartOnly=true
RuntimeDirectory=nsd
ReadWritePaths=/var/db/nsd
PIDFile=/run/nsd/nsd.pid
ExecStart=/usr/bin/nsd -d -c /etc/nsd/nsd.conf
-ExecReload=/bin/kill -HUP $MAINPID
-ExecStop=/bin/kill -TERM $MAINPID
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStop=+/bin/kill -TERM $MAINPID
Restart=always
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-NoNewPrivileges=True
-#SecureBits=noroot-locked
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+NoNewPrivileges=true
+SecureBits=noroot-locked
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
-PrivateUsers=true
+#Not compatible with Capabilities
+#PrivateUsers=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
@@ -29,10 +31,12 @@
ProtectControlGroups=true
LockPersonality=true
MemoryDenyWriteExecute=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
[Install]
WantedBy=multi-user.target
More information about the arch-commits
mailing list