[arch-commits] Commit in nsd/trunk (PKGBUILD nsd.install nsd.service)

Sat Feb 6 22:13:22 UTC 2021

Date: Saturday, February 6, 2021 @ 22:13:22
  Author: archange
Revision: 847455

More and less hardening

Add missing bits and loosen some other for capabilities to work.
Also add a .INSTALL file to warn about cert/key perms.

Added:
  nsd/trunk/nsd.install
Modified:
  nsd/trunk/PKGBUILD
  nsd/trunk/nsd.service

-------------+
 PKGBUILD    |    5 +++--
 nsd.install |    5 +++++
 nsd.service |   18 +++++++++++-------
 3 files changed, 19 insertions(+), 9 deletions(-)

Modified: PKGBUILD
===================================================================

--- PKGBUILD	2021-02-06 22:13:18 UTC (rev 847454)
+++ PKGBUILD	2021-02-06 22:13:22 UTC (rev 847455)
@@ -5,7 +5,7 @@
 
 pkgname=nsd
 pkgver=4.3.5
-pkgrel=2
+pkgrel=3
 pkgdesc="Authoritative only, high performance and simple DNS server"
 arch=(x86_64)
 url="https://www.nlnetlabs.nl/nsd/"
@@ -20,9 +20,10 @@
         nsd.tmpfiles)
 sha256sums=('7da2b43e30b3d7f307722c608f719bfb169f0d985c764a34fa0669dc33484472'
             'SKIP'
-            '2849d5d52fa70ac695c9e9f3ac57de9e3946203d85f6a0bbf5184fa85191c137'
+            '51dcf15195be0f6a4154a29ad882eabe180b2413e6b3cadbb1535885ff0d4dfa'
             '12ce2a05fbb23bb38c31933530a7773f796e250691843b9da76f178f5e7c94f5'
             '07a31cecdc787c7ef44018dfc696115bd7b5d44b6e93f56c6c08ed0887d51579')
+install=nsd.install
 
 prepare() {
   cd ${pkgname}-${pkgver}

Added: nsd.install
===================================================================
--- nsd.install	                        (rev 0)
+++ nsd.install	2021-02-06 22:13:22 UTC (rev 847455)
@@ -0,0 +1,5 @@
+post_upgrade() {
+  if [ "$(vercmp "$2" "4.3.5")" -le 0 ]; then
+    echo "nsd now runs as a dedicated nsd user and group. If you use certs and keys, make sure they are readable by the nsd user or group."
+  fi  
+}

Modified: nsd.service
===================================================================
--- nsd.service	2021-02-06 22:13:18 UTC (rev 847454)
+++ nsd.service	2021-02-06 22:13:22 UTC (rev 847455)
@@ -3,24 +3,26 @@
 After=network.target
 
 [Service]
+Type=notify
 User=nsd
 Group=nsd
-PermissionsStartOnly=true
 RuntimeDirectory=nsd
 ReadWritePaths=/var/db/nsd
 PIDFile=/run/nsd/nsd.pid
 ExecStart=/usr/bin/nsd -d -c /etc/nsd/nsd.conf
-ExecReload=/bin/kill -HUP $MAINPID
-ExecStop=/bin/kill -TERM $MAINPID
+ExecReload=+/bin/kill -HUP $MAINPID
+ExecStop=+/bin/kill -TERM $MAINPID
 Restart=always
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-NoNewPrivileges=True
-#SecureBits=noroot-locked
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+NoNewPrivileges=true
+SecureBits=noroot-locked
 ProtectSystem=strict
 ProtectHome=true
 PrivateTmp=true
 PrivateDevices=true
-PrivateUsers=true
+#Not compatible with Capabilities
+#PrivateUsers=true
 ProtectHostname=true
 ProtectClock=true
 ProtectKernelTunables=true
@@ -29,10 +31,12 @@
 ProtectControlGroups=true
 LockPersonality=true
 MemoryDenyWriteExecute=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
 
 [Install]
 WantedBy=multi-user.target

