[arch-general] nsd 4.3.5 broken

Geo Kozey geokozey at mailfence.com
Sat Feb 6 17:03:53 UTC 2021


> ----------------------------------------
> From: Archange via arch-general <arch-general at lists.archlinux.org>
> Sent: Sat Feb 06 17:51:25 CET 2021
> To: General Discussion about Arch Linux <arch-general at lists.archlinux.org>
> Cc: Archange <archange at archlinux.org>
> Subject: Re: [arch-general] nsd 4.3.5 broken
> 
> 
> Le 06/02/2021 à 20:00, Archange via arch-general a écrit :
> > Le 06/02/2021 à 18:51, Genes Lists via arch-general a écrit :
> >> On 2/6/21 9:34 AM, Genes Lists via arch-general wrote:
> >>>
> >>
> >> I tried couple more things.
> >>
> >> I changed RuntimeDirectory=/etc/nad   # it was previously set to: =nsd
> >>
> >> Now I can get nsd to start up, but get this problem:
> >>
> >>   nsd[10230]: setsockopt(..., IP_TRANSPARENT, ...) failed for tcp: 
> >> Operation not permitted
> 
> So if you use this option (IP_TRANSPARENT), which is non-default, you 
> might want to add a service drop-in extending CapabilityBoundingSet to 
> also include CAP_NET_ADMIN. Since I expect this to be a non-standard use 
> case, I’d prefer to not add it by default and rather document it on the 
> wiki.

I disagree with downstream hardening efforts that limit app features (even when
they aren't default) and pass the burden of making things work on to users.
Security should be transparent and not block legitimate app usage. I recommend
adding the relevant capability to the systemd service. This was done for unbound when
a similar issue popped up.

Yours sincerely

G. K.
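The drop-in Archange describes, written out as an added example (it is not from the thread or from the nsd package). It assumes the unit is named nsd.service, starts nsd as root with a packaged CapabilityBoundingSet= line, and lets nsd drop privileges itself; the file path is an assumption as well.

```ini
# /etc/systemd/system/nsd.service.d/ip-transparent.conf (assumed path; `systemctl edit nsd` creates an equivalent file)
[Service]
# Repeated CapabilityBoundingSet= lines without a leading "~" are merged by OR,
# so this adds CAP_NET_ADMIN (required for setsockopt(IP_TRANSPARENT)) to the
# packaged set instead of replacing it. Only the single extra capability is
# granted; the rest of the packaged hardening stays in place.
CapabilityBoundingSet=CAP_NET_ADMIN
# Only relevant if the unit were changed to run under User= instead of starting
# as root (assumed not to be the case here): an unprivileged process also needs
# the capability in its ambient set to keep it across exec.
#AmbientCapabilities=CAP_NET_ADMIN
```

After `systemctl daemon-reload`, `systemctl show nsd -p CapabilityBoundingSet` should list cap_net_admin next to the packaged capabilities, and the setsockopt error should no longer appear in the journal.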

