From e845ef8968e37045c87812e28f9253518139cd98 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 27 Apr 2017 12:04:36 -0700
Subject: [PATCH] Provide guidance for integration with systemd

Stubby needs to be able to bind to privileged ports, but otherwise
shouldn't need root capabilities.

systemd makes it easy to set the minimal capability set while
otherwise launching the daemon as a non-privileged user.

Ship these files upstream for distributors to deploy.
---
 systemd/README.md      | 16 ++++++++++++++++
 systemd/stubby.conf    |  2 ++
 systemd/stubby.service | 12 ++++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 systemd/README.md
 create mode 100644 systemd/stubby.conf
 create mode 100644 systemd/stubby.service

diff --git a/systemd/README.md b/systemd/README.md
new file mode 100644
index 00000000..98cea72d
--- /dev/null
+++ b/systemd/README.md
@@ -0,0 +1,16 @@
+Stubby integration with systemd
+===============================
+
+For GNU/Linux operating systems which use systemd as a process
+manager, you might want to run stubby as a system service.
+
+This directory provides recommended systemd unit files.
+
+This setup assumes that there is a system-level user named "stubby"
+which is in group "stubby", and try to limit the privileges of the
+running daemon to that user as closely as possible.
+
+Normally, a downstream distributor will install them as:
+
+    /usr/lib/tmpfiles.d/stubby.conf
+    /lib/systemd/system/stubby.service
diff --git a/systemd/stubby.conf b/systemd/stubby.conf
new file mode 100644
index 00000000..bf704927
--- /dev/null
+++ b/systemd/stubby.conf
@@ -0,0 +1,2 @@
+# tmpfiles.d (5) for use with stubby.service
+d /run/stubby 0750 root stubby - -
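Review bot: The directory is created root-owned with mode 0750, so the `stubby` user (reaching it only through the group bits) gets read and traverse but not write; the companion unit sets `WorkingDirectory=/run/stubby`, and if the daemon ever writes anything into its working directory (a pid file, a socket, cached state) that write will fail with EACCES. If write access is intended, own it by the service user, `d /run/stubby 0750 stubby stubby - -`; if only the existence of the directory matters, say so in the comment on the first line so a distributor does not loosen it later. As an alternative that removes the tmpfiles.d file entirely, `RuntimeDirectory=stubby` in the `[Service]` section makes systemd create `/run/stubby` owned by the service user for the unit's lifetime, which also keeps the ownership decision in one place.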
diff --git a/systemd/stubby.service b/systemd/stubby.service
new file mode 100644
index 00000000..b85b8e90
--- /dev/null
+++ b/systemd/stubby.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=stubby DNS resolver
+
+[Service]
+WorkingDirectory=/run/stubby
+ExecStart=/usr/bin/stubby
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+User=stubby
+
+[Install]
+WantedBy=multi-user.target
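Review bot: The `[Unit]` section has no ordering against the network, so a resolver started this early may try to open its listening and upstream sockets before any interface is configured; `After=network.target` is the minimal fix. The unit also relies on the user's primary group matching the `stubby` group that stubby.conf grants access to `/run/stubby`; an explicit `Group=stubby` next to `User=stubby` makes that assumption visible and robust to how the account was created. Since the commit message's stated goal is to limit the daemon to the smallest privilege set, the usual sandboxing directives are worth adding alongside the capability lines; the ones below are presumably compatible with the daemon's file needs, but that should be confirmed against what stubby reads and writes before shipping (in particular, `ProtectSystem=` variants make most of the filesystem read-only).
```ini
[Unit]
Description=stubby DNS resolver
After=network.target

[Service]
# … unchanged: WorkingDirectory, ExecStart, AmbientCapabilities, CapabilityBoundingSet …
User=stubby
Group=stubby
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=full
ProtectHome=yes
Restart=on-failure

# … unchanged: [Install] section …
```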