Linux capabilities rewrite

Hi,

This branch simplifies knot's implementation of Linux capabilities. See the discussion in #546 (closed) for details. Basically, this allows knotd to be started as a non-root user with elevated capabilities, e.g.:

[Service]
User=knot
Group=knot
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETPCAP
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP

This causes knotd to be started as a non-root user/group (knot:knot). After knotd binds to privileged ports (using CAP_NET_BIND_SERVICE), it gives up all its capabilities (using CAP_SETPCAP), resulting in a completely unprivileged process.

Thanks!
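To make the sequence in the description concrete (bind a privileged port with CAP_NET_BIND_SERVICE, then use CAP_SETPCAP to give everything up), here is an added, stand-alone C example. It is not knotd's code or this branch's implementation: it talks to the kernel through the raw capget/capset syscalls and prctl instead of libcap, the port number and socket type are arbitrary choices, and the bounding-set loop simply reports how many entries it could not drop when CAP_SETPCAP is absent (as it is when the unit above is used without CapabilityBoundingSet/AmbientCapabilities granting it).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Raw syscalls (hypothetical helpers, no libcap needed). API version 3
 * carries two 32-bit words per capability set. */
static int raw_capget(struct __user_cap_header_struct *hdr,
                      struct __user_cap_data_struct *data)
{
    return (int)syscall(SYS_capget, hdr, data);
}

static int raw_capset(struct __user_cap_header_struct *hdr,
                      const struct __user_cap_data_struct *data)
{
    return (int)syscall(SYS_capset, hdr, data);
}

/* Returns 1 when the calling thread's permitted and effective sets are
 * both empty, i.e. the process is "completely unprivileged". */
int caps_are_empty(void)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof(data));
    if (raw_capget(&hdr, data) != 0)
        return 0;
    for (int i = 0; i < _LINUX_CAPABILITY_U32S_3; i++)
        if (data[i].permitted != 0 || data[i].effective != 0)
            return 0;
    return 1;
}

/* Step 1 (needs CAP_NET_BIND_SERVICE for port < 1024): bind a TCP socket.
 * Returns the listening fd or -1. */
int bind_tcp_port(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) != 0 || listen(fd, 8) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Step 2: drop everything. Ambient set first (never needs privilege), then
 * the bounding set (each drop needs CAP_SETPCAP, which is why the unit grants
 * it), finally inheritable/permitted/effective via capset, which always lets
 * a task shrink its own sets. Returns 0 when permitted and effective are
 * empty afterwards, -1 otherwise. *bounding_left receives the number of
 * bounding-set entries that could not be dropped (0 when CAP_SETPCAP was held). */
int drop_all_capabilities(int *bounding_left)
{
    int left = 0;
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) != 0 && errno != EINVAL)
        return -1;
    for (int cap = 0; cap <= CAP_LAST_CAP; cap++)
        if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            left++;                      /* EPERM: no CAP_SETPCAP; EINVAL: unknown cap */
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct zero[_LINUX_CAPABILITY_U32S_3];
    memset(zero, 0, sizeof(zero));
    if (raw_capset(&hdr, zero) != 0)
        return -1;
    if (bounding_left)
        *bounding_left = left;
    return caps_are_empty() ? 0 : -1;
}

int main(void)
{
    int fd = bind_tcp_port(53);          /* privileged port, as a DNS daemon would */
    int left = 0;
    int rc = drop_all_capabilities(&left);
    printf("bind fd=%d, drop rc=%d, bounding entries kept=%d, uid=%u\n",
           fd, rc, left, (unsigned)getuid());
    return rc == 0 ? 0 : 1;
}
```

Run it as an unprivileged user with `AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP` (or via `systemd-run -p AmbientCapabilities=...`) and the bind succeeds, `drop rc=0` and `bounding entries kept=0`; run it plainly and the bind fails while the drop still reports an empty permitted/effective set, which is the state knotd ends in regardless of how it was started. The ordering matters: clearing the ambient set before the bounding set is harmless, but dropping permitted before binding would make the bind fail.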