-
When the effective user is root, no capabilities are dropped. This change has no effect when running as non-privileged user or when switching to non-privileged user via user() in config. Dropping capabilities as a root user resulted in the following unexpected behaviour: 1. When using trust anchor update, r/w access to root keys is neeeded. These are typically owned by knot-resolver user. When kresd is executed as root and capabilities are dropped, this file was no longer writable, because it is owned by knot-resolver, not root. 2. It is impossible to recreate/resize cache due to the same permission issue as above. If you want to drop capabilities when starting kresd as a root user, you can switch the user with the `user()` command. This changes the effective user ID and drops any capabilities as well.
When the effective user is root, no capabilities are dropped. This change has no effect when running as non-privileged user or when switching to non-privileged user via user() in config. Dropping capabilities as a root user resulted in the following unexpected behaviour: 1. When using trust anchor update, r/w access to root keys is neeeded. These are typically owned by knot-resolver user. When kresd is executed as root and capabilities are dropped, this file was no longer writable, because it is owned by knot-resolver, not root. 2. It is impossible to recreate/resize cache due to the same permission issue as above. If you want to drop capabilities when starting kresd as a root user, you can switch the user with the `user()` command. This changes the effective user ID and drops any capabilities as well.
To find the state of this project's repository at the time of any of these versions, check out the tags.
Loading