  1. Aug 03, 2020
  2. Jul 27, 2020
  3. Jul 23, 2020
  4. Jul 16, 2020
  5. Jul 15, 2020
  6. Jul 14, 2020
  7. Jul 10, 2020
  8. Jul 08, 2020
  9. Jul 03, 2020
    • meson: add build options to disable libcapng · e9d15b7e
      Tomas Krizek authored and Vladimír Čunát committed
    • daemon: don't drop capabilities when running as root · 15d5b3d1
      Tomas Krizek authored and Vladimír Čunát committed
      When the effective user is root, no capabilities are dropped. This
      change has no effect when running as a non-privileged user or when
      switching to a non-privileged user via user() in config.
      
      Dropping capabilities as a root user resulted in the following
      unexpected behaviour:
      
      1. When using trust anchor update, r/w access to root keys is needed.
         These are typically owned by knot-resolver user. When kresd is
         executed as root and capabilities are dropped, this file was no longer
         writable, because it is owned by knot-resolver, not root.
      2. It is impossible to recreate/resize cache due to the same permission
         issue as above.
      
      If you want to drop capabilities when starting kresd as a root user,
      you can switch the user with the `user()` command. This changes the
      effective user ID and drops any capabilities as well.
  10. Jul 01, 2020
  11. Jun 30, 2020