Hi Michael,

On 5/16/20 10:43 PM, Michael Ströder via Pdns-users wrote:
> On 5/16/20 10:25 PM, bert hubert wrote:
>> On Sat, May 16, 2020 at 08:42:21PM +0200, Michael Ströder via Pdns-users
>> wrote:
>>> But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and
>>> AmbientCapabilities= and I could not find a reason in the git history of
>>> that file.
>>
>> We chown the UNIX domain control socket to the 'setgid' and 'setuid'
>> setting.
>>
>> This is likely why we need CAP_CHOWN.
>
> It seems to create the control socket just fine because the User= and
> Group= are set:
>
> srwxr-xr-x 1 pdns pdns 0 May 16 22:39
> /run/pdns-recursor/pdns_recursor.controlsocket=
>
> Anything more I could test to ensure that it's safe to remove CAP_CHOWN?

As far as I can tell the only call to chown() in the recursor is to update the ownership of the Unix domain control socket to the value defined by the "socket-owner" and "socket-group" settings. Therefore I don't think we need CAP_CHOWN if these are not set (which is the default).

Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
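
One way to check the condition from the reply above before editing a unit file, as an added example that is not part of the original thread or PowerDNS's own tooling. The function names are hypothetical, the sample files are constructed, and the check assumes all settings live in the single config file passed in (no include directories or command-line overrides).

```shell
#!/bin/sh
# Return 0 if a setting has a non-empty value on any uncommented line.
conf_is_set() {  # $1 = recursor config file, $2 = setting name
    sed -e 's/#.*$//' "$1" | awk -F= -v key="$2" '
        { k = $1; gsub(/[ \t]/, "", k)
          v = substr($0, index($0, "=") + 1); gsub(/[ \t]/, "", v)
          if (index($0, "=") > 0 && k == key && v != "") found = 1 }
        END { exit(found ? 0 : 1) }'
}

# Return 0 if the unit grants CAP_CHOWN in either capability directive.
# An inverted list (=~CAP_CHOWN) deliberately does not match.
unit_grants_chown() {  # $1 = unit file
    grep -Eq '^(CapabilityBoundingSet|AmbientCapabilities)=(.* )?CAP_CHOWN( |$)' "$1"
}

# Print "absent" (unit does not grant it), "keep" (socket-owner or
# socket-group is set, so the chown() of the control socket is used), or
# "drop" (neither is set, the case the reply says does not need CAP_CHOWN).
chown_cap_verdict() {  # $1 = recursor config file, $2 = unit file
    if ! unit_grants_chown "$2"; then
        echo absent
    elif conf_is_set "$1" socket-owner || conf_is_set "$1" socket-group; then
        echo keep
    else
        echo drop
    fi
}

# Constructed sample inputs (not the project's shipped files).
make_samples() {  # $1 = directory to write into
    printf '%s\n' '[Service]' 'User=pdns' 'Group=pdns' \
        'CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN' \
        'AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN' > "$1/unit.service"
    printf '%s\n' '# socket-owner=' 'local-address=127.0.0.1' > "$1/default.conf"
    printf '%s\n' 'socket-group=dnsadmin  # constructed value' > "$1/custom.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp"
echo "default.conf: $(chown_cap_verdict "$tmp/default.conf" "$tmp/unit.service")"
echo "custom.conf:  $(chown_cap_verdict "$tmp/custom.conf" "$tmp/unit.service")"
rm -rf "$tmp"
```

A "drop" verdict only reflects the config file; confirm after the change that the control socket is still created with the expected owner, as in the listing quoted in the thread.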