Hello,
On 3.6.2018 10:25, Ondrej Vaško wrote:
> Hello knot-resolver users,
> I have a question about the design of the systemd service for knot-resolver. I
> installed knot-resolver from the OpenSuse repository
> <https://software.opensuse.org//download.html?project=home%3ACZ-NIC%3Aknot-resolver-latest&package=knot-resolver>
> on Ubuntu 16 and 18.
> The systemd service uses the user *knot-resolver*. But this user cannot bind
> to unprivileged ports, so when I have a configuration like the one below, where I
> bind to a network interface on a privileged port and change the user context, it
> fails with "[system] bind to '10.20.30.118@853' Permission denied":
> ```lua
> net.listen({'10.20.30.118'}, 853, { tls = true })
> user('knot-resolver', 'knot-resolver')
> ```
> To fix this I changed User *knot-resolver* to *root* in the systemd service.
> Now the service starts running as root, binds to the network interface and then
> changes context.
> My question is, is this solution security-wise fine? Why is the systemd
> service designed to run as user knot-resolver, when I guess many people
> will need to override this in order to use knot-resolver properly? What
> is the main idea? Or is there a different approach to overcome this
> (such as Linux capabilities)?
The most secure configuration for systems with systemd is described in
$ man kresd.systemd
It is done using systemd drop-in files and avoids running code under the
root user completely. Please let us know if the man page is not clear;
we will be happy to clarify.
Petr Špaček @ CZ.NIC
> Thank you for the responses, and please correct me in anything if I am wrong.
> Ondrej Vaško
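To illustrate the two approaches discussed in this thread (the `User=root` override from the question versus a drop-in that keeps the service unprivileged, using the Linux capabilities the question mentions), here is an added example. It is not the text of the kresd.systemd man page, whose recommended drop-ins are the authority and may use a different mechanism; the unit name and file path are assumptions to be checked against the installed package.

```ini
# Hypothetical drop-in: /etc/systemd/system/<kresd unit>.service.d/override.conf
# Create it with `systemctl edit <unit>`; the unit name shipped by the package is
# assumed here, check it with `systemctl list-units 'kresd*'`.
#
# Weak workaround from the question (avoid): the whole process starts as root
# and only the user() call in kresd.conf drops privileges after bind().
#   [Service]
#   User=root
#
# Hardened alternative: stay as knot-resolver and grant only the single
# capability needed to bind the privileged port 853. The process never has
# root's full privileges, so a bug in the resolver cannot be used to regain them.
[Service]
User=knot-resolver
Group=knot-resolver
# CAP_NET_BIND_SERVICE is enough for bind() on ports below 1024.
AmbientCapabilities=CAP_NET_BIND_SERVICE
# Limit the bounding set so no other capability can ever be acquired.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Ambient capabilities survive execve even with NoNewPrivileges enabled.
NoNewPrivileges=true
```

With this drop-in the `user('knot-resolver', 'knot-resolver')` line in kresd.conf is no longer needed, since the service already starts as that user; run `systemctl daemon-reload` and restart the unit after editing.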