Need CAP_SYS_CHROOT in /lib/systemd/system/pdns-recursor.service for chroot option in config

Bug #1669377 reported by Lars
This bug affects 1 person

Affects: pdns-recursor (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Hi maintainers,
as it is possible to chroot the pdns-recursor, it would be nice to have CAP_SYS_CHROOT added by default to the CapabilityBoundingSet.
Thank you!
Greetings,
   Lars

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: pdns-recursor 4.0.0~alpha2-2ubuntu0.1 [modified: lib/systemd/system/pdns-recursor.service]
ProcVersionSignature: Ubuntu 4.4.0-64.85-generic 4.4.44
Uname: Linux 4.4.0-64-generic x86_64
NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Thu Mar 2 12:44:40 2017
SourcePackage: pdns-recursor
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.powerdns.recursor.conf: [modified]
mtime.conffile..etc.powerdns.recursor.conf: 2016-09-05T09:18:18.814824

Revision history for this message
Lars (lollypop) wrote :

# systemctl cat pdns-recursor.service
# /lib/systemd/system/pdns-recursor.service
[Unit]
Description=PowerDNS Recursor
Documentation=man:pdns_recursor(1) man:rec_control(1)
Wants=network-online.target
After=network-online.target

[Service]
Type=forking
ExecStart=/usr/sbin/pdns_recursor --daemon
Restart=on-failure
StartLimitInterval=0
PrivateTmp=true
PrivateDevices=true
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
LimitNOFILE=4200

[Install]
WantedBy=multi-user.target
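The unit above is the reporter's modified copy; the point of the report is that the stock unit's CapabilityBoundingSet= omits CAP_SYS_CHROOT, and chroot(2) requires that capability, so a recursor configured with chroot= will fail to enter the chroot once the bounding set has dropped it. The script below is an added example, not code from the bug report or from the pdns-recursor package: it reads a recursor.conf and a unit file, decides whether chroot= is in use, and checks whether the unit's bounding set still permits CAP_SYS_CHROOT, including the inverted (~) list form. The sample configuration and unit files are constructed here to mirror the report; the helper assumes a single CapabilityBoundingSet= assignment per unit (systemd merges repeated assignments, which this simplified check does not model).

```shell
#!/bin/sh
# Added example (not from the bug report or the pdns-recursor package):
# does the unit's CapabilityBoundingSet= agree with chroot= in recursor.conf?

# Print the value of the last CapabilityBoundingSet= assignment in a unit file.
# Assumption: a single assignment; systemd would merge repeated ones.
unit_cap_bounding_set() {
    # $1 = unit file
    sed -n 's/^[[:space:]]*CapabilityBoundingSet=[[:space:]]*//p' "$1" | tail -n 1
}

# Return 0 if the unit leaves capability $2 in the bounding set, 1 if it drops it.
# Absent directive: full bounding set kept. Empty assignment: every cap dropped.
# A value starting with '~' is an inverted list: everything except those caps.
unit_allows_cap() {
    # $1 = unit file, $2 = capability name (e.g. CAP_SYS_CHROOT)
    if ! grep -q '^[[:space:]]*CapabilityBoundingSet=' "$1"; then
        return 0
    fi
    caps=$(unit_cap_bounding_set "$1")
    case "$caps" in
        "") return 1 ;;
        "~"*)
            echo "${caps#"~"}" | tr ' ' '\n' | grep -qxF "$2" && return 1
            return 0 ;;
        *)
            echo "$caps" | tr ' ' '\n' | grep -qxF "$2" ;;
    esac
}

# Return 0 if recursor.conf sets chroot= to a non-empty path (comments ignored).
conf_uses_chroot() {
    # $1 = recursor.conf
    grep -Eq '^[[:space:]]*chroot[[:space:]]*=[[:space:]]*[^[:space:]#]' "$1"
}

# 0: chroot= set and the unit grants CAP_SYS_CHROOT
# 1: chroot= not set, nothing to check
# 2: chroot= set but the unit drops CAP_SYS_CHROOT (the case in this report)
check_chroot_caps() {
    # $1 = recursor.conf, $2 = unit file
    if ! conf_uses_chroot "$1"; then
        echo "chroot= not set; CAP_SYS_CHROOT not needed"
        return 1
    fi
    if unit_allows_cap "$2" CAP_SYS_CHROOT; then
        echo "chroot= set and unit grants CAP_SYS_CHROOT"
        return 0
    fi
    echo "chroot= set but CapabilityBoundingSet= drops CAP_SYS_CHROOT: chroot(2) will fail with EPERM"
    return 2
}

# Constructed sample files (not real deployment data).
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/recursor.conf" <<'EOF'
# chroot=/var/spool/powerdns   (commented out, must not count)
chroot=/var/spool/powerdns
local-address=127.0.0.1
EOF

# Unit as the report implies the stock package ships it: no CAP_SYS_CHROOT.
cat > "$SAMPLE_DIR/stock.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/pdns_recursor --daemon
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
NoNewPrivileges=true
EOF

# Unit as modified by the reporter: CAP_SYS_CHROOT added.
cat > "$SAMPLE_DIR/modified.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/pdns_recursor --daemon
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
NoNewPrivileges=true
EOF

check_chroot_caps "$SAMPLE_DIR/recursor.conf" "$SAMPLE_DIR/stock.service" || true
check_chroot_caps "$SAMPLE_DIR/recursor.conf" "$SAMPLE_DIR/modified.service"
```

Run it against the real files with `check_chroot_caps /etc/powerdns/recursor.conf /lib/systemd/system/pdns-recursor.service`; a local override in /etc/systemd/system/pdns-recursor.service.d/ would need to be checked too, since `systemctl cat` shows the merged result while this script reads one file at a time.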

Revision history for this message
Chris Hofstaedtler (zeha) wrote :

chroot under systemd is not supported upstream.

Changed in pdns-recursor (Ubuntu):
status: New → Invalid