resolved: run as unpriviliged "systemd-resolve" user
authorTom Gundersen <teg@jklm.no>
Sun, 1 Jun 2014 21:01:20 +0000 (22:01 +0100)
committerTom Gundersen <teg@jklm.no>
Tue, 3 Jun 2014 08:40:28 +0000 (10:40 +0200)
This service is not yet network facing, but let's prepare nonetheless.
Currently all caps are dropped, but some may need to be kept in the
future.

Makefile.am
README
src/resolve/resolved.c
units/systemd-resolved.service.in

index b14a6c3..de42424 100644 (file)
@@ -4215,6 +4215,7 @@ CLEANFILES += \
        src/resolve/resolved-gperf.c
 
 systemd_resolved_LDADD = \
        src/resolve/resolved-gperf.c
 
 systemd_resolved_LDADD = \
+       libsystemd-capability.la \
        libsystemd-network.la \
        libsystemd-label.la \
        libsystemd-internal.la \
        libsystemd-network.la \
        libsystemd-label.la \
        libsystemd-internal.la \
diff --git a/README b/README
index 0ea5043..adc5b08 100644 (file)
--- a/README
+++ b/README
@@ -193,6 +193,11 @@ USERS AND GROUPS:
         facing service will drop privileges (with the exception of
         CAP_NET_*) and assumed this uid/gid for security reasons.
 
         facing service will drop privileges (with the exception of
         CAP_NET_*) and assumed this uid/gid for security reasons.
 
+        The name resolution daemon requires the "systemd-resolve"
+        system user and group to exist. During execution this network
+        facing service will drop privileges and assume this uid/gid
+        for security reasons.
+
 WARNINGS:
         systemd will warn you during boot if /etc/mtab is not a
         symlink to /proc/mounts. Please ensure that /etc/mtab is a
 WARNINGS:
         systemd will warn you during boot if /etc/mtab is not a
         symlink to /proc/mounts. Please ensure that /etc/mtab is a
index 2eaff60..f61b70f 100644 (file)
 #include "resolved.h"
 
 #include "mkdir.h"
 #include "resolved.h"
 
 #include "mkdir.h"
+#include "capability.h"
 
 int main(int argc, char *argv[]) {
         _cleanup_manager_free_ Manager *m = NULL;
 
 int main(int argc, char *argv[]) {
         _cleanup_manager_free_ Manager *m = NULL;
+        const char *user = "systemd-resolve";
+        uid_t uid;
+        gid_t gid;
         int r;
 
         log_set_target(LOG_TARGET_AUTO);
         int r;
 
         log_set_target(LOG_TARGET_AUTO);
@@ -42,11 +46,23 @@ int main(int argc, char *argv[]) {
                 goto out;
         }
 
                 goto out;
         }
 
+        r = get_user_creds(&user, &uid, &gid, NULL, NULL);
+        if (r < 0) {
+                log_error("Cannot resolve user name %s: %s", user, strerror(-r));
+                goto out;
+        }
+
         /* Always create the directory where resolv.conf will live */
         /* Always create the directory where resolv.conf will live */
-        r = mkdir_label("/run/systemd/resolve", 0755);
-        if (r < 0)
+        r = mkdir_safe_label("/run/systemd/resolve", 0755, uid, gid);
+        if (r < 0) {
                 log_error("Could not create runtime directory: %s",
                           strerror(-r));
                 log_error("Could not create runtime directory: %s",
                           strerror(-r));
+                goto out;
+        }
+
+        r = drop_privileges(uid, gid, 0);
+        if (r < 0)
+                goto out;
 
         r = manager_new(&m);
         if (r < 0) {
 
         r = manager_new(&m);
         if (r < 0) {
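Review bot: The new `r = drop_privileges(uid, gid, 0); if (r < 0) goto out;` is the only added failure path in main() that exits without a `log_error()`, unlike the get_user_creds() and mkdir_safe_label() checks right above it; unless drop_privileges() reports on its own, a failed privilege drop would terminate the service silently, so add `log_error("Failed to drop privileges: %s", strerror(-r));` before the `goto out`. The third argument keeps no capabilities, which matches the commit message, but that intent is worth recording at the call site so later network-facing work keeps exactly what it needs: `/* Keep no capabilities for now; a future listener on a privileged port would need CAP_NET_BIND_SERVICE here. */`. The ordering is right as written: the runtime directory is created and handed to uid/gid by mkdir_safe_label() while the process is still privileged, and only then are privileges dropped, so anything manager_new() does afterwards must work as the unprivileged user. main() continues past the end of this hunk.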
index f4bbb7c..9d422ca 100644 (file)
@@ -15,7 +15,7 @@ Type=notify
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-resolved
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-resolved
-CapabilityBoundingSet=
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
 
 [Install]
 WantedBy=multi-user.target
 
 [Install]
 WantedBy=multi-user.target
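Review bot: The widened `CapabilityBoundingSet=` on the replaced line is only needed at startup, until main() has created /run/systemd/resolve and called drop_privileges(), but nothing in the unit says so, and a reader could take it for the daemon's steady-state privilege. Add a comment above it: `# Needed only until systemd-resolved creates its runtime directory and drops to the systemd-resolve user; it keeps no capabilities afterwards.` CAP_SETUID/CAP_SETGID/CAP_SETPCAP cover the uid/gid switch and bounding-set drop, and CAP_CHOWN/CAP_FOWNER the chown/chmod of the runtime directory, but CAP_DAC_OVERRIDE has no obvious user in the visible resolved.c changes (mkdir in the root-owned /run/systemd should be covered by ownership), so it is worth confirming it is actually required before granting it, since the bounding set is the only limit that holds if the in-process drop is ever bypassed.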