FS#56290 - [powerdns-recursor] Please use setuid and setgid by default
Attached to Project:
Community Packages
Opened by Pieter Lexis (lieter) - Friday, 10 November 2017, 12:54 GMT
Last edited by Andreas Radke (AndyRTR) - Wednesday, 16 June 2021, 12:40 GMT
Details
Description:
The PowerDNS recursor supports dropping its privileges using the setuid and setgid configuration items. Right now, these are unset (as it is in the provided configuration file from upstream), meaning the process will run as root.

Please consider setting these options to:

setuid=nobody
setgid=nogroup

The powerdns-server package already does this for the authoritative server.

Steps to reproduce:
* Install
* `systemctl start pdns-recursor.service`
Closed by Andreas Radke (AndyRTR)
Wednesday, 16 June 2021, 12:40 GMT
Reason for closing: Fixed
Additional comments about closing: 4.3.1-1
In 4.3.0-alpha1 (https://blog.powerdns.com/2019/09/04/first-alpha-release-of-powerdns-recursor-4-3-0/), support was released for the --with-service-user and --with-service-group options that set the User and Group in the service files. All capabilities have been set correctly as well. So starting from 4.3.0, the PowerDNS Recursor is started as a non-privileged user. The package should add a sysusers.d drop-in for the recursor at that point.
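An added audit example, not part of the ticket and not Arch or PowerDNS code: it checks whether a recursor would end up running as root, covering both mechanisms discussed above (setuid/setgid in recursor.conf, User=/Group= in the service file). The function names and the sample file contents, including the `pdns-recursor` account name and the ExecStart path, are constructed for illustration.

```python
ROOT = {"", "root", "0"}  # unset, or explicitly root, means no privilege drop


def parse_settings(text, section=None):
    """Parse 'key=value' lines (last assignment wins), skipping comment lines.

    If `section` is given, only lines under that [section] header are read,
    which is how the [Service] block of a systemd unit is selected.
    """
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if section is not None and current != section:
            continue
        key, sep, value = line.partition("=")
        if sep:
            tokens = value.split()
            settings[key.strip()] = tokens[0] if tokens else ""
    return settings


def audit(recursor_conf, unit_file):
    """Return one finding per identity (user, group) that stays root."""
    unit = parse_settings(unit_file, section="Service")
    conf = parse_settings(recursor_conf)
    findings = []
    for what, unit_key, conf_key in (("user", "User", "setuid"),
                                     ("group", "Group", "setgid")):
        if unit.get(unit_key, "") not in ROOT:
            continue  # systemd starts the process unprivileged
        if conf.get(conf_key, "") not in ROOT:
            continue  # starts as root, then drops privileges itself
        findings.append(f"{what}: stays root ({unit_key}= and {conf_key}= unset)")
    return findings


# Constructed sample inputs (not copied from any package).
CONF_UNSET = "# setuid=\n# setgid=\n"
CONF_DROP = "setuid=nobody\nsetgid=nogroup\n"
UNIT_PLAIN = "[Unit]\nDescription=recursor\n[Service]\nExecStart=/usr/bin/pdns_recursor --daemon=no\n"
UNIT_USER = UNIT_PLAIN + "User=pdns-recursor\nGroup=pdns-recursor\n"

if __name__ == "__main__":
    print(audit(CONF_UNSET, UNIT_PLAIN))
```
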