Re: nsd 4.3.5 broken




> ----------------------------------------
> From: Archange via arch-general <arch-general@xxxxxxxxxxxxxxxxxxx>
> Sent: Sat Feb 06 17:51:25 CET 2021
> To: General Discussion about Arch Linux <arch-general@xxxxxxxxxxxxxxxxxxx>
> Cc: Archange <archange@xxxxxxxxxxxxx>
> Subject: Re:  nsd 4.3.5 broken
> 
> 
> On 06/02/2021 at 20:00, Archange via arch-general wrote:
> > On 06/02/2021 at 18:51, Genes Lists via arch-general wrote:
> >> On 2/6/21 9:34 AM, Genes Lists via arch-general wrote:
> >>>
> >>
> >> I tried a couple more things.
> >>
> >> I changed RuntimeDirectory=/etc/nad   # it was previously set to: =nsd
> >>
> >> Now I can get nsd to start up, but get this problem:
> >>
> >>   nsd[10230]: setsockopt(..., IP_TRANSPARENT, ...) failed for tcp: 
> >> Operation not permitted
> 
> So if you use this option (IP_TRANSPARENT), which is non-default, you 
> might want to add a service drop-in extending CapabilityBoundingSet to 
> also include CAP_NET_ADMIN. Since I expect this to be a non-standard use 
> case, I’d prefer to not add it by default and rather document it on the 
> wiki.

I disagree with downstream hardening efforts that limit app features (even when
they aren't default) and passing the burden of making things work to users.
Security should be transparent and not block legitimate app usage. I recommend
to add relevant capability to systemd service. This was done for unbound when
similar issue popped out.

Yours sincerely

G. K.
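The drop-in route Archange describes relies on systemd merging repeated CapabilityBoundingSet= lines. The script below is an added example, not something from the thread or from the nsd or Arch packaging: it applies the merge rules documented in systemd.exec(5) (lines OR-merged, a "~" prefix removing the listed capabilities, an empty value resetting the set) to a constructed, approximate nsd.service and two candidate drop-ins, so you can see which one actually adds CAP_NET_ADMIN without losing CAP_NET_BIND_SERVICE. The unit contents, the capability universe and the drop-in path are assumptions for the example.

```python
"""Compute the effective CapabilityBoundingSet= of a systemd service after
drop-ins are applied, following the merge rules in systemd.exec(5):
repeated lines are OR-merged, a value prefixed with '~' removes the listed
capabilities, and an empty value resets the set to empty."""

# Constructed subset of Linux capability names; enough for this example.
ALL_CAPS = frozenset({
    "CAP_CHOWN", "CAP_NET_ADMIN", "CAP_NET_BIND_SERVICE", "CAP_NET_RAW",
    "CAP_SETGID", "CAP_SETUID", "CAP_SYS_CHROOT", "CAP_SYS_ADMIN",
})

def bounding_set_lines(unit_text):
    """Yield the values of CapabilityBoundingSet= lines in [Service]."""
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            if key.strip() == "CapabilityBoundingSet":
                yield value.strip()

def effective_bounding_set(unit_text, dropins=()):
    """Return the effective bounding set. Drop-ins are processed after the
    unit, in order, as systemd does for foo.service.d/*.conf.
    None means the option was never set (bounding set left unmodified)."""
    current = None
    for text in (unit_text, *dropins):
        for value in bounding_set_lines(text):
            if value == "":
                current = set()                      # explicit reset
            elif value.startswith("~"):
                base = ALL_CAPS if current is None else current
                current = set(base) - set(value[1:].split())
            else:
                base = set() if current is None else current
                current = set(base) | set(value.split())
    return None if current is None else frozenset(current)

# Constructed approximation of a hardened nsd.service (not the real Arch
# unit): the bounding set lacks CAP_NET_ADMIN, so an ip-transparent
# listener fails with EPERM on setsockopt(IP_TRANSPARENT).
NSD_UNIT = """\
[Unit]
Description=NSD DNS server

[Service]
ExecStart=/usr/bin/nsd -d
CapabilityBoundingSet=CAP_CHOWN CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
"""

# Drop-in that extends the set. Assumed install path:
# /etc/systemd/system/nsd.service.d/ip-transparent.conf, followed by
# `systemctl daemon-reload && systemctl restart nsd`.
EXTEND_DROPIN = """\
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN
"""

# Common mistake: the empty line resets the set first, so the service
# ends up with only CAP_NET_ADMIN and can no longer bind port 53.
REPLACE_DROPIN = """\
[Service]
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_NET_ADMIN
"""

def can_set_ip_transparent(unit_text, dropins=()):
    """True if the final bounding set still permits IP_TRANSPARENT."""
    caps = effective_bounding_set(unit_text, dropins)
    return caps is None or "CAP_NET_ADMIN" in caps

if __name__ == "__main__":
    for name, dropin in (("extend", EXTEND_DROPIN), ("replace", REPLACE_DROPIN)):
        caps = effective_bounding_set(NSD_UNIT, [dropin])
        print(name, sorted(caps),
              "IP_TRANSPARENT ok:", can_set_ip_transparent(NSD_UNIT, [dropin]))
```

The bounding set is only an upper limit on what the service may ever hold, so extending it with the single capability the feature needs keeps the rest of the unit's hardening intact; the "replace" variant shows why the usual "reset then set" idiom is the wrong tool when the goal is to add one capability to a packaged unit.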
