Re: Portable service binding a system port

On Fr, 07.02.20 11:05, François (francois+systemd@xxxxxxxxxx) wrote:

> Hi,
>
> I’m finally answering my own question - well at least partially.
>
> I managed to identify the culprit: the `PrivateUsers=yes` directive.
>
> If I override it with a drop-in and set it to `no`, it works as expected and I can successfully bind to port 53.
>
> But I still don’t understand why, especially since it’s part of the
> default profile.

Ideally unbound would support socket activation, so that PID 1 can
bind the socket and pass it in pre-bound.

PrivateUsers=yes means userns, and only processes that have
CAP_NET_BIND_SERVICE in the host user ns can bind on ports <
1024. PrivateUsers= user namespaces do not have that, and hence cannot
bind the port on the host.

Portable service profiles are best combined with socket activation to
limit the privileged surface...

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
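Added example, not from the thread or from unbound's own units: a socket-activated unit pair in which PID 1 binds port 53 and the service keeps the profile's `PrivateUsers=yes`. The daemon path `/usr/local/bin/my-resolver` is a placeholder; it must consume the passed descriptors (`LISTEN_FDS`/`sd_listen_fds()`) rather than calling bind() on port 53 itself.

```ini
# /etc/systemd/system/my-resolver.socket  (added example, placeholder names)
[Unit]
Description=DNS resolver sockets, bound by PID 1 in the host user namespace

[Socket]
# A bare port number listens on all addresses (IPv6 with v4-mapped IPv4).
# DNS needs both UDP and TCP; PID 1 binds both before the service starts,
# so CAP_NET_BIND_SERVICE is exercised only by PID 1, never by the daemon.
ListenDatagram=53
ListenStream=53

[Install]
WantedBy=sockets.target

# /etc/systemd/system/my-resolver.service
[Unit]
Description=DNS resolver (socket-activated)
Requires=my-resolver.socket
After=my-resolver.socket

[Service]
# Placeholder binary; it receives the two sockets as fd 3 and fd 4,
# with LISTEN_PID=<its pid> and LISTEN_FDS=2 in the environment.
ExecStart=/usr/local/bin/my-resolver
# The profile's user namespace can stay on: inside it the service has no
# host CAP_NET_BIND_SERVICE, which is fine because it never binds port 53.
PrivateUsers=yes
# With the sockets pre-bound the daemon needs no capabilities at all.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=yes
```

Check the result with `systemctl start my-resolver.socket` followed by `ss -lnup 'sport = :53'`, which should show the socket owned by systemd before the service has been started.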