From fa2c95084ef9b575bfbe62543e0765623c9b8a0e Mon Sep 17 00:00:00 2001
From: David Runge
Date: Mon, 26 Mar 2018 20:48:22 +0200
Subject: [PATCH] Adding DynamicUser to systemd service file, enhancing socket and service (#261)
* Adding nss-lookup.target to the socket Before and Wants directive. Adding current upstream wiki as documentation to service and socket file. Adding DynamicUser=yes to the service file, alongside various hardening settings (Protect{ControlGroups,KernelModules}. Allowing the service to bind to ports below 1024 by setting CAP_NET_BIND_SERVICE. Adding {Cache,Logs,Runtime}Directory for dnscrypt-proxy. Removing (default) Type=simple. Adding a more default ExecStart location and usage of configuration.
* systemd/dnscrypt-proxy.socket: Adding back ipv6 functionality.
* systemd/dnscrypt-proxy.service: Updating Description to match project name. Explicitely setting ProtectHome=yes. Adding information on the DynamicUser settings.
* systemd/dnscrypt-proxy.socket: Updating description to match project name.
* systemd/dnscrypt-proxy.service: Adding Requires= and Also= for dnscrypt-proxy.socket in favor of CAP_NET_BIND_SERVICE capabilities.
* dnscrypt-proxy/example-dnscrypt-proxy.toml: Clarifying how to set listen_addresses, when using systemd socket activation.
---
 dnscrypt-proxy/example-dnscrypt-proxy.toml | 2 +-
 systemd/dnscrypt-proxy.service | 29 +++++++++++-----------
 systemd/dnscrypt-proxy.socket | 3 ++-
 3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/dnscrypt-proxy/example-dnscrypt-proxy.toml b/dnscrypt-proxy/example-dnscrypt-proxy.toml
index 372f1833..ef7a34da 100644
--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
@@ -26,7 +26,7 @@
 ## List of local addresses and ports to listen to. Can be IPv4 and/or IPv6.
-## To only use systemd activation sockets, use an empty set: []
+## Note: When using systemd socket activation, choose an empty set (i.e. [] ).
 listen_addresses = ['127.0.0.1:53', '[::1]:53']
diff --git a/systemd/dnscrypt-proxy.service b/systemd/dnscrypt-proxy.service
index 03de0018..f2953c6b 100644
--- a/systemd/dnscrypt-proxy.service
+++ b/systemd/dnscrypt-proxy.service
@@ -1,27 +1,26 @@
 [Unit]
-Description=DNSCrypt client proxy
-Documentation=man:dnscrypt-proxy(8)
+Description=DNSCrypt-proxy client
+Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
 Requires=dnscrypt-proxy.socket
 After=network.target
 Before=nss-lookup.target
 Wants=nss-lookup.target
-[Install]
-Also=dnscrypt-proxy.socket
-WantedBy=multi-user.target
-
 [Service]
-Type=simple
 NonBlocking=true
-ProtectHome=true
-
-# Change this
-ExecStart=/opt/dnscrypt-proxy/dnscrypt-proxy
+ExecStart=/usr/bin/dnscrypt-proxy --config /etc/dnscrypt-proxy/dnscrypt-proxy.toml
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
 # Run dnscrypt-proxy as unprivileged user with
 # temporary assigned UID/GID. See man:systemd.exec
 # for more info. Requires systemd 232+.
-#DynamicUser=yes
-#CacheDirectory=dnscrypt-proxy
-#LogsDirectory=dnscrypt-proxy
-#RuntimeDirectory=dnscrypt-proxy
+DynamicUser=yes
+CacheDirectory=dnscrypt-proxy
+LogsDirectory=dnscrypt-proxy
+RuntimeDirectory=dnscrypt-proxy
+
+[Install]
+Also=dnscrypt-proxy.socket
+WantedBy=multi-user.target
diff --git a/systemd/dnscrypt-proxy.socket b/systemd/dnscrypt-proxy.socket
index dd5cd93b..9bf9f228 100644
--- a/systemd/dnscrypt-proxy.socket
+++ b/systemd/dnscrypt-proxy.socket
@@ -1,5 +1,6 @@
 [Unit]
-Description=dnscrypt-proxy listening socket
+Description=DNSCrypt-proxy socket
+Documentation=https://github.com/jedisct1/dnscrypt-proxy/wiki
 Before=nss-lookup.target
 Wants=nss-lookup.target
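Review bot: In `example-dnscrypt-proxy.toml`, the reworded comment reads as an optional note while `listen_addresses` just below it still defaults to `['127.0.0.1:53', '[::1]:53']`. The unit changed in this same commit requires `dnscrypt-proxy.socket` and runs the proxy under `DynamicUser=yes` without `CAP_NET_BIND_SERVICE`, so an operator who installs both files unchanged presumably gets a proxy that tries to bind port 53 itself as an unprivileged user, in addition to the sockets systemd passes in. I would word the comment as a requirement, e.g. `## When started through the shipped systemd units (socket activation), this MUST be an empty set: []`.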
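Review bot: In `systemd/dnscrypt-proxy.service`, the comment kept above the now-active `DynamicUser=yes` still says "Requires systemd 232+", but `CacheDirectory=` and `LogsDirectory=` only exist from systemd 235. systemd logs and skips directives it does not know, so on a host older than 232 this unit starts the proxy as root and without `ProtectControlGroups=`/`ProtectKernelModules=`, and on 232–234 it runs without its cache and log directories; neither case fails loudly. I would change the comment to `# Requires systemd 235+ (older versions silently ignore these settings).` and repeat the minimum version in the install notes. Nothing in the unit points the proxy at the directories systemd creates, so any relative cache or log paths in the TOML file should be checked against the read-only file system that `DynamicUser=` implies on current systemd.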