resolved: run as unpriviliged "systemd-resolve" user

This service is not yet network facing, but let's prepare nonetheless. Currently all caps are dropped, but some may need to be kept in the future.
2025-03-28 02:50:16 +03:00 · 2014-06-01 22:01:20 +01:00 · 2014-06-01 22:01:20 +01:00 · 682265d5e2
commit 682265d5e2
parent 0bbea466dc
4 changed files with 25 additions and 3 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -4215,6 +4215,7 @@ CLEANFILES += \
 	src/resolve/resolved-gperf.c

 systemd_resolved_LDADD = \
+	libsystemd-capability.la \
 	libsystemd-network.la \
 	libsystemd-label.la \
 	libsystemd-internal.la \
--- a/5
+++ b/5
@ -193,6 +193,11 @@ USERS AND GROUPS:
        facing service will drop privileges (with the exception of
        CAP_NET_*) and assumed this uid/gid for security reasons.

+        The name resolution daemon requires the "systemd-resolve"
+        system user and group to exist. During execution this network
+        facing service will drop privileges and assume this uid/gid
+        for security reasons.
+
 WARNINGS:
        systemd will warn you during boot if /etc/mtab is not a
        symlink to /proc/mounts. Please ensure that /etc/mtab is a
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@ -25,9 +25,13 @@
 #include "resolved.h"

 #include "mkdir.h"
+#include "capability.h"

 int main(int argc, char *argv[]) {
        _cleanup_manager_free_ Manager *m = NULL;
+        const char *user = "systemd-resolve";
+        uid_t uid;
+        gid_t gid;
        int r;

        log_set_target(LOG_TARGET_AUTO);
@ -42,11 +46,23 @@ int main(int argc, char *argv[]) {
                goto out;
        }

+        r = get_user_creds(&user, &uid, &gid, NULL, NULL);
+        if (r < 0) {
+                log_error("Cannot resolve user name %s: %s", user, strerror(-r));
+                goto out;
+        }
+
        /* Always create the directory where resolv.conf will live */
-        r = mkdir_label("/run/systemd/resolve", 0755);
-        if (r < 0)
+        r = mkdir_safe_label("/run/systemd/resolve", 0755, uid, gid);
+        if (r < 0) {
                log_error("Could not create runtime directory: %s",
                          strerror(-r));
+                goto out;
+        }
+
+        r = drop_privileges(uid, gid, 0);
+        if (r < 0)
+                goto out;

        r = manager_new(&m);
        if (r < 0) {
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@ -15,7 +15,7 @@ Type=notify
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-resolved
-CapabilityBoundingSet=
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER

 [Install]
 WantedBy=multi-user.target