stubby: run service as unprivileged user

This commit is contained in:
prspkt 2019-01-13 22:44:37 +02:00 committed by maxice8
parent 75b24444f0
commit 849f700833
3 changed files with 21 additions and 2 deletions

12
srcpkgs/stubby/INSTALL Normal file
View file

@ -0,0 +1,12 @@
case "${ACTION}" in
post)
# Set CAP_NET_BIND_SERVICE capability or exit gracefully if we cannot set the capability
# due to invalid permissions (fakeroot install).
set +e
setcap 'cap_net_bind_service=+ep' /usr/bin/stubby
if [ $? -ne 0 ]; then
echo "ERROR: failed to set cap_net_bind_service capability on stubby."
exit 0
fi
;;
esac

View file

@ -1,2 +1,2 @@
#!/bin/sh
exec /usr/bin/stubby 2>&1
exec chpst -u _stubby:_stubby /usr/bin/stubby 2>&1

View file

@ -1,18 +1,25 @@
# Template file for 'stubby'
pkgname=stubby
version=0.2.5
revision=1
revision=2
build_style=gnu-configure
conf_files="/etc/stubby/stubby.yml"
hostmakedepends="automake"
makedepends="getdns-devel libyaml-devel"
depends="libcap-progs" # For setcap(8)
short_desc="DNS Privacy stub resolver"
maintainer="Frank Steinborn <steinex@nognu.de>"
license="BSD-3-Clause"
homepage="https://github.com/getdnsapi/stubby"
changelog="https://raw.githubusercontent.com/getdnsapi/stubby/v${version}/ChangeLog"
distfiles="https://github.com/getdnsapi/stubby/archive/v${version}.tar.gz"
checksum=56ee63f4b9ee00476a168e6ba5614f6830f93e89baa305c2d38577b2e39eae5b
# Create stubby system user/group
system_accounts="_${pkgname}"
_stubby_homedir="/var/lib/${pkgname}"
make_dirs="/var/lib/${pkgname} 0755 _${pkgname} _${pkgname}"
pre_configure() {
autoreconf -fi
}