[Pdns-users] why CAP_CHOWN?
Michael Ströder
michael at stroeder.com
Sat May 16 20:43:06 UTC 2020
On 5/16/20 10:25 PM, bert hubert wrote:
> On Sat, May 16, 2020 at 08:42:21PM +0200, Michael Ströder via Pdns-users wrote:
>> But I wonder why CAP_CHOWN is set in CapabilityBoundingSet= and
>> AmbientCapabilities= and I could not find a reason in the git history of
>> that file.
>
> We chown the UNIX domain control socket to the 'setgid' and 'setuid'
> setting.
>
> This is likely why we need CAP_CHOWN.
It seems to create the control socket just fine because the User= and
Group= are set:
srwxr-xr-x 1 pdns pdns 0 May 16 22:39
/run/pdns-recursor/pdns_recursor.controlsocket=
Anything more I could test to ensure that it's safe to remove CAP_CHOWN?
Ciao, Michael.
More information about the Pdns-users
mailing list