[systemd-devel] Portable service binding a system port

François francois+systemd at kubler.org
Fri Feb 7 10:05:22 UTC 2020


Hi,

I’m finally answering my own question - well at least partially.

I managed to identify the culprit: the `PrivateUsers=yes` directive.

If I override it with a drop-in and set it to `no`, it works as expected and I can successfully bind to port 53.

But I still don’t understand why, especially since it’s part of the default profile.

My unit file is as follows:

> [Service]
> ExecStart=/usr/bin/unbound -d
> ExecReload=+/bin/kill -HUP $MAINPID
> NotifyAccess=main
> Type=notify
> CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE CAP_NET_RAW
> MemoryDenyWriteExecute=true
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> ProtectSystem=strict
> ConfigurationDirectory=unbound
> RuntimeDirectory=unbound
> RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
> RestrictRealtime=true
> SystemCallArchitectures=native
> SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module mount @obsolete @resources
> RestrictNamespaces=yes
> LockPersonality=yes
> RestrictSUIDSGID=yes

My `override.conf` drop-in:

> [Service]
> User=unbound
> Group=unbound
> ConfigurationDirectoryMode=0440
> AmbientCapabilities=CAP_NET_BIND_SERVICE
> PrivateUsers=no


And I’m running with the default profile for portable services.

Can someone help me understand why I have to explicitly disable `PrivateUsers` to make it work (i.e. to be able to bind to a port < 1024)?

Thanks a lot,

-- 
François
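As an added illustration (not code from the thread or from systemd), a small Python check that merges unit fragments the way systemd does for the handful of keys it knows about and flags the combination the post describes: CAP_NET_BIND_SERVICE granted while PrivateUsers=yes is kept. It matters because capabilities held inside the private user namespace do not apply to the host network namespace, which is what the kernel consults for ports below 1024. The profile contents are a constructed stand-in, and the parser plus its accumulate-on-repeat key list are assumptions, not systemd's own code.

```python
# Settings whose repeated assignments accumulate; an empty one resets them.
LIST_KEYS = {"CapabilityBoundingSet", "AmbientCapabilities",
             "RestrictAddressFamilies", "SystemCallFilter"}

# Constructed stand-ins for the fragments systemd merges for a portable
# service: profile (only the directive under discussion), unit, drop-in.
PROFILE = "[Service]\nPrivateUsers=yes\n"
UNIT = ("[Service]\nExecStart=/usr/bin/unbound -d\n"
        "CapabilityBoundingSet=CAP_IPC_LOCK CAP_NET_BIND_SERVICE\n")
DROPIN = ("[Service]\nUser=unbound\n"
          "AmbientCapabilities=CAP_NET_BIND_SERVICE\n")

def parse_fragment(text):
    """Return (section, key, value) triples in file order."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section:
            key, value = line.split("=", 1)
            entries.append((section, key.strip(), value.strip()))
    return entries

def merge(*fragments):
    """Apply fragments in load order: last wins, list keys accumulate."""
    merged = {}
    for frag in fragments:
        for section, key, value in parse_fragment(frag):
            k = (section, key)
            if key not in LIST_KEYS:
                merged[k] = value
            elif value == "":
                merged[k] = []          # empty assignment resets the list
            else:
                merged.setdefault(k, []).extend(value.split())
    return merged

def needs_host_net_bind(settings):
    """True when CAP_NET_BIND_SERVICE is granted but PrivateUsers stays on,
    so the capability never reaches the host network namespace."""
    caps = set(settings.get(("Service", "AmbientCapabilities"), []))
    private = settings.get(("Service", "PrivateUsers"), "no").lower()
    return "CAP_NET_BIND_SERVICE" in caps and private in {"1", "yes", "true", "on"}

if __name__ == "__main__":
    print(needs_host_net_bind(merge(PROFILE, UNIT, DROPIN)))  # True
    print(needs_host_net_bind(merge(PROFILE, UNIT, DROPIN + "PrivateUsers=no\n")))  # False
```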