authorJakub Jirutka <jakub@jirutka.cz>2020-02-23 13:20:34 +0100
committerJakub Jirutka <jakub@jirutka.cz>2020-02-23 14:08:49 +0100
commit716d804c8235305ee07b36908b70272452c1c52c (patch)
tree6bf902a7218e10a29f83dc53fe8f99da438adeb6 /community/knot-resolver
parenta2ca4f04ab7820444b83cb61cb601d48a7f783f3 (diff)
community/knot-resolver: start kresd as unprivileged user
Diffstat (limited to 'community/knot-resolver')
-rw-r--r--community/knot-resolver/APKBUILD15
-rw-r--r--community/knot-resolver/knot-resolver.post-upgrade8
-rw-r--r--community/knot-resolver/kresd.initd4
3 files changed, 24 insertions, 3 deletions
diff --git a/community/knot-resolver/APKBUILD b/community/knot-resolver/APKBUILD
index d48bf7e9b8..b3aaca4010 100644
--- a/community/knot-resolver/APKBUILD
+++ b/community/knot-resolver/APKBUILD
@@ -27,6 +27,7 @@ makedepends="
bash
cmake
gnutls-dev
+ libcap
libcap-ng-dev
lmdb-dev
luacheck
@@ -36,7 +37,12 @@ makedepends="
py3-flake8
"
checkdepends="cmocka-dev"
-install="$pkgname.pre-install $pkgname-openrc.pre-upgrade $pkgname-openrc.post-upgrade"
+install="
+ $pkgname.pre-install
+ $pkgname.post-upgrade
+ $pkgname-openrc.pre-upgrade
+ $pkgname-openrc.post-upgrade
+ "
subpackages="
$pkgname-mod-http:http:noarch
$pkgname-mod-dnstap:dnstap
@@ -94,6 +100,11 @@ package() {
cd "$pkgdir"
+ # net_bind_service - required to bind to well-known ports
+ # setpcap - when available, resd drops any extra privileges after the
+ # daemon successfully start
+ setcap 'cap_net_bind_service,cap_setpcap=+ep' ./usr/sbin/kresd
+
# These are useless on non-systemd distro.
rm ./usr/lib/knot-resolver/distro-preconfig.lua
rm ./usr/lib/knot-resolver/upgrade-4-to-5.lua
@@ -137,6 +148,6 @@ gpgfingerprints="
sha512sums="9d5d77d3aff082d5f0132b39627fff5cd7af6e237ded219b7b8f2156de7acacb3bf94d5e278af4bb2c9e36ea80d9259d39ba33a18bb37a626a57c70fb9dc0931 knot-resolver-5.0.1.tar.xz
688aeacb0c1f21c7e532533b402e67068897217713fb668636df7533000b493981ddfa0497f8dba7da7c804ee4ab8d587a4f52155b4e2bf1f4025d2588d314bb knot-resolver.logrotate
9c23d035ec1acedb3d946d25a55a85f13a57fc96ed2164aae9613f27e175d81b82615e88e797dff4378115eacaa497a36723fc36a1d417006e3766520bcd674e kresd.confd
-79e1a7c003e13fecad5b68935c23554c735fee65fde93a4460c0562486af0656bac01c624cabdcd12e6f41c7b6414c2724a59f7447ddb7aa583d46df5814081e kresd.initd
+e781f0d5638fcaac6bd6ab724639e493fb3e9404df02294f7c1a2433cdf15eaa4efef8907bf8c6824fa7bf6e39960a0ca7110dcd9d10522555d272184aad88ec kresd.initd
a1e4af78ad8df36feb41619ac63aa8505cb68b434a3e01c8929f69759f5a6abe9667a6d5738928ff67daaccab58e5fecd49ce4ff439674f1e073982042a907fd kres-cache-gc.initd
ad017f54aaa214862a67c8242efe9fa56dc66a8ac0012cc0f4eb981d6fd631b250378602f8f5af9916fff071d9a60d1e588e07458f8d891d19787c3b5d48cdb5 kres-cache-gc.confd"
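Review bot: The comment above the setcap call in the package() hunk has two typos — `resd` for `kresd` and `start` for `starts`; suggest `# setpcap - when available, kresd drops any extra privileges after the daemon successfully starts`. Separately, the four APKBUILD hunks account for all 15 line changes the diffstat reports and none of them touches pkgrel, so unless it was bumped in another commit, already-installed packages will not be rebuilt to pick up the capability-bearing binary or the new post-upgrade script. package() continues outside the hunk.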
diff --git a/community/knot-resolver/knot-resolver.post-upgrade b/community/knot-resolver/knot-resolver.post-upgrade
new file mode 100644
index 0000000000..fcb1f09074
--- /dev/null
+++ b/community/knot-resolver/knot-resolver.post-upgrade
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+ver_new="$1"
+ver_old="$2"
+
+if [ "$(apk version -t "$ver_old" "5.0.1-r0")" = "<" ]; then
+ chown -R kresd:kresd /var/cache/knot-resolver
+fi
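Review bot: The guard only fires when the previous version is strictly below 5.0.1-r0, yet the sha512sums hunk shows the 5.0.1 tarball was already packaged before this commit; if that earlier release was 5.0.1-r0 and ran kresd as root, installs upgrading from it skip the chown and the now-unprivileged daemon cannot write its cache. The comparison should use the first version that runs unprivileged, i.e. the pkgver-pkgrel this commit produces (`apk version -t "$ver_old" "<NEW_PKGVER-PKGREL>"` with the placeholder filled in). `ver_new` is assigned but never read and can be dropped. The cache directory is also hard-coded while the init script lets `cachedir` be overridden in conf.d, so presumably a non-default cache location would keep its old ownership.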
diff --git a/community/knot-resolver/kresd.initd b/community/knot-resolver/kresd.initd
index 6f3db68264..7297cc40a3 100644
--- a/community/knot-resolver/kresd.initd
+++ b/community/knot-resolver/kresd.initd
@@ -1,5 +1,6 @@
#!/sbin/openrc-run
+: ${command_user:="kresd:kresd"}
: ${cfgfile:=${config:-"/etc/knot-resolver/kresd.conf"}}
: ${cachedir:="/var/cache/knot-resolver"}
: ${logfile:="/var/log/knot-resolver.log"}
@@ -20,5 +21,6 @@ depend() {
}
start_pre() {
- checkpath -d -m 750 -o kresd:kresd "$cachedir"
+ checkpath -d -m 750 -o "$command_user" "$cachedir" || return 1
+ checkpath -f -m 640 -o "$command_user" /var/log/knot-resolver.log
}
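Review bot: The new checkpath line for the log file hard-codes `/var/log/knot-resolver.log` although `logfile` is defined with exactly that default at the top of the script, and unlike the line above it the result is not checked; suggest `checkpath -f -m 640 -o "$command_user" "$logfile" || return 1`. Using the variable keeps an admin override of `logfile` in conf.d consistent with the ownership change, and the return keeps start_pre from reporting success when the log file could not be prepared for the unprivileged user.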