[Dnsmasq-discuss] systemd service improvements

Craig Andrews candrews at integralblue.com
Thu Jun 30 15:58:56 BST 2016


I'd like to propose a couple changes in terms of systemd in dnsmasq.
First, dnsmasq should always install a systemd unit so all 
distributions/users can use it (if a user/distro doesn't use systemd, 
the unit will simply be ignored - no harm done). Currently, the unit 
is only part of the Debian packaging. Dnsmasq may want to include an 
alternate unit in the Debian packaging and a generic, for-all-distros 
version in the default installation.
Second, the systemd unit should be improved a bit to feature hardening 
and not running as root. Here's my proposed dnsmasq.service:
---
[Unit]
Description=A lightweight DHCP and caching DNS server
After=network.target

[Service]
# Run unprivileged from the start; the capabilities below are granted
# ambiently instead of relying on dnsmasq starting as root and dropping
# privileges itself.
User=dnsmasq
Group=dnsmasq
# -k keeps dnsmasq in the foreground, so Type=simple applies; -x writes
# the PID file under the runtime directory.
Type=simple
PIDFile=/run/dnsmasq/dnsmasq.pid
# Reject a broken configuration before the main process is launched.
ExecStartPre=/usr/sbin/dnsmasq --test
ExecStart=/usr/sbin/dnsmasq -k -x /run/dnsmasq/dnsmasq.pid
ExecReload=/bin/kill -HUP $MAINPID
# /run/dnsmasq is created by systemd and owned by the service user.
RuntimeDirectory=dnsmasq
# Bind port 53 and configure interfaces without being root; every other
# capability is removed from the bounding set for the whole process tree.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
# Sandboxing: private /tmp, no physical device nodes, read-only /usr, /boot
# and /etc, no /home, and no privilege gain through setuid/fscaps binaries.
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
---

Compared to 
http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=blob;f=debian/systemd.service;h=40b8d27cba21400d8b56ecc4a85266879988911d;hb=HEAD 
I think this is a nice improvement.

The only issue is that the Debian version uses /etc/init.d/dnsmasq and 
depends on Debian's resolvconf which other distros won't have, hence 
dnsmasq will probably want to keep a special unit for Debian.

Thanks,
~Craig
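A check of the kind you would run before shipping a unit like the one proposed above, added here as an example and not part of Craig's post or of the dnsmasq project: a POSIX shell script that reads a unit file, reports the user it runs as, lists which of the hardening directives the proposal relies on are absent, and, for a unit that runs unprivileged, which ambient capabilities are missing for the DNS-only or DNS+DHCP role. The two unit files it inspects are constructed inline (one is the proposed unit, the other a minimal root-running unit for contrast). The capability lists are the script's own assumptions: CAP_NET_BIND_SERVICE for port 53, and for DHCP additionally CAP_NET_RAW and CAP_NET_ADMIN, which dnsmasq's Linux DHCP code needs for its raw/ICMP sockets and ARP handling; verify them against your dnsmasq build before relying on them.

```shell
#!/bin/sh
# Constructed sample inputs (not files from the dnsmasq tree).
PROPOSED_UNIT=$(mktemp)
ROOT_UNIT=$(mktemp)
trap 'rm -f "$PROPOSED_UNIT" "$ROOT_UNIT"' EXIT

# The unit proposed in the mail.
cat > "$PROPOSED_UNIT" <<'EOF'
[Unit]
Description=A lightweight DHCP and caching DNS server
After=network.target

[Service]
User=dnsmasq
Group=dnsmasq
Type=simple
PIDFile=/run/dnsmasq/dnsmasq.pid
ExecStartPre=/usr/sbin/dnsmasq --test
ExecStart=/usr/sbin/dnsmasq -k -x /run/dnsmasq/dnsmasq.pid
ExecReload=/bin/kill -HUP $MAINPID
RuntimeDirectory=dnsmasq
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF

# A minimal unit for contrast: runs as root with no sandboxing at all.
cat > "$ROOT_UNIT" <<'EOF'
[Unit]
Description=dnsmasq
After=network.target

[Service]
Type=forking
PIDFile=/run/dnsmasq/dnsmasq.pid
ExecStart=/usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid

[Install]
WantedBy=multi-user.target
EOF

# Print the last value of KEY inside the [Service] section of FILE
# (empty if the key is not set there).
unit_get() {
    ug_key=$1; ug_file=$2
    sed -n -e "/^\[Service\]/,/^\[/s/^$ug_key=//p" "$ug_file" | tail -n 1
}

# The user the service runs as: an explicit User=, otherwise root.
unit_user() {
    uu=$(unit_get User "$1")
    printf '%s\n' "${uu:-root}"
}

# Hardening directives the proposed unit relies on; print those FILE lacks.
HARDENING="NoNewPrivileges PrivateTmp PrivateDevices ProtectSystem ProtectHome CapabilityBoundingSet"
unit_missing_hardening() {
    for d in $HARDENING; do
        [ -n "$(unit_get "$d" "$1")" ] || printf '%s\n' "$d"
    done
}
unit_missing_count() {
    unit_missing_hardening "$1" | wc -l | tr -d ' '
}

# Capabilities an unprivileged dnsmasq needs per role. ASSUMPTION of this
# script: port 53 needs CAP_NET_BIND_SERVICE; DHCP additionally needs
# CAP_NET_RAW (raw/ICMP sockets) and CAP_NET_ADMIN (ARP entries).
NEEDED_CAPS_DNS="CAP_NET_BIND_SERVICE"
NEEDED_CAPS_DHCP="CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN"

# For a unit that runs unprivileged, print each capability in NEEDED that
# is absent from AmbientCapabilities=. A root-running unit needs none.
unit_missing_caps() {
    umc_file=$1; umc_needed=$2
    [ "$(unit_user "$umc_file")" != root ] || return 0
    umc_have=$(unit_get AmbientCapabilities "$umc_file")
    for c in $umc_needed; do
        case " $umc_have " in
            *" $c "*) ;;
            *) printf '%s\n' "$c" ;;
        esac
    done
}

# Human-readable summary for FILE serving ROLE (dns or dhcp).
unit_report() {
    ur_file=$1
    case ${2:-dns} in dhcp) ur_needed=$NEEDED_CAPS_DHCP ;; *) ur_needed=$NEEDED_CAPS_DNS ;; esac
    printf '%s: runs as %s\n' "$ur_file" "$(unit_user "$ur_file")"
    unit_missing_hardening "$ur_file" | sed 's/^/  missing hardening: /'
    unit_missing_caps "$ur_file" "$ur_needed" | sed 's/^/  missing ambient cap: /'
}

unit_report "$PROPOSED_UNIT" dhcp
unit_report "$ROOT_UNIT" dns
```

Run it with `sh check_unit.sh`. Against the proposed unit it reports no missing hardening directive and, for the DHCP role, CAP_NET_RAW absent from the ambient set; against the root-running unit it reports every hardening directive missing and no capability gap, because a root process does not depend on ambient capabilities. This only inspects the file; `systemd-analyze verify <unit>` remains the check for syntax systemd itself rejects, and `systemd-analyze security <service>` (systemd 240 or later) scores the running service's exposure more broadly than the short directive list here.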