resolved: run as unpriviliged "systemd-resolve" user

This service is not yet network facing, but let's prepare nonetheless.
Currently all caps are dropped, but some may need to be kept in the
future.

4 files changed, 25 insertions, 3 deletions

diff --git a/Makefile.am b/Makefile.am
index b14a6c3392..de42424912 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -4215,6 +4215,7 @@ CLEANFILES += \
 	src/resolve/resolved-gperf.c
 
 systemd_resolved_LDADD = \
+	libsystemd-capability.la \
 	libsystemd-network.la \
 	libsystemd-label.la \
 	libsystemd-internal.la \
diff --git a/README b/README
index 0ea50434bb..adc5b081d2 100644
--- a/README
+++ b/README
@@ -193,6 +193,11 @@ USERS AND GROUPS:
         facing service will drop privileges (with the exception of
         CAP_NET_*) and assumed this uid/gid for security reasons.
 
+        The name resolution daemon requires the "systemd-resolve"
+        system user and group to exist. During execution this network
+        facing service will drop privileges and assume this uid/gid
+        for security reasons.
+
 WARNINGS:
         systemd will warn you during boot if /etc/mtab is not a
         symlink to /proc/mounts. Please ensure that /etc/mtab is a
diff --git a/src/resolve/resolved.c b/src/resolve/resolved.c
index 2eaff60fce..f61b70f46b 100644
--- a/src/resolve/resolved.c
+++ b/src/resolve/resolved.c
@@ -25,9 +25,13 @@
 #include "resolved.h"
 
 #include "mkdir.h"
+#include "capability.h"
 
 int main(int argc, char *argv[]) {
         _cleanup_manager_free_ Manager *m = NULL;
+        const char *user = "systemd-resolve";
+        uid_t uid;
+        gid_t gid;
         int r;
 
         log_set_target(LOG_TARGET_AUTO);
@@ -42,11 +46,23 @@ int main(int argc, char *argv[]) {
                 goto out;
         }
 
+        r = get_user_creds(&user, &uid, &gid, NULL, NULL);
+        if (r < 0) {
+                log_error("Cannot resolve user name %s: %s", user, strerror(-r));
+                goto out;
+        }
+
         /* Always create the directory where resolv.conf will live */
-        r = mkdir_label("/run/systemd/resolve", 0755);
-        if (r < 0)
+        r = mkdir_safe_label("/run/systemd/resolve", 0755, uid, gid);
+        if (r < 0) {
                 log_error("Could not create runtime directory: %s",
                           strerror(-r));
+                goto out;
+        }
+
+        r = drop_privileges(uid, gid, 0);
+        if (r < 0)
+                goto out;
 
         r = manager_new(&m);
         if (r < 0) {
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index f4bbb7c160..9d422ca7f2 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -15,7 +15,7 @@ Type=notify
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-resolved
-CapabilityBoundingSet=
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
 
 [Install]
 WantedBy=multi-user.target