> I'm sorry for sending you a poor and untested patch, if you're not generally opposed to this sort of change I will create a proper patch and test it before sending it.
No, I am not generally opposed to the change, I am just generally opposed to "throw in everything and let's see what breaks" in a routing daemon :). I would even suggest fixing `birdc configure` to return non-zero status instead of circumventing it via `bird -p`. Let's start with a minimal patch - if you have an account on salsa.debian.org, I can set up https://salsa.debian.org/debian/bird2, so you can submit MRs to the packaging there.

Ondrej

On Tue, 21 Jul 2020 at 22:05, bauen1 <j24...@googlemail.com> wrote:
> Hi,
>
> > so, I’ve seen this before with a different package (bind9) and I’ve seen
> > this to gloriously fail because the systemd file was overzealous and
> > obviously even you didn’t test it before you sent it to me.
>
> I'm sorry, I hit send prematurely, and it was meant as a sort of RFC.
> I've been using a very similar service file for at least a few months on a
> few systems running BGP and OSPF so this isn't completely untested.
>
> > Unless the changed systemd file is extensively tested with ALL routing
> > protocols, there’s no way I am applying this as it is.
>
> I will reduce the patch to things that should be uncontroversial (you're
> right about overzealous being a bad thing).
>
> Bird already drops capabilities itself almost directly after startup (see
> https://salsa.debian.org/debian/bird2/-/blob/master/sysdep/linux/syspriv.h#L54-79)
> this would be the same as:
>
> User=bird
> Group=bird
> AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND CAP_NET_BROADCAST
> CAP_NET_ADMIN CAP_NET_BIND_SERVICE
>
> I believe that if bird is configured to log to a file inaccessible to
> bird:bird this might break, but bird might break anyway in that case if a
> reload is triggered. I will look into this.
>
> prepare-environment creates the runtime directory and fixes the ownership,
> this is equivalent to:
>
> RuntimeDirectory=bird
>
> These sandbox options should also not cause any trouble:
>
> # prevent access to /home
> ProtectHome=true
> # mount /usr, /boot, /efi read-only
> ProtectSystem=yes
>
> Some of the other options could be added and some of the others might
> introduce breakages in very rare cases or future changes to bird.
>
> Verifying the configuration as part of the reload works around `birdc
> configure` always exiting with 0 even if the configuration has an error.
> ExecReload=/usr/sbin/bird -p
>
> > Also, the package still supports sysv-rc, and I have no intention for
> > dropping the support and I would pretty much like to keep the
> > configuration the same for the time being.
>
> I don't want to suggest dropping support for sysv-rc. But yes, this change
> would duplicate the user and group name into the systemd service file and that
> isn't ideal.
>
> I'm sorry for sending you a poor and untested patch, if you're not
> generally opposed to this sort of change I will create a proper patch and
> test it before sending it.
>
> bauen1
>
> --
> bauen1
> https://dn42.bauen1.xyz/
>
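
The reload check discussed in this thread (parse the configuration with `bird -p` before running `birdc configure`, because the latter's exit status does not report a bad configuration) can be written as a small wrapper. This is an added example, not part of the thread or of the Debian packaging; the variable names `BIRD_BIN`, `BIRDC_BIN`, `BIRD_CONF`, `RUN_RELOAD`, the function name `checked_reload` and the default paths are assumptions.

```shell
#!/bin/sh
# Added example: parse-check the BIRD configuration before asking the running
# daemon to reload it. BIRD_BIN, BIRDC_BIN and BIRD_CONF are assumed names for
# this sketch; the default paths are assumptions as well.
BIRD_BIN="${BIRD_BIN:-/usr/sbin/bird}"
BIRDC_BIN="${BIRDC_BIN:-/usr/sbin/birdc}"
BIRD_CONF="${BIRD_CONF:-/etc/bird/bird.conf}"

# Return codes: 0 reload requested, 1 configuration rejected (the running
# daemon is left untouched), 2 birdc itself exited non-zero.
checked_reload() {
    conf="${1:-$BIRD_CONF}"

    if [ ! -r "$conf" ]; then
        echo "bird-reload: cannot read $conf" >&2
        return 1
    fi

    # "bird -p" only parses the file and exits, so its status reflects
    # configuration errors that "birdc configure" does not report.
    if ! "$BIRD_BIN" -p -c "$conf"; then
        echo "bird-reload: $conf failed the parse check, not reloading" >&2
        return 1
    fi

    # The file parsed cleanly, so hand the reload to the running daemon.
    if ! "$BIRDC_BIN" configure; then
        echo "bird-reload: birdc configure failed" >&2
        return 2
    fi
    return 0
}

# Run only when asked, so the file can also be sourced by other scripts.
if [ "${RUN_RELOAD:-0}" = 1 ]; then
    checked_reload "$@"
fi
```

The distinct return codes let a service manager or a monitoring hook tell a rejected configuration apart from a daemon that could not be reached.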