On Fr, 07.02.20 11:05, François (francois+syst...@kubler.org) wrote:

> Hi,
>
> I’m finally answering my own question - well at least partially.
>
> I managed to identify the culprit: the `PrivateUsers=yes` directive.
>
> If I override it with a drop-in and set it to `no`, it works as expected and
> I can successfully bind to port 53.
>
> But I still don’t understand why, especially since it’s part of the
> default profile.
Ideally unbound would support socket activation, so that PID 1 can bind the
socket and pass it in pre-bound.

PrivateUsers=yes means userns, and only processes that have
CAP_NET_BIND_SERVICE in the host user ns can bind on ports < 1024. The
PrivateUsers= user namespace does not have that, and hence cannot bind the
port on the host.

Portable service profiles are best combined with socket activation to limit
the privileged surface...

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
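An added example of the hand-over Lennart describes (this is not code from the thread, from unbound or from systemd): a small daemon that consumes sockets PID 1 has already bound on port 53 via the sd_listen_fds(3) environment protocol, so the service can keep PrivateUsers=yes and never needs CAP_NET_BIND_SERVICE in the host user namespace. The unit names dns-demo.socket / dns-demo.service and the script path in the docstring are hypothetical.

```python
"""Socket-activated service skeleton (added example, not unbound's code).

Assumed units (hypothetical names), so that PID 1 binds the port:

  # dns-demo.socket
  [Socket]
  ListenDatagram=53
  ListenStream=53
  [Install]
  WantedBy=sockets.target

  # dns-demo.service
  [Service]
  ExecStart=/usr/bin/python3 /usr/local/bin/dns_demo.py
  PrivateUsers=yes
  # No AmbientCapabilities=CAP_NET_BIND_SERVICE needed: the sockets arrive
  # pre-bound as fds 3 and 4, the service itself never calls bind() on port 53.
"""
import os
import select
import socket

# sd_listen_fds(3): passed descriptors start at fd 3, in .socket listing order.
SD_LISTEN_FDS_START = 3
LISTEN_VARS = ("LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES")


def parse_listen_fds(environ, pid):
    """Return [(fd, name), ...] that systemd handed to *this* process.

    LISTEN_PID must equal our pid: a child that inherited the environment by
    accident must not adopt the parent's listening sockets. LISTEN_FDS is the
    count, LISTEN_FDNAMES an optional colon-separated list of names.
    """
    try:
        if int(environ.get("LISTEN_PID", "")) != pid:
            return []
        count = int(environ.get("LISTEN_FDS", "0"))
    except ValueError:
        return []
    if count <= 0:
        return []
    raw_names = environ.get("LISTEN_FDNAMES", "")
    names = raw_names.split(":") if raw_names else []
    result = []
    for i in range(count):
        name = names[i] if i < len(names) else "unknown"
        result.append((SD_LISTEN_FDS_START + i, name))
    return result


def adopt_sockets(fds):
    """Wrap inherited fds as socket objects (family/type read from the fd)."""
    return [(name, socket.socket(fileno=fd)) for fd, name in fds]


def serve(socks):
    """Answer on whatever PID 1 bound. Echo only; a resolver would parse DNS here."""
    listeners = [s for _, s in socks]
    while True:
        ready, _, _ = select.select(listeners, [], [])
        for s in ready:
            if s.type == socket.SOCK_DGRAM:
                data, peer = s.recvfrom(512)
                s.sendto(data, peer)
            else:
                conn, _ = s.accept()
                conn.close()  # stream side intentionally not implemented


if __name__ == "__main__":
    passed = parse_listen_fds(os.environ, os.getpid())
    if not passed:
        raise SystemExit("no sockets passed by systemd; start via dns-demo.socket")
    # Mirror sd_listen_fds(..., unset_environment=1): do not leak the variables
    # to anything we exec later.
    for var in LISTEN_VARS:
        os.environ.pop(var, None)
    serve(adopt_sockets(passed))
```

The LISTEN_PID check is the part worth keeping even in a throwaway daemon: without it, any helper the service spawns with the inherited environment would believe fds 3 and 4 are its own listening sockets. With the port bound by PID 1, the drop-in that flips PrivateUsers= to no becomes unnecessary and the profile's user namespace can stay in place.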