Anand Buddhdev via Unbound-users wrote:
> On 20/05/2018 23:16, Adam Gold via Unbound-users wrote:
>> Here's my systemd:
>>
>> [Unit]
>> Description=Unbound DNS server
>> Documentation=man:unbound(8)
>> After=network.target
>>
>> [Service]
>> LimitNOFILE = 65536
>> ExecStart = /usr/local/sbin/unbound -c /etc/unbound/unbound.conf
>> ExecReload = /bin/kill -HUP $MAINPID
>> User = unbound
>
> ^^^
>
> This makes systemd switch to user "unbound" (non-privileged user)
> *before* starting unbound, and so it cannot bind to port 53. Remove this
> line so that systemd can start unbound as root and bind to
> port 53. After that, unbound drops privileges by itself (as directed by
> the "username" option in unbound.conf).
One could also start the unbound service with User=unbound but let systemd assign the capability CAP_NET_BIND_SERVICE to the unbound process. See CapabilityBoundingSet= and AmbientCapabilities= in systemd.exec(5).

Ciao,
Michael.
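For reference, here is what that second approach looks like as a complete [Service] section. This is a constructed example added here, not a unit file from the thread or from the Unbound project; the binary and config paths are taken from Adam's unit above, and the ExecReload/LimitNOFILE lines are kept unchanged.

```ini
[Unit]
Description=Unbound DNS server
Documentation=man:unbound(8)
After=network.target

[Service]
LimitNOFILE=65536
ExecStart=/usr/local/sbin/unbound -c /etc/unbound/unbound.conf
ExecReload=/bin/kill -HUP $MAINPID

# systemd switches to the unprivileged user before exec, so unbound
# never runs as root and never has to drop privileges itself.
User=unbound
Group=unbound

# AmbientCapabilities= is what actually grants the capability to the
# non-root process (needs systemd >= 229). CapabilityBoundingSet= on
# its own only restricts; here it limits the process to exactly the one
# capability it needs to bind port 53.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

# Verify after start (run as root):
#   systemctl show unbound -p AmbientCapabilities
#   grep '^Cap' /proc/$(pidof unbound)/status
# CapEff should show only bit 10 (CAP_NET_BIND_SERVICE) set,
# i.e. 0000000000000400, and the process UID should be unbound's.

[Install]
WantedBy=multi-user.target
```

Without the AmbientCapabilities= line the unit is back to the failing configuration Anand describes: User=unbound alone leaves the process with an empty capability set and the bind to port 53 is refused.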
