Package: nsd
Version: 4.1.26-1
Severity: important
--- i/debian/nsd.service
+++ w/debian/nsd.service
@@ -8,7 +8,7 @@ Type=notify
Restart=always
ExecStart=/usr/sbin/nsd -d
ExecReload=+/bin/kill -HUP $MAINPID
-CapabilityBoundingSet=CAP_CHOWN CAP_IPC_LOCK CAP_NET_BIND_SERVICE
CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_IPC_LOCK
CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
In a recent upgrade to buster, the nsd service failed to start after
upgrade. After spending more time than expected digging through the
details, it turns out that the CAP_DAC_OVERRIDE capability should be
included in the systemd service unit file since the
CapabilityBoundingSet configuration was added in the latest version [1].
The affected host in particular has been through several release
upgrades (I also ran into #932010). I use "include:" lines in my
configuration file set in order to ease management and version control
of my zone files. As a result, the included configuration files were not
readable. They have permission bits 0440 and are owned by the nsd user.
I haven't done a deep investigation, but it appears that with systemd
starting the process as root, without the CAP_DAC_OVERRIDE capability
available it's unable to read files owned by the 'nsd' user.
Relatedly, have you considered directly running the daemon as the nsd
user using AmbientCapabilities=CAP_NET_BIND_SERVICE? That removes the
need for CAP_{CHOWN,SETGID,SETUID}. In my local testing I haven't found
a need for CAP_IPC_LOCK, and don't use chroot configuration so haven't
needed CAP_SYS_CHROOT.
It sort of looks like the Debian service unit file was derived
incrementally from the upstream one. It'd be useful for external diff
review to rebase the content and ordering based on the upstream file
provided in contrib/nsd.service. In fact, you may consider a Debian
patch making targeted adjustments (ReadWritePaths) and shipping the
upstream config directly. Notably, the upstream unit file doesn't list
CAP_CHOWN in the bounding set, is there a Debian specific rationale for
needing to include it?
Thanks,
Joel
[1] https://salsa.debian.org/dns-team/nsd/commit/8a6039c