knot-resolver/doc/config-no-systemd-privileges.rst

.. SPDX-License-Identifier: GPL-3.0-or-later

Privileges and capabilities
===========================

The kresd daemon requires privileges when it is configured to bind to
well-known ports. There are multiple ways to achieve this.

Using capabilities
^^^^^^^^^^^^^^^^^^

The most secure and recommended way is to use capabilities and execute kresd as
an unprivileged user.

* ``CAP_NET_BIND_SERVICE`` is required to bind to well-known ports.
* ``CAP_SETPCAP`` when this capability is available, kresd drops any extra
  capabilities after the daemon successfully starts when running as
  a non-root user.

Running as non-privileged user
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Another possibility is to start the process as privileged user and then switch
to a non-privileged user after binding to network interfaces.

.. function:: user(name, [group])

   :param string name: user name
   :param string group: group name (optional)
   :return: boolean

   Drop privileges and start running as given user (and group, if provided).

   .. tip:: Note that you should bind to required network addresses before
      changing user. At the same time, you should open the cache **AFTER** you
      change the user (so it remains accessible). A good practice is to divide
      configuration in two parts:

      .. code-block:: lua

         -- privileged
         net.listen('127.0.0.1')
         net.listen('::1')
         user('knot-resolver', 'netgrp')
         -- unprivileged
         cache.size = 100*MB

   Example output:

   .. code-block:: lua

      > user('baduser')
      invalid user name
      > user('knot-resolver', 'netgrp')
      true
      > user('root')
      Operation not permitted

Running as root
^^^^^^^^^^^^^^^

.. warning:: Executing processes as root is generally insecure, as these
   processes have unconstrained access to the complete system at runtime.

While not recommended, it is also possible to run kresd directly as root.