From 849f7008338cf21043551d2ebe6de2255400b3e3 Mon Sep 17 00:00:00 2001
From: prspkt <prspkt@protonmail.com>
Date: Sun, 13 Jan 2019 22:44:37 +0200
Subject: [PATCH] stubby: run service as unprivileged user

---
 srcpkgs/stubby/INSTALL          | 12 ++++++++++++
 srcpkgs/stubby/files/stubby/run |  2 +-
 srcpkgs/stubby/template         |  9 ++++++++-
 3 files changed, 21 insertions(+), 2 deletions(-)
 create mode 100644 srcpkgs/stubby/INSTALL

diff --git a/srcpkgs/stubby/INSTALL b/srcpkgs/stubby/INSTALL
new file mode 100644
index 00000000000..20e8b594e3c
--- /dev/null
+++ b/srcpkgs/stubby/INSTALL
@@ -0,0 +1,12 @@
+case "${ACTION}" in
+post)
+	# Set CAP_NET_BIND_SERVICE capability or exit gracefully if we cannot set the capability
+	# due to invalid permissions (fakeroot install).
+	set +e
+	setcap 'cap_net_bind_service=+ep' /usr/bin/stubby
+	if [ $? -ne 0 ]; then
+		echo "ERROR: failed to set cap_net_bind_service capability on stubby."
+		exit 0
+	fi
+	;;
+esac
diff --git a/srcpkgs/stubby/files/stubby/run b/srcpkgs/stubby/files/stubby/run
index 3a5b089ede4..2e12b92f0c3 100644
--- a/srcpkgs/stubby/files/stubby/run
+++ b/srcpkgs/stubby/files/stubby/run
@@ -1,2 +1,2 @@
 #!/bin/sh
-exec /usr/bin/stubby 2>&1
+exec chpst -u _stubby:_stubby /usr/bin/stubby 2>&1
diff --git a/srcpkgs/stubby/template b/srcpkgs/stubby/template
index c1245047a55..9f43275fcdc 100644
--- a/srcpkgs/stubby/template
+++ b/srcpkgs/stubby/template
@@ -1,18 +1,25 @@
 # Template file for 'stubby'
 pkgname=stubby
 version=0.2.5
-revision=1
+revision=2
 build_style=gnu-configure
 conf_files="/etc/stubby/stubby.yml"
 hostmakedepends="automake"
 makedepends="getdns-devel libyaml-devel"
+depends="libcap-progs"	# For setcap(8)
 short_desc="DNS Privacy stub resolver"
 maintainer="Frank Steinborn <steinex@nognu.de>"
 license="BSD-3-Clause"
 homepage="https://github.com/getdnsapi/stubby"
+changelog="https://raw.githubusercontent.com/getdnsapi/stubby/v${version}/ChangeLog"
 distfiles="https://github.com/getdnsapi/stubby/archive/v${version}.tar.gz"
 checksum=56ee63f4b9ee00476a168e6ba5614f6830f93e89baa305c2d38577b2e39eae5b
 
+# Create stubby system user/group
+system_accounts="_${pkgname}"
+_stubby_homedir="/var/lib/${pkgname}"
+make_dirs="/var/lib/${pkgname} 0755 _${pkgname} _${pkgname}"
+
 pre_configure() {
 	autoreconf -fi
 }