stubby: run service as unprivileged user

srcpkgs/stubby/INSTALL

@@ -0,0 +1,12 @@
+case "${ACTION}" in
+post)
+	# Set CAP_NET_BIND_SERVICE capability or exit gracefully if we cannot set the capability
+	# due to invalid permissions (fakeroot install).
+	set +e
+	setcap 'cap_net_bind_service=+ep' /usr/bin/stubby
+	if [ $? -ne 0 ]; then
+		echo "ERROR: failed to set cap_net_bind_service capability on stubby."
+		exit 0
+	fi
+	;;
+esac

srcpkgs/stubby/files/stubby/run

@@ -1,2 +1,2 @@
 #!/bin/sh
-exec /usr/bin/stubby 2>&1
+exec chpst -u _stubby:_stubby /usr/bin/stubby 2>&1

srcpkgs/stubby/template

@@ -1,18 +1,25 @@
 # Template file for 'stubby'
 pkgname=stubby
 version=0.2.5
-revision=1
+revision=2
 build_style=gnu-configure
 conf_files="/etc/stubby/stubby.yml"
 hostmakedepends="automake"
 makedepends="getdns-devel libyaml-devel"
+depends="libcap-progs"	# For setcap(8)
 short_desc="DNS Privacy stub resolver"
 maintainer="Frank Steinborn <steinex@nognu.de>"
 license="BSD-3-Clause"
 homepage="https://github.com/getdnsapi/stubby"
+changelog="https://raw.githubusercontent.com/getdnsapi/stubby/v${version}/ChangeLog"
 distfiles="https://github.com/getdnsapi/stubby/archive/v${version}.tar.gz"
 checksum=56ee63f4b9ee00476a168e6ba5614f6830f93e89baa305c2d38577b2e39eae5b
 
+# Create stubby system user/group
+system_accounts="_${pkgname}"
+_stubby_homedir="/var/lib/${pkgname}"
+make_dirs="/var/lib/${pkgname} 0755 _${pkgname} _${pkgname}"
+
 pre_configure() {
 	autoreconf -fi
 }