From 260168bf470feb5492e8b9576e03aae018c2e227 Mon Sep 17 00:00:00 2001
From: adamluk
Date: Thu, 12 Jul 2018 15:03:36 +0100
Subject: [PATCH] Update dnscrypt-proxy.toml.j2 (#1022)

---
 .../dns_encryption/templates/dnscrypt-proxy.toml.j2 | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2 b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
index 22e9cfc5..c5bd6ccc 100644
--- a/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
+++ b/roles/dns_encryption/templates/dnscrypt-proxy.toml.j2
@@ -41,6 +41,18 @@ listen_addresses = ['{{ local_service_ip }}:{{ listen_port }}']
 max_clients = 250
 
 
+## Switch to a non-privileged system user after listening sockets have been created.
+## Two processes will be running.
+## The first one will keep root privileges, but is only a supervisor, that does nothing
+## except create the sockets, manage the service, and restart it if it crashes.
+## The second process is the service itself, and that one will always run as a different
+## user.
+## Note (1): this feature is currently unsupported on Windows.
+## Note (2): this feature is not compatible with systemd socket activation.
+
+user_name = 'nobody'
+
+
 ## Require servers (from static + remote sources) to satisfy specific properties
 
 # Use servers reachable over IPv4
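Review bot: `user_name = 'nobody'` hard-codes the shared `nobody` account, so the resolver would run under the same UID as any other service on the host that also falls back to `nobody`, and processes sharing a UID can signal or inspect one another. A dedicated unprivileged account created by the role and passed in as a template variable, e.g. `user_name = '{{ dnscrypt_proxy_user }}'` (the variable name is a placeholder), would keep the isolation the privilege drop is meant to provide and would match how `listen_addresses` is templated just above. The added comment itself notes that the option is not compatible with systemd socket activation; the unit files are outside this hunk, so it is worth confirming that the role does not rely on socket activation. It is also worth checking that any cache or log paths the proxy writes after the drop are writable by the chosen user.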