Linux (recent kernels at least) and systemd give us ability to run daemons without root privilleges at start. Here is example configuration for freeradius:

Contents

  1. freeradius
  2. bind

freeradius

1. systemd unit file: /etc/systemd/system/freeradius.service

[Unit]
Description=FreeRADIUS multi-protocol policy server

After=network.target
Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/

[Service]
Type=forking
PIDFile=/run/freeradius/freeradius.pid
EnvironmentFile=-/etc/default/freeradius
User=freerad
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
ExecStart=/usr/sbin/freeradius $FREERADIUS_OPTIONS
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

Key lines are "User=" and "?AmbientCapabilities="

2. /etc/tmpfiles.d/freeradius.conf

d     /var/run/freeradius    0755 freerad freerad -

bind

/etc/systemd/system/bind9.service

[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target
Wants=nss-lookup.target
Before=nss-lookup.target

[Service]
EnvironmentFile=/etc/default/bind9
ExecStart=/usr/sbin/named -f $OPTIONS
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop
AmbientCapabilities=CAP_NET_BIND_SERVICE
User=bind
Group=bind
[Install]
WantedBy=multi-user.target

key lines are ?AmbientCapabilities=, User=, Group=

2. /etc/tmpfiles.d/bind9.conf

d     /var/run/named    0775 root bind  -