Since most big distros are using systemd now it might be interesting for some of you how to modify the unit files provided by the respective packages. Those unit files are located in the /usr/lib/systemd/system/ directory. You could edit them directly - but those changes would be overwritten by the next update of those packages. As a much better alternative you can create drop-in snippets as described in the Arch Linux wiki. It's easy.

I've done it for dnsmasq. The default unit file in Arch is this one:

Code:

    [Unit]
    Description=A lightweight DHCP and caching DNS server
    After=network.target
    Documentation=man:dnsmasq(8)

    [Service]
    Type=dbus
    BusName=uk.org.thekelleys.dnsmasq
    ExecStartPre=/usr/bin/dnsmasq --test
    ExecStart=/usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file
    ExecReload=/bin/kill -HUP $MAINPID

    [Install]
    WantedBy=multi-user.target

I wanted to add logging to dnsmasq. In order to do this just execute

Code:

    sudo systemctl edit dnsmasq

which opens your default editor with an empty file. I added the following lines:

Code:

    [Service]
    ExecStart=
    ExecStart=/usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --log-queries --log-facility=/home/heat/dnsmasq/dnsmasq.log

saved that file and exited the editor. (Note that the ExecStart= entry is necessary in order to clear the original ExecStart entry as explained on that wiki page.)

This automatically creates the directory /etc/systemd/system/dnsmasq.service.d and the file override.conf therein with the lines above. dnsmasq should be restarted automatically. sudo systemctl status dnsmasq now reports the following:

I find this method very useful in order to tailor unit files to your needs.
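The reset rule noted in the first post (an empty ExecStart= clears the packaged entry), as an added example that is not part of the original posts: a simplified Python model of how systemd merges ExecStart= from a unit file and its drop-ins. The function names and the merge model are assumptions for illustration, not systemd's own parser, and the sample unit text is constructed from the dnsmasq files quoted in that post.

```python
# Added example: models how systemd merges ExecStart= across a unit file
# and its drop-ins. Simplified on purpose; this is not systemd's parser.

def service_settings(text):
    """Yield (key, value) pairs from the [Service] section of a unit file."""
    section, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#;"):
            continue                      # blank line or comment
        if line.endswith("\\"):           # trailing backslash continues the line
            pending += line[:-1].rstrip() + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()

def effective_exec_start(*fragments):
    """Apply fragments in order (unit file first, then drop-ins)."""
    commands = []
    for text in fragments:
        for key, value in service_settings(text):
            if key != "ExecStart":
                continue
            if value == "":
                commands.clear()          # empty assignment resets the list
            else:
                commands.append(value)    # any other assignment appends
    return commands

# Constructed sample input, based on the dnsmasq unit and override in the post.
BASE = """[Service]
Type=dbus
ExecStart=/usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file
"""
LOGGING = ("ExecStart=/usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file "
           "--log-queries --log-facility=/home/heat/dnsmasq/dnsmasq.log\n")
WITH_RESET = "[Service]\nExecStart=\n" + LOGGING
WITHOUT_RESET = "[Service]\n" + LOGGING

if __name__ == "__main__":
    # With the reset: one command. Without it: two, which systemd rejects
    # for any service whose Type= is not oneshot.
    print(len(effective_exec_start(BASE, WITH_RESET)))
    print(len(effective_exec_start(BASE, WITHOUT_RESET)))
```

On a live system, `systemctl cat dnsmasq` prints the packaged unit file followed by its drop-ins, which is the input this model works on.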
Just another example: dnscrypt-proxy. The default unit file in Arch is this:

Code:

    [Unit]
    Description=A tool for securing communications between a client and a DNS resolver.
    After=network.target
    # Only needed if you use pdnsd, other caching DNS servers can go here. Could be ignored too.
    #Before=pdnsd.service

    [Service]
    EnvironmentFile=/etc/conf.d/dnscrypt-proxy
    ExecStart=/usr/bin/dnscrypt-proxy \
        --local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
        --resolver-address=${DNSCRYPT_RESOLVERIP}:${DNSCRYPT_RESOLVERPORT} \
        --provider-name=${DNSCRYPT_PROVIDER_NAME} \
        --provider-key=${DNSCRYPT_PROVIDER_KEY} \
        --user=${DNSCRYPT_USER}
    Restart=on-abort

    [Install]
    WantedBy=multi-user.target

I had noticed on http://dnscrypt.org/ that the new versions support an --ephemeral-keys switch and a --resolver-name switch which refers to /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv list which makes it much easier to select a DNSCrypt resolver. Both switches are not reflected in the default unit file. So by executing sudo systemctl edit dnscrypt-proxy I automatically created the following override.conf file in /etc/systemd/system/dnscrypt-proxy.service.d :

Code:

    [Service]
    ExecStart=
    ExecStart=/usr/bin/dnscrypt-proxy --ephemeral-keys --resolver-name=dnscrypt.eu-nl \
        --local-address=${DNSCRYPT_LOCALIP}:${DNSCRYPT_LOCALPORT} \
        --user=${DNSCRYPT_USER}

In this case dnscrypt-proxy wasn't restarted automatically (contrary to what the Arch wiki page says), so I executed sudo systemctl restart dnscrypt-proxy. sudo systemctl status dnscrypt-proxy now reports:
FWIW, I modified the override.conf for dnsmasq again. Since dnsmasq is a network-related service and was affected by some vulnerabilities in the past I decided to sandbox it with Firejail:

Code:

    [Service]
    ExecStart=
    #ExecStart=/usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --log-queries --log-facility=/home/heat/dnsmasq/dnsmasq.log
    ExecStart=/usr/bin/firejail --profile=/home/heat/.config/firejail/dnsmasq.profile /usr/bin/dnsmasq -k --enable-dbus --user=dnsmasq --pid-file --log-queries --log-facility=/home/heat/dnsmasq/dnsmasq.log

In dnsmasq.profile I had to remove "include /etc/firejail/disable-mgmt.inc" since blacklisting /sbin and /usr/sbin broke caching in dnsmasq:

Code:

    # system management
    blacklist ${PATH}/umount
    blacklist ${PATH}/mount
    blacklist ${PATH}/fusermount
    blacklist ${PATH}/su
    blacklist ${PATH}/sudo
    blacklist ${PATH}/xinput
    blacklist ${PATH}/strace
    include /etc/firejail/disable-secret.inc
    blacklist ${HOME}/.adobe
    blacklist ${HOME}/.macromedia
    blacklist ${HOME}/.mozilla
    blacklist ${HOME}/.icedove
    blacklist ${HOME}/.thunderbird
    blacklist ${HOME}/.mozilla
    blacklist ${HOME}/.local
    blacklist ${HOME}/.config
    caps
    seccomp

Works well.