[Security] do not run as root.

An Internet accessible service should aim to have as little as
possible attack surface, which is much easier to do when running
with the absolute minimum number of priviledges.

This makes the systemd setup run the service as a user 'yggdrasil'
and uses the systemd feature `RuntimeDirectory` to auto-create
the /var/run/yggdrasil dir so our non-elevated client can still
create the socket.

The sysusers file will cause the user be created on first install
using the sysusers subsystem.

contrib/systemd/yggdrasil.service

@@ -6,16 +6,21 @@ After=network-online.target
 After=yggdrasil-default-config.service
 
 [Service]
+User=yggdrasil
 Group=yggdrasil
 ProtectHome=true
 ProtectSystem=true
 SyslogIdentifier=yggdrasil
-CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
 ExecStartPre=+-/sbin/modprobe tun
 ExecStart=/usr/bin/yggdrasil -useconffile /etc/yggdrasil.conf
 ExecReload=/bin/kill -HUP $MAINPID
 Restart=always
 TimeoutStopSec=5
 
+# make sure /var/run/yggdrasil/ is created writable for the user.
+RuntimeDirectory=yggdrasil
+# the small list of admin capabilities we need to do our job
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
+
 [Install]
 WantedBy=multi-user.target

contrib/systemd/yggdrasil.sysusers

@@ -0,0 +1 @@
+u yggdrasil - "Yggdrasil network daemon"