[Dnsmasq-discuss] dnsmasq question - running as root or user

richardvoigt at gmail.com richardvoigt at gmail.com
Sat Aug 22 17:03:08 BST 2009


On Sat, Aug 22, 2009 at 4:39 AM, Audio Phile<da_audiophile at yahoo.com> wrote:
> 1) What is the advantage of having dnsmasq run as a non-root user?

If someone found an exploitable bug in dnsmasq and you were running it
as root, your system would be toast.  If running as another user,
damage would be limited.  In the most secure scenario, where dnsmasq
has a dedicated user, an attacker could only affect the dhcp leases
file.

> 2) Is there any kernel module required to do so on 2.6.30?

Nope.  setuid doesn't require any kernel extensions, although some
extensions could interfere with it.

>
> According to some old docs, there was a requirement CONFIG_SECURITY_CAPABILITIES parameter, but it is obsolete on kernel versions >2.6.26 (reference 1).  Nor does it appear in the config documentation for the latest kernel (reference 2).
>
> 1)  http://cateee.net/lkddb/web-lkddb/SECURITY_CAPABILITIES.html
> 2)  http://www.kernel.org/doc/menuconfig/x86.html

There is definitely no requirement to use security-enhanced linux to
run dnsmasq.  But if you do use selinux, make sure to configure the
capabilities correctly.
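
The message above says damage is limited when dnsmasq runs as a non-root user. One way to check that a running process has actually given up root is to read its /proc/<pid>/status entry. This is an added example, not part of the original message or of dnsmasq; the function name, the return codes, the ALLOWED_CAPS policy and the sample status text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit process credentials from /proc/<pid>/status text.
# ALLOWED_CAPS is an assumed policy, adjust it for your setup:
# CAP_NET_BIND_SERVICE (bit 10), CAP_NET_ADMIN (bit 12), CAP_NET_RAW (bit 13).
ALLOWED_CAPS=$(( (1 << 10) | (1 << 12) | (1 << 13) ))

# Reads status text on stdin and returns:
#   0  no UID is 0 and capabilities stay within ALLOWED_CAPS
#   1  the real, effective, saved or filesystem UID is 0
#   2  non-root, but CapPrm/CapEff hold bits outside ALLOWED_CAPS
#   3  the input had no Uid line
audit_status() {
    uids="" caps_eff=0 caps_prm=0
    while read -r key rest; do
        case "$key" in
            Uid:)    uids=$rest ;;                 # real effective saved fs
            CapPrm:) caps_prm=$(( 0x$rest )) ;;    # hex bitmask
            CapEff:) caps_eff=$(( 0x$rest )) ;;
        esac
    done
    [ -n "$uids" ] || return 3
    # A saved UID of 0 counts as root: the process could switch back.
    for u in $uids; do
        [ "$u" -ne 0 ] || return 1
    done
    extra=$(( (caps_prm | caps_eff) & ~ALLOWED_CAPS ))
    [ "$extra" -eq 0 ] || return 2
    return 0
}

# Constructed samples (not captured from a real host).
SAMPLE_DROPPED='Name: dnsmasq
Uid: 65534 65534 65534 65534
CapPrm: 0000000000003000
CapEff: 0000000000003000'

SAMPLE_ROOT='Name: dnsmasq
Uid: 0 0 0 0
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff'

# Live use, with $pid set to the process to check:
#   audit_status < "/proc/$pid/status"; echo "verdict: $?"
```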


