[Dnsmasq-discuss] dnsmasq runs as root if setcap() fails
simon at thekelleys.org.uk
Thu Jun 19 11:51:20 BST 2008
Uwe Gansert wrote:
> our security team did a review of the dnsmasq package in openSUSE.
> This bug: https://bugzilla.novell.com/show_bug.cgi?id=401650 is maybe
> worth a discussion here.
Hmm, can't get at that without a login, are there any other interesting
conclusions about dnsmasq security from the review?
> Quote: dnsmasq runs as root if the call to setcap() fails. For
> security reasons it would be better to quit in this case. If the
> system intentionally lacks capability support in the kernel the admin
> can explicity configure dnsmasqd to run as root via dnsmasqd.conf.
> This issue is not distro specific IMHO and probably worth reporting
I'd be interested in opinions on this. Clearly, I think the current
behaviour is good, since I coded it that way, but I'm willing to be
persuaded otherwise. It's worth noting that in that in these
circumstances (ie lack of suitable capability support) dnsmasq logs very
dnsmasq: warning: setting capabilities failed: <error>
dnsmasq: running as root.
More information about the Dnsmasq-discuss