[Dnsmasq-discuss] dnsmasq runs as root if setcap() fails
Simon Kelley
simon at thekelleys.org.uk
Thu Jun 19 19:53:05 BST 2008
Uwe Gansert wrote:
> On Thursday 19 June 2008, Simon Kelley wrote:
>
>>> our security team did a review of the dnsmasq package in openSUSE.
>>> This bug: https://bugzilla.novell.com/show_bug.cgi?id=401650 is maybe
>>> worth a discussion here.
>> Hmm, can't get at that without a login, are there any other interesting
>> conclusions about dnsmasq security from the review?
>
> just two issues. Running as user "nobody" is not a good idea and being in
> group "dialout" too - might be openSUSE specific.
Agreed. "nobody" is there for "make && make install" installations - the
Debian package creates a "dnsmasq" user and runs "dnsmasq -u dnsmasq".
>
>>> Quote: dnsmasq runs as root if the call to setcap() fails. For
>> I'd be interested in opinions on this. Clearly, I think the current
>> behaviour is good, since I coded it that way, but I'm willing to be
>> persuaded otherwise. It's worth noting that in these
>> circumstances (ie lack of suitable capability support) dnsmasq logs very
>> explicit warning:
>>
>> dnsmasq: warning: setting capabilities failed: <error>
>> dnsmasq: running as root.
>
> I have the same opinion as our security team.
> In case the capset fails, the fallback should be to the safe side
> (terminating dnsmasq) and not to the more dangerous side (running as root).
> A not so experienced administrator might run it as root then without
> noticing but even the least experienced administrator would notice if it
> does not run at all :) Then the admin can decide how to fix it. Force
> dnsmasq to run as root via config or fix the broken capability support on
> his system.
> Maybe dnsmasq could terminate then with a message that capabilities don't
> work and the daemon has to run as root, with a description of how to
> configure it in dnsmasq.conf
>
The mechanics of this are mind-boggling. Dnsmasq can be configured to
run a process every time the lease database changes, as root. To do this
it keeps a child process which is still root, even when the main process
is non-root.
That means that the process of dropping root and doing capability
manipulation has to happen after the helper process forks. That's after
the process becomes a daemon.
The result of this is that if dnsmasq is going to exit because of
capability problems, it can't return a non-zero exit code: the daemon
will appear to start fine, and then it will silently kill itself
(logging is allowed, but not a return code to the init script).
That's why it keeps going in degraded mode at the moment: once startup
has succeeded, the code does everything it can to provide service.
Suggestions about how to square this circle appreciated...
Cheers,
Simon.
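The last message asks how a daemon that has already detached can still hand a meaningful exit status to the init script when dropping root or setting capabilities fails. One common way to square that circle, shown here as an added example in C and not as dnsmasq's own code, is a status pipe: the foreground parent forks the daemon, the detached child does the privileged setup (in a dnsmasq-like design the root helper would be forked just before this point), writes the result of that setup down the pipe, and exits rather than serving as root if it failed; the parent blocks on the pipe and returns whatever the child reported. Every name here (start_daemon, drop_root_keep_caps, setup_as_nobody and friends), the hard-coded uid/gid 65534 and the chosen capability set are assumptions for the illustration, not taken from the thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/capability.h>

/* Hypothetical setup step run by the detached daemon: switch to uid/gid,
 * keeping only the capabilities in `keep` (a CAP_TO_MASK() bit mask over
 * caps 0..31). Returns 0 on success or the errno of the failing call. */
int drop_root_keep_caps(uid_t uid, gid_t gid, unsigned keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);

    /* Ask the kernel to keep the permitted set across the uid change. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1)
        return errno;
    /* Only a process with CAP_SETGID may change the supplementary groups. */
    if (geteuid() == 0 && setgroups(0, NULL) == -1)
        return errno;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return errno;
    /* Re-raise only what we need; everything else is gone for good. */
    data[0].permitted = keep;
    data[0].effective = keep;
    if (syscall(SYS_capset, &hdr, data) == -1)
        return errno;
    return 0;
}

/* Fork a daemon that runs `setup` after detaching and `service` after that.
 * The child writes setup's result back over a pipe, so the caller gets a
 * real exit status for the init script even though setup happens after
 * the daemon has left the foreground. Returns 0 if the daemon is up, the
 * errno the child reported if setup failed, or ECHILD if the child died
 * before reporting. The child never returns from here: on failure it
 * exits instead of carrying on as root. */
int start_daemon(int (*setup)(void), void (*service)(void))
{
    int fd[2];
    unsigned char status = 1;
    ssize_t n;
    pid_t pid;

    if (pipe(fd) == -1)
        return errno;
    pid = fork();
    if (pid == -1)
        return errno;

    if (pid == 0) {                      /* detached child */
        close(fd[0]);
        setsid();                        /* new session: we are the daemon now */
        status = (unsigned char)setup(); /* errno values fit in one byte */
        n = write(fd[1], &status, 1);
        close(fd[1]);
        if (status != 0 || n != 1)
            _exit(1);                    /* fail closed: never serve as root */
        service();
        _exit(0);
    }

    close(fd[1]);                        /* parent: wait for the verdict */
    do {
        n = read(fd[0], &status, 1);
    } while (n == -1 && errno == EINTR);
    close(fd[0]);
    return n == 1 ? status : ECHILD;     /* EOF: child died before reporting */
}

/* Setup callbacks used by main() and by the tests. */
int setup_as_nobody(void)
{
    /* 65534 is the conventional "nobody"/"nogroup" (hypothetical here);
     * a real daemon would look up the user given with -u instead. */
    return drop_root_keep_caps(65534, 65534,
                               CAP_TO_MASK(CAP_NET_ADMIN) |
                               CAP_TO_MASK(CAP_NET_RAW) |
                               CAP_TO_MASK(CAP_NET_BIND_SERVICE));
}
/* Safe to run unprivileged: stay the same user, keep no capabilities. */
int setup_drop_everything(void) { return drop_root_keep_caps(getuid(), getgid(), 0); }
int setup_capset_fails(void) { return EPERM; }  /* models a failed capset() */
void serve_nothing(void) { }                    /* stand-in for the service loop */

int main(void)
{
    int rc = start_daemon(setup_as_nobody, serve_nothing);
    if (rc != 0)
        fprintf(stderr, "daemon setup failed: %s\n", strerror(rc));
    return rc;   /* the init script now sees a real failure */
}
```

Run unprivileged, the child cannot switch to uid 65534, so start_daemon() returns EPERM and the foreground process exits non-zero with the reason on stderr; run as root on a kernel that honours capset(), it returns 0 only after the child has already given up root. The one-byte status convention assumes errno values fit in a byte, which holds on Linux.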