[Dnsmasq-discuss] dnsmasq runs as root if setcap() fails

Simon Kelley simon at thekelleys.org.uk
Thu Jun 19 19:53:05 BST 2008


Uwe Gansert wrote:
> On Thursday 19 June 2008, Simon Kelley wrote:
> 
>>> our security team did a review of the dnsmasq package in openSUSE.
>>> This bug: https://bugzilla.novell.com/show_bug.cgi?id=401650 is maybe
>>> worth a discussion here.
>> Hmm, can't get at that without a login, are there any other interesting
>> conclusions about dnsmasq security from the review?
> 
> Just two issues. Running as user "nobody" is not a good idea, and being in 
> group "dialout" too - might be openSUSE specific.

Agreed. "nobody" is there for "make && make install" installations - the 
Debian package creates a "dnsmasq" user and runs "dnsmasq -u dnsmasq".

> 
>>> Quote: dnsmasq runs as root if the call to setcap() fails. For
>> I'd be interested in opinions on this. Clearly, I think the current
>> behaviour is good, since I coded it that way, but I'm willing to be
>> persuaded otherwise. It's worth noting that in these circumstances
>> (i.e. lack of suitable capability support) dnsmasq logs a very
>> explicit warning:
>>
>> dnsmasq: warning: setting capabilities failed: <error>
>> dnsmasq: running as root.
> 
> I have the same opinion as our security team.
> In case the capset fails, the fallback should be to the safe side 
> (terminating dnsmasq) and not to the more dangerous side (running as root).
> A not so experienced administrator might run it as root then without 
> noticing, but even the least experienced administrator would notice if it 
> does not run at all :) Then the admin can decide how to fix it: force 
> dnsmasq to run as root via config, or fix the broken capability support on 
> his system.
> Maybe dnsmasq could terminate then with a message that capabilities don't 
> work and the daemon has to run as root, with a description of how to 
> configure it in dnsmasq.conf.
> 

The mechanics of this are mind-boggling. Dnsmasq can be configured to 
run a process every time the lease database changes, as root. To do this 
it keeps a child process which is still root, even when the main process 
is non-root.

That means that the process of dropping root and doing capability 
manipulation has to happen after the helper process forks. That's after 
the process becomes a daemon.

The result of this is that if dnsmasq is going to exit because of 
capability problems, it can't return a non-zero exit code: starting the 
daemon will appear to go fine, and then it will silently kill itself 
(logging is allowed, but not a return code to the init script).

That's why it keeps going in degraded mode at the moment: once startup 
has succeeded, the code does everything it can to provide service.

Suggestions about how to square this circle appreciated......


Cheers,

Simon.
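Since the message above asks how to square this circle, here is one standard pattern as an added example (my own code, not dnsmasq's): the original parent stays alive after the daemonising fork, and the child reports the result of its privilege drop over a pipe before it starts serving, so the parent can still hand a non-zero exit code to the init script. The drop_privs callbacks and the DAEMON_* codes are constructed stand-ins for the real setuid()/capset() sequence and for dnsmasq's own exit codes.

```c
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Status codes the daemon child reports back over the pipe. Constructed for
 * this example; they are not dnsmasq's own exit codes. */
enum { DAEMON_OK = 0, DAEMON_PRIVDROP_FAILED = 2, DAEMON_CHILD_DIED = 3 };

/* Fork the daemon, but keep the parent alive until the child has finished
 * dropping privileges and reports the result through a pipe. The return
 * value is what the parent should exit with, so the init script sees it. */
int start_daemon(int (*drop_privs)(void), void (*serve)(void))
{
    int fd[2]; pid_t pid;
    unsigned char status; ssize_t n;

    if (pipe(fd) != 0 || (pid = fork()) < 0)
        return DAEMON_CHILD_DIED;   /* could not even set up the handshake */
    if (pid == 0) {
        /* Child: in dnsmasq this is where the root helper would be forked
         * and setuid()/capset() run. Report the outcome before serving. */
        close(fd[0]);
        status = drop_privs() == 0 ? DAEMON_OK : DAEMON_PRIVDROP_FAILED;
        while (write(fd[1], &status, 1) < 0 && errno == EINTR)
            ;
        close(fd[1]);
        if (status != DAEMON_OK)
            _exit(status);          /* fail closed: never carry on as root */
        serve();
        _exit(0);
    }
    /* Parent: block until the child reports, or dies without reporting. */
    close(fd[1]);
    do {
        n = read(fd[0], &status, 1);
    } while (n < 0 && errno == EINTR);
    close(fd[0]);
    if (n != 1)
        status = DAEMON_CHILD_DIED; /* EOF: child died before reporting */
    if (status != DAEMON_OK)
        waitpid(pid, NULL, 0);      /* reap the failed child */
    return status;
}

/* Constructed callbacks standing in for the real privilege-drop step. */
int drop_privs_ok(void)    { return 0; }
int drop_privs_fails(void) { return -1; }  /* e.g. capset() returned EPERM */
int drop_privs_dies(void)  { _exit(7); }   /* crashes before reporting */
void serve_nothing(void)   { }
```

In a real daemon the parent would simply `exit(start_daemon(...))`, and the child would continue into its service loop only after the status byte has been sent.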
