[Dnsmasq-discuss] dnsmasq runs as root if setcap() fails

Simon Kelley simon at thekelleys.org.uk
Thu Jun 19 20:52:01 BST 2008


Carlos Carvalho wrote:
> Simon Kelley (simon at thekelleys.org.uk) wrote on 19 June 2008 19:53:
>  >The result of this is that if dnsmasq is going to exit because of 
>  >capability problems, it can't return a non-zero exit code: starting the 
>  >daemon will appear to start fine, and then it will silently kill itself 
>  >(logging is allowed, but not a return code to the init script.)
> 
> I don't understand why. I think what Uwe says is that dnsmasq should
> completely abort, that is, it should kill the helper as well. This is
> possible if it still runs as root. And it should return a non-zero
> exit code, of course.
> 

It's an ordering problem: for instance, you can do (the current order)

fork to background
fork helper
do capset

Now, if capset fails you can't return a non-zero exit code, because that 
happens as part of the "fork to background" step.

So do

capset
fork to background
fork helper.

Now the helper process inherits restricted capabilities, which is wrong.

So try

fork helper
capset
fork to background.

Now the helper is no longer a child of the main daemon.

There's no order which makes everything work, as far as I can see.


> It boils down to a choice between security and
> convenience/functionality. What do people usually choose? And what's
> the consequence of this attitude?...


Note that running as root is not a security hole, it just makes the 
consequences of another breach worse....

Cheers,

Simon.
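The ordering problem above, as an added example that is not dnsmasq's own code. It replays the three startup steps (fork to background, fork helper, capset) in a chosen order inside a real forked process tree and reports the exit status the launcher (the init script's position) actually sees. The capset() call is replaced by a stand-in, fake_capset(), whose failure is an assumed input rather than a real capability error, and the helper process is assumed to do nothing; ORDER_CURRENT, ORDER_CAPSET_FIRST and ORDER_HELPER_FIRST are names chosen here for the three orderings discussed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

enum step { FORK_BACKGROUND, FORK_HELPER, CAPSET };

/* The three orderings from the discussion (assumed names). */
const enum step ORDER_CURRENT[3]      = { FORK_BACKGROUND, FORK_HELPER, CAPSET };
const enum step ORDER_CAPSET_FIRST[3] = { CAPSET, FORK_BACKGROUND, FORK_HELPER };
const enum step ORDER_HELPER_FIRST[3] = { FORK_HELPER, CAPSET, FORK_BACKGROUND };

/* Stand-in for capset(): the caller decides whether it "fails" (assumption, not a real capability check). */
static int fake_capset(int fail) { return fail ? -1 : 0; }

/* Run the startup steps in the given order inside a forked "daemon" and return
 * the exit status observed by the process that launched it (the init script).
 * Returns -1 if fork/waitpid themselves fail or the daemon was killed by a signal. */
int start_daemon(const enum step order[3], int capset_fails)
{
    fflush(stdout);                 /* don't duplicate buffered output across forks */
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        for (int i = 0; i < 3; i++) {
            switch (order[i]) {
            case FORK_BACKGROUND: {
                pid_t bg = fork();
                if (bg < 0)
                    _exit(2);
                if (bg > 0)
                    _exit(0);       /* foreground parent reports success and goes away */
                break;              /* background child carries on with the remaining steps */
            }
            case FORK_HELPER: {
                pid_t h = fork();
                if (h < 0)
                    _exit(2);
                if (h == 0)
                    _exit(0);       /* helper: nothing to do in this demo */
                break;
            }
            case CAPSET:
                if (fake_capset(capset_fails) < 0)
                    _exit(1);       /* the fatal-error path: only visible if nobody has exited 0 yet */
                break;
            }
        }
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* 1 if the helper is forked after capset, i.e. inherits the restricted capabilities. */
int helper_inherits_restricted_caps(const enum step order[3])
{
    for (int i = 0; i < 3; i++) {
        if (order[i] == CAPSET)
            return 1;
        if (order[i] == FORK_HELPER)
            return 0;
    }
    return 0;
}

/* 1 if the helper is forked by the foreground process that then exits, so it is
 * re-parented and is no longer a child of the background daemon. */
int helper_orphaned_from_daemon(const enum step order[3])
{
    for (int i = 0; i < 3; i++) {
        if (order[i] == FORK_HELPER)
            return 1;
        if (order[i] == FORK_BACKGROUND)
            return 0;
    }
    return 0;
}

int main(void)
{
    printf("current order, capset fails -> init sees exit %d\n", start_daemon(ORDER_CURRENT, 1));
    printf("capset first,  capset fails -> init sees exit %d, helper restricted=%d\n",
           start_daemon(ORDER_CAPSET_FIRST, 1), helper_inherits_restricted_caps(ORDER_CAPSET_FIRST));
    printf("helper first,  capset fails -> init sees exit %d, helper orphaned=%d\n",
           start_daemon(ORDER_HELPER_FIRST, 1), helper_orphaned_from_daemon(ORDER_HELPER_FIRST));
    return 0;
}
```

Running it shows the three outcomes in the thread: with the current order a failed capset is invisible to the launcher (exit 0, the daemon kills itself later), capset-first reports the failure as exit 1 but the helper then runs with restricted capabilities, and helper-first keeps the helper fully privileged but leaves it re-parented away from the daemon.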
