[Dnsmasq-discuss] dnsmasq runs as root if setcap() fails

Uwe Gansert ug at suse.de
Fri Jun 20 09:51:24 BST 2008

On Thursday 19 June 2008, Simon Kelley wrote:

> That's a good idea, even simpler would be to just check that capget()
> will work early: that's enough to detect a kernel which doesn't have the
> correct support compiled in.
> Would that satisfy your security people, Uwe?

I talked to them and yes, that would be okay.
They just care about that no admin has a running root daemon by accident. Of 
course we know that this is not per se a security problem but you know how 
security guys are - totally paranoid :) It's part of their job.
So to quote them, "as long as dnsmasq terminates when capset() fails, 
instead of falling back to root, we are happy :)"

Thanx Simon!

ciao, Uwe Gansert

Uwe Gansert, Server Technologies Team
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
Business: http://www.suse.de/~ug

More information about the Dnsmasq-discuss mailing list