[Dnsmasq-discuss] Problems with dnsmasq pid file
Simon Kelley
simon at thekelleys.org.uk
Mon Mar 9 16:13:10 GMT 2009
Oliver Metz wrote:
> Hi.
>
> We are using dnsmasq on an embedded system (router, linux 2.6.19.2, uClibc-0.9.29). There is a problem with the pid file:
> # ls -al /var/run/dnsmasq.pid
> -rw-r--r-- 1 root root 5 Mar 9 00:02 /var/run/dnsmasq.pid
>
> Although we are running dnsmasq with user nobody the pid file is created as root. Perhaps you can guess what happens on TERM signal:
> unlink("/var/run/dnsmasq.pid") = -1 EACCES (Permission denied)
>
> Do you have a solution for this?
>
There is a solution.
The problem is not the permissions on the PID file, what matters for
unlink() is the permission on the _directory_ (ie /var/run).
Clearly the only way to delete a file from /var/run is to be root, and
dnsmasq doesn't run as root deliberately, for security reasons. It used
to be that dnsmasq didn't even try to delete the PID file. Instead the
start/stop script (which is running as root) did the deletion.
It became necessary to have dnsmasq delete the PID-file on Debian and
Ubuntu, since the Debian/Ubuntu dnsmasq package now supports "fast
shutdown" where the daemon is sent SIGTERM, but no start/stop script
runs. To do that the unlink() call was added. To make this work, it's
necessary to do the following.
1) Create a directory (say /var/run/dnsmasq)
2) Change ownership of /var/run/dnsmasq to the user dnsmasq will run as,
either "nobody" or (much better) a unique system userid. Make it
owner-writable.
3) Tell dnsmasq to store the PID file in /var/run/dnsmasq/dnsmasq.pid
with a command-line or configuration option. If using a system user-id,
tell dnsmasq to use that in the same way.
4) Make sure that the start/stop script is using the same location as
the place where it expects to find the pid-file.
Note that the actual PID-file will still be owned by root: that doesn't
matter, the important thing is the ownership of the directory
/var/run/dnsmasq. Beware that on some systems /var/run gets cleared over
a reboot, so the startup script may have to recreate the directory each
time dnsmasq is started.
HTH
Simon.
More information about the Dnsmasq-discuss
mailing list