[Dnsmasq-discuss] Disable setcap() call when dnsmasq starts?

Simon Kelley simon at thekelleys.org.uk
Fri May 17 11:49:31 BST 2013

On 16/05/13 04:29, Jon Hermansen wrote:
> Hello,
>   First time poster. Glad to be here!
> I have found a handful of posts relating to this, but with no clear answer:
> is there a way to prevent dnsmasq from calling setcap() without running it
> as root? I see this error when strace'ing dnsmasq startup, which I assume
> is why dnsmasq is exiting:
> [pid  3284] capset(0x20080522, 0, {CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW,
>> CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW}) = -1 EPERM (Operation not permitted)
> My aim is to run dnsmasq (no DHCP needed) for my LAN's local DNS on a
> remote Virtuozzo VPS instance. My home router caches records for me -- an
> Airport Extreme. I have firewall rules in place on the VPS to only allow
> inbound traffic on port 53 from my home network. Running dnsmasq as root is
> not preferable.
> I've tried variations in the config with listen-address, interface,
> no-dhcp-interface and/or bind-interfaces to get dnsmasq to bind only to my
> WAN IP interface on the specific ports it needs. Again, not using dnsmasq
> for anything but DNS.
> Any hints would be well appreciated. Thanks!

If dnsmasq is running as an unprivileged user, it needs to keep some 
privileges to work reliably.  There's not way to configure it not to, 
you'd have to patch the code. I'd look to see why you're getting the 
EPERM. Are you _starting_ dnsmasq as root? SELinux configuration problems?


More information about the Dnsmasq-discuss mailing list