[Dnsmasq-discuss] FreeBSD complement to Linux's netlink: route(4) socket

Matthias Andree matthias.andree at gmx.de
Thu Dec 12 20:15:43 GMT 2013

Am 09.12.2013 17:58, schrieb Simon Kelley:

> OK, using this, I've implemented dynamic interface-address discovery for
> *BSD. Available now in git and as 2.69test1. This is very useful as it
> stands, since it makes the dynamic DHCPv6 address-range facility using
> the constructor: keyword work on *BSD.
> Unfortunately, it doesn't make --bind-dynamic work, and least not in a
> useful way. The problem is that when new interface addresses come along,
> dnsmasq has to bind sockets to them at low ports. This is not allowed
> when running as non-root, and of course dnsmasq drops root once it's
> started.
> On Linux, this problem is solved by using process capabilities: the
> dnsmasq process retains the ability to bind low ports when it gives away
> the rest of the root privileges. I don'r think there's a direct
> equivalent to capabilities in *BSD. Is there another way to allow a
> non-root process to bind low ports?

A. There is a system-wide feature that enables certain uid/gids to bind
particular tcp or udp ports.

http://www.freebsd.org/doc/handbook/mac-portacl.html - check the
Example.  Note that TrustedBSD/MAC is dubbed experimental.

Minimum survival on FreeBSD 9.2:

1. These are preparations the sysadmin would have to make:

# kldload mac_portacl
# sysctl security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53

2. And that tells dnsmasq to drop privileges to user 53 (I hope it
understands UID, else try "bind" - it has uid 53 on my system):

dnsmasq -u 53  [options [...]]

B. If you find that too cumbersome due to the global nature, the
traditional way would be using a helper process that retains privileges,
opens the socket, binds it and passes it and the file descriptor to the
unprivileged process.
http://www.lst.de/~okir/blackhats/node121.html or
http://www.thomasstover.com/uds.html perhaps.

More information about the Dnsmasq-discuss mailing list