[Dnsmasq-discuss] FreeBSD complement to Linux's netlink: route(4) socket

Simon Kelley simon at thekelleys.org.uk
Tue Dec 17 18:07:08 GMT 2013

On 12/12/13 20:15, Matthias Andree wrote:
> Am 09.12.2013 17:58, schrieb Simon Kelley:
>> OK, using this, I've implemented dynamic interface-address discovery for
>> *BSD. Available now in git and as 2.69test1. This is very useful as it
>> stands, since it makes the dynamic DHCPv6 address-range facility using
>> the constructor: keyword work on *BSD.
>> Unfortunately, it doesn't make --bind-dynamic work, and least not in a
>> useful way. The problem is that when new interface addresses come along,
>> dnsmasq has to bind sockets to them at low ports. This is not allowed
>> when running as non-root, and of course dnsmasq drops root once it's
>> started.
>> On Linux, this problem is solved by using process capabilities: the
>> dnsmasq process retains the ability to bind low ports when it gives away
>> the rest of the root privileges. I don'r think there's a direct
>> equivalent to capabilities in *BSD. Is there another way to allow a
>> non-root process to bind low ports?
> A. There is a system-wide feature that enables certain uid/gids to bind
> particular tcp or udp ports.
> http://www.freebsd.org/doc/handbook/mac-portacl.html - check the
> Example.  Note that TrustedBSD/MAC is dubbed experimental.
> Minimum survival on FreeBSD 9.2:
> 1. These are preparations the sysadmin would have to make:
> # kldload mac_portacl
> # sysctl security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53
> 2. And that tells dnsmasq to drop privileges to user 53 (I hope it
> understands UID, else try "bind" - it has uid 53 on my system):
> dnsmasq -u 53  [options [...]]
> B. If you find that too cumbersome due to the global nature, the
> traditional way would be using a helper process that retains privileges,
> opens the socket, binds it and passes it and the file descriptor to the
> unprivileged process.
> http://www.lst.de/~okir/blackhats/node121.html or
> http://www.thomasstover.com/uds.html perhaps.

The first of these is more attractive: creating a helper process and 
passing file descriptors is a big re-factor.

the -u option doesn't understand uids, but that's easy to fix.



More information about the Dnsmasq-discuss mailing list