[Dnsmasq-discuss] Starting as non-root just works

Geert Stappers stappers at stappers.nl
Thu May 16 19:29:57 BST 2019


On Tue, May 14, 2019 at 11:32:50AM +0200, Kristoffel Pirard wrote:
> On Mon, May 13, 2019 at 11:35 PM Geert Stappers wrote:
> > On Mon, May 13, 2019 at 12:51:09PM +0200, Kristoffel Pirard wrote:
> > > On Mon, 13 May 2019, 12:36 Geert Stappers wrote:
> > > > On 13-05-2019 11:02, Roy Marples wrote:
> > > > >
> > > > > The whole world is not Linux. Most other OS's don't have these caps.
> > > > >
> > > > >
> > > > In other words: The _normally_ in 'Dnsmasq must normally be started
> > > > as root' is correct.
> > > >
> > > So I should interpret it as 'unless you have a really good reason and you
> > > know what you're doing'?  (Which I answer 'no' to twice)
> >
> >
> > ] 'Dnsmasq must normally be started as root'
> >
> >
> > Read that as "Dnsmasq listens on ports 53, 67 and 69. That requires
> > root privilege."  Running a process as root does get that privilege.
> > Yes we did that all the time in days before the fear.
> >
> > Avoiding to run Dnsmasq as root can be done with "net capabilities"
> >
> > > > >> We tested starting as non-root user, but with capabilities
> > > > >> cap_net_bind_service, cap_net_admin, cap_net_raw.
> >
> > :-)
> >
> > > > >> It currently seems to work,
> >
> > I do read that as "Confirming that cap_net_*** works"
> >
> >
> > > > >> but I'm debating if we should actually use this 'hack'.
> >
> >
> >
> >
> > Regards
> > Geert Stappers
> > --
> > Live and let live
> >
> Hi Geert,

Hello all,

> That is terribly helpful.  Thanks a lot!
> 
> Although 'the whole world is not Linux', your explanation "Dnsmasq listens
> on ports 53, 67 and 69. That requires
> root privilege; Avoiding to run dnsmasq as root can be done with net
> capabilities" seems a terrific candidate to go in the man page :)  Would
> you like me to prepare a pull request?

Yes, send in patches and see what happens.

Surely do NOT wait for my permission :-)


> Regards
> Kristoffel

For those who missed it:  The reply goes _below_ the previous text



Cheers
Geert Stappers
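An added check, not part of this thread or of dnsmasq itself: a POSIX shell snippet that reads a process's effective capability set from /proc/<pid>/status and reports whether it is exactly the three capabilities discussed above (cap_net_bind_service, cap_net_admin, cap_net_raw), so an operator can confirm the non-root setup works without carrying extra privilege. Bit numbers are from linux/capability.h; the status lines used as sample input are constructed.

```sh
#!/bin/sh
# Capability bit numbers (linux/capability.h):
#   CAP_NET_BIND_SERVICE = 10, CAP_NET_ADMIN = 12, CAP_NET_RAW = 13
# Expected effective set for a non-root dnsmasq: exactly these three bits.
EXPECTED_MASK=$(( (1 << 10) | (1 << 12) | (1 << 13) ))   # 0x3400

# caps_from_status < STATUSFILE -> prints the CapEff hex mask
caps_from_status() {
    awk '/^CapEff:/ { print $2 }'
}

# cap_has MASKHEX BIT -> succeeds if capability BIT is set in the mask
cap_has() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# check_dnsmasq_caps MASKHEX -> prints one of: exact | missing | excess
#   exact   : only the three expected capabilities are present
#   missing : at least one expected capability is absent (binding will fail)
#   excess  : all expected present, plus others (more privilege than needed)
check_dnsmasq_caps() {
    mask=$(( 0x$1 ))
    if [ "$mask" -eq "$EXPECTED_MASK" ]; then
        echo exact
    elif [ $(( mask & EXPECTED_MASK )) -ne "$EXPECTED_MASK" ]; then
        echo missing
    else
        echo excess
    fi
}

# Constructed sample: what /proc/<pid>/status looks like for the caps above.
SAMPLE_STATUS='Name:	dnsmasq
Uid:	105	105	105	105
CapEff:	0000000000003400'

echo "sample: $(check_dnsmasq_caps "$(printf '%s\n' "$SAMPLE_STATUS" | caps_from_status)")"

# A full root capability set (constructed, 41 capabilities) is reported as excess.
echo "root-like: $(check_dnsmasq_caps 000001ffffffffff)"

# Live check against a running dnsmasq, if there is one on this host.
if pid=$(pgrep -o -x dnsmasq 2>/dev/null) && [ -n "$pid" ]; then
    echo "dnsmasq pid $pid: $(check_dnsmasq_caps "$(caps_from_status < /proc/$pid/status)")"
fi
```

The live check only reports the effective set of the running process; how the capabilities got there (setcap on the binary, a service manager, or dnsmasq's own --user handling) is not visible from this output.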