[Dnsmasq-discuss] [PATCH] Allow root group write to log file

Simon Kelley simon at thekelleys.org.uk
Tue Jan 11 23:48:38 UTC 2022


On 11/01/2022 00:11, Petr Menšík wrote:
> Hi!
> 
> I have received an error report on Fedora [1] about a problem when log-facility
> is used. The problem happens because systemd does not grant even root processes
> cap_dac_override. Therefore the log file created by dnsmasq has to be
> writable by the dnsmasq user. But it is created/opened when dnsmasq has still not
> dropped privileges, under effective uid == 0. This leads to a surprising
> situation. If dnsmasq with log-facility=/var/log/dnsmasq.log is started
> for the first time, it passes just fine. However, when it is started a second time
> with /var/log/dnsmasq owned by dnsmasq:root, mode 0640, it fails opening
> the log.
> 
> My attached patch fixes it. If dnsmasq was started as root, it also gives
> group write permission to the log file. Because it does not change the group of
> the file, it should always be root. My patch expects that the log file group is not
> changed in the meantime. If it is something different, for example the adm
> group, it skips granting the writable flag. It fixes the problem at hand.
> 
> What do you think Simon? Others?
> 

This looks good to me, and I've applied it.

One quibble, which I've changed. --log-facility=/tmp/log in the commit
message is a really bad example, since putting a log file in /tmp is
always doomed because /tmp has the sticky bit set, so once the owner of
the file is changed, it becomes inaccessible anyway. I tried using
/tmp/log and it fails in the described way even after the patch is
applied, but for that different reason. A test with /var/log/dnsmasq.log
works fine.


Cheers,

Simon.
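
The permission check discussed in this thread, as an added example that is not dnsmasq code and not the applied patch: a model of the owner/group/other write check for a process without CAP_DAC_OVERRIDE, and of the group-write rule the thread describes. The function names, the uid 990 and the gid 4 are constructed for illustration; supplementary groups and ACLs are ignored.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

#define SAMPLE_DNSMASQ_UID 990  /* constructed sample uid for the dnsmasq user */
#define SAMPLE_ADM_GID     4    /* constructed sample gid for an "adm" group */

/* Unix DAC write check for a process WITHOUT CAP_DAC_OVERRIDE: only the
 * first matching class (owner, then group, then other) is consulted.
 * Simplification: supplementary groups and POSIX ACLs are ignored. */
static bool dac_may_write(uid_t euid, gid_t egid,
                          uid_t f_uid, gid_t f_gid, mode_t f_mode)
{
    if (euid == f_uid)
        return (f_mode & S_IWUSR) != 0;
    if (egid == f_gid)
        return (f_mode & S_IWGRP) != 0;
    return (f_mode & S_IWOTH) != 0;
}

/* Hypothetical helper: mode for the log file as the thread describes it.
 * Group write is added only when started as root and the file's group is
 * still root (gid 0); any other group, e.g. adm, keeps 0640. */
static mode_t log_file_mode(bool started_as_root, gid_t f_gid)
{
    mode_t mode = S_IRUSR | S_IWUSR | S_IRGRP;      /* 0640 */
    if (started_as_root && f_gid == 0)
        mode |= S_IWGRP;                            /* 0660 */
    return mode;
}

int main(void)
{
    /* Second start: euid 0, egid 0, file already owned by dnsmasq:root. */
    mode_t before = S_IRUSR | S_IWUSR | S_IRGRP;
    mode_t after  = log_file_mode(true, 0);
    mode_t adm    = log_file_mode(true, SAMPLE_ADM_GID);

    printf("0%o, group root: root may write = %d\n", (unsigned)before,
           dac_may_write(0, 0, SAMPLE_DNSMASQ_UID, 0, before));
    printf("0%o, group root: root may write = %d\n", (unsigned)after,
           dac_may_write(0, 0, SAMPLE_DNSMASQ_UID, 0, after));
    printf("0%o, group adm:  root may write = %d\n", (unsigned)adm,
           dac_may_write(0, 0, SAMPLE_DNSMASQ_UID, SAMPLE_ADM_GID, adm));
    return 0;
}
```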



