With my dnsmasq maintainer hat on, the current arrangement looks like this.

1) /run/dnsmasq is a directory owned by dnsmasq:nogroup
2) /run/dnsmasq/dnsmasq.pid gets written by dnsmasq before it drops
root, so is root:root
3) The reason /run/dnsmasq is owned by dnsmasq is so that dnsmasq can
unlink the pidfile at shutdown, after it has dropped root and is running
as 'dnsmasq'

There's a potential security hole here, since an attacker who can become
user dnsmasq, can create a symlink at /run/dnsmasq/dnsmasq.pid to
anywhere, and have the target of the symlink overwritten (as root) at
startup. The dnsmasq PID-file creation code detects and blocks this
case: see src/dnsmasq.c around line 507.

I think that this can be fixed in dnsmasq by chown()ing the pid file to
the same user dnsmasq is about to drop privs too, but I'm not sure is
that's enough to keep the new systemd checks happy.



Reply via email to