With my dnsmasq maintainer hat on, the current arrangement looks like this.

1) /run/dnsmasq is a directory owned by dnsmasq:nogroup
2) /run/dnsmasq/dnsmasq.pid gets written by dnsmasq before it drops
root, so is root:root
3) The reason /run/dnsmasq is owned by dnsmasq is so that dnsmasq can
unlink the pidfile at shutdown, after it has dropped root and is running
as 'dnsmasq'
There's a potential security hole here, since an attacker who can become
user dnsmasq can create a symlink at /run/dnsmasq/dnsmasq.pid to
anywhere, and have the target of the symlink overwritten (as root) at
startup. The dnsmasq PID-file creation code detects and blocks this
case: see src/dnsmasq.c around line 507.

I think that this can be fixed in dnsmasq by chown()ing the pid file to
the same user dnsmasq is about to drop privs to, but I'm not sure if
that's enough to keep the new systemd checks happy.

Cheers,

Simon.

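For readers following the thread, here is what the two halves of the fix discussed above (refuse a planted symlink at the pidfile path, then chown the pidfile to the unprivileged user before dropping root) look like in code. This is an added example, not dnsmasq's own src/dnsmasq.c; the function names `write_pidfile` and `pidfile_demo` are hypothetical, and the demo uses a scratch directory under /tmp and the caller's own uid/gid so it runs unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the pidfile while still root, then hand it to the user dnsmasq is
 * about to drop to, so that user can unlink it at shutdown. O_NOFOLLOW makes
 * open() fail with ELOOP when the last path component is a symlink, so a
 * link planted in the user-owned directory is never followed as root. */
int write_pidfile(const char *path, pid_t pid, uid_t uid, gid_t gid)
{
    struct stat st;
    char buf[32]; int len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0644);

    if (fd == -1) return -1;                /* ELOOP for a planted symlink */
    /* Validate the open descriptor, not the path, and truncate only after
     * the check so a hard link to some other file is never clobbered. */
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        ftruncate(fd, 0) == -1)
        goto fail;
    /* fchown on the descriptor: no second path lookup left to race. */
    if (write(fd, buf, len) != len || fchown(fd, uid, gid) == -1)
        goto fail;
    return close(fd);                       /* 0 on success */
fail:
    close(fd);
    return -1;                              /* errno describes the failure */
}

/* Demo in a scratch directory (constructed for this example): a plain
 * pidfile is accepted; a symlink at the pidfile path to a not-yet-existing
 * file is refused with ELOOP and nothing is created through it. Returns 0. */
int pidfile_demo(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", pidpath[64], target[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(pidpath, sizeof pidpath, "%s/dnsmasq.pid", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (write_pidfile(pidpath, 4242, getuid(), getgid()) != 0) return 1;
    if (unlink(pidpath) == -1 || symlink(target, pidpath) == -1) return -1;
    if (write_pidfile(pidpath, 4242, getuid(), getgid()) == 0 || errno != ELOOP)
        return 2;
    if (access(target, F_OK) == 0) return 3; /* root would have created it */
    unlink(pidpath); rmdir(dir);
    return 0;
}
```

Whether the resulting root-created, user-owned file satisfies the systemd checks Simon mentions is a separate question this code does not answer.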