On 09.12.2013 17:58, Simon Kelley wrote:
> OK, using this, I've implemented dynamic interface-address discovery for
> *BSD. Available now in git and as 2.69test1. This is very useful as it
> stands, since it makes the dynamic DHCPv6 address-range facility using
> the constructor: keyword work on *BSD.
>
> Unfortunately, it doesn't make --bind-dynamic work, at least not in a
> useful way. The problem is that when new interface addresses come along,
> dnsmasq has to bind sockets to them at low ports. This is not allowed
> when running as non-root, and of course dnsmasq drops root once it's
> started.
>
> On Linux, this problem is solved by using process capabilities: the
> dnsmasq process retains the ability to bind low ports when it gives away
> the rest of the root privileges. I don't think there's a direct
> equivalent to capabilities in *BSD. Is there another way to allow a
> non-root process to bind low ports?
A. There is a system-wide feature that enables certain uids/gids to bind
particular TCP or UDP ports:
http://www.freebsd.org/doc/handbook/mac-portacl.html - check the Example.
Note that TrustedBSD/MAC is dubbed experimental.

Minimum survival on FreeBSD 9.2:

1. These are the preparations the sysadmin would have to make:

   # kldload mac_portacl
   # sysctl security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53

2. And this tells dnsmasq to drop privileges to user 53 (I hope it
   understands a UID, else try "bind" - it has uid 53 on my system):

   dnsmasq -u 53 [options [...]]

B. If you find that too cumbersome due to its global nature, the
traditional way would be a helper process that retains privileges, opens
the socket, binds it and passes the file descriptor to the unprivileged
process. http://www.lst.de/~okir/blackhats/node121.html or
http://www.thomasstover.com/uds.html perhaps.

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasqemail@example.com
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
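The helper-process approach in point B, as an added example that is not part of the thread and not dnsmasq code: a privileged helper (here a forked child, standing in for the process that keeps root) binds the UDP socket and hands the descriptor to the unprivileged side over an AF_UNIX socketpair with SCM_RIGHTS, after which the receiver drops privileges and can still read datagrams from the socket. Port 0 and 127.0.0.1 are used so it runs without root; the uid 53 in main() is the value from the post and is only an assumption about the target system. The loopback probe and the 2-second receive timeout are added checks, not anything the thread describes.

```c
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/wait.h>
#include <sys/time.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Privileged role: create a UDP socket bound to 127.0.0.1:port (port 0 = any free port). */
int bind_udp(uint16_t port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa; memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET; sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Port the socket is actually bound to (after bind with port 0), 0 on error. */
uint16_t bound_port(int fd) {
    struct sockaddr_in sa; socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0) return 0;
    return ntohs(sa.sin_port);
}

/* Send one descriptor over a Unix-domain socket as SCM_RIGHTS ancillary data. */
int send_fd(int chan, int fd) {
    char byte = 'F';                                 /* one byte of payload is required */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg; memset(&msg, 0, sizeof msg); memset(&u, 0, sizeof u);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one descriptor; -1 on EOF or if the control message is not exactly one SCM_RIGHTS fd. */
int recv_fd(int chan) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg; memset(&msg, 0, sizeof msg); memset(&u, 0, sizeof u);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    if (recvmsg(chan, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Fork a helper that binds the port and passes the socket back; returns the received fd or -1. */
int receive_bound_udp(uint16_t port) {
    int chan[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(chan[0]); close(chan[1]); return -1; }
    if (pid == 0) {                                  /* helper: bind, hand over, exit */
        close(chan[0]);
        int s = bind_udp(port);
        _exit((s >= 0 && send_fd(chan[1], s) == 0) ? 0 : 1);
    }
    close(chan[1]);
    int fd = recv_fd(chan[0]);                       /* EOF here means the helper failed to bind */
    close(chan[0]);
    int status; waitpid(pid, &status, 0);
    return fd;
}

/* Give up root for good (no-op when not root); fails if root can be regained afterwards. */
int drop_privileges(uid_t uid) {
    if (geteuid() != 0) return 0;
    if (setgroups(0, NULL) < 0 || setgid(uid) < 0 || setuid(uid) < 0) return -1;
    return setuid(0) == 0 ? -1 : 0;
}

/* Added check: prove the passed fd is the live bound socket by sending it a datagram over loopback. */
int loopback_check(int fd) {
    struct timeval tv = { 2, 0 };
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    struct sockaddr_in dst; memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET; dst.sin_port = htons(bound_port(fd));
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0) return -1;
    const char probe[] = "probe";                    /* constructed test datagram */
    ssize_t n = sendto(s, probe, sizeof probe, 0, (struct sockaddr *)&dst, sizeof dst);
    close(s);
    if (n != (ssize_t)sizeof probe) return -1;
    char buf[16]; n = recv(fd, buf, sizeof buf, 0);
    return (n == (ssize_t)sizeof probe && memcmp(buf, probe, sizeof probe) == 0) ? 0 : -1;
}

int main(void) {
    int fd = receive_bound_udp(0);                   /* as root, 53 would work here */
    if (fd < 0) { perror("receive_bound_udp"); return 1; }
    if (drop_privileges(53) < 0) { perror("drop_privileges"); return 1; }   /* uid 53: assumption from the post */
    printf("uid %d holds UDP socket on 127.0.0.1:%u, loopback check %s\n", (int)getuid(),
           bound_port(fd), loopback_check(fd) == 0 ? "ok" : "failed");
    close(fd);
    return 0;
}
```

In a real daemon the helper would stay alive and bind each new address on request from the unprivileged side, so the channel should only accept bind requests, never arbitrary ports or addresses chosen by the unprivileged peer; the SCM_RIGHTS transfer itself is the same as shown.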