On 12/12/13 20:15, Matthias Andree wrote:
On 09.12.2013 17:58, Simon Kelley wrote:

OK, using this, I've implemented dynamic interface-address discovery for
*BSD. Available now in git and as 2.69test1. This is very useful as it
stands, since it makes the dynamic DHCPv6 address-range facility using
the constructor: keyword work on *BSD.

Unfortunately, it doesn't make --bind-dynamic work, at least not in a
useful way. The problem is that when new interface addresses come along,
dnsmasq has to bind sockets to them at low ports. This is not allowed
when running as non-root, and of course dnsmasq drops root once it's

On Linux, this problem is solved by using process capabilities: the
dnsmasq process retains the ability to bind low ports when it gives away
the rest of the root privileges. I don't think there's a direct
equivalent to capabilities in *BSD. Is there another way to allow a
non-root process to bind low ports?

A. There is a system-wide feature that enables certain uid/gids to bind
particular tcp or udp ports.

http://www.freebsd.org/doc/handbook/mac-portacl.html - check the
Example.  Note that TrustedBSD/MAC is dubbed experimental.

Minimum survival on FreeBSD 9.2:

1. These are preparations the sysadmin would have to make:

# kldload mac_portacl
# sysctl security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53

2. And that tells dnsmasq to drop privileges to user 53 (I hope it
understands UID, else try "bind" - it has uid 53 on my system):

dnsmasq -u 53  [options [...]]

B. If you find that too cumbersome due to the global nature, the
traditional way would be using a helper process that retains privileges,
opens the socket, binds it and passes it and the file descriptor to the
unprivileged process.
http://www.lst.de/~okir/blackhats/node121.html or
http://www.thomasstover.com/uds.html perhaps.

The first of these is more attractive: creating a helper process and passing file descriptors is a big re-factor.

The -u option doesn't understand uids, but that's easy to fix.
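The helper-process approach from option B, as an added example that is not dnsmasq's own code: a process that keeps root binds the socket, then hands the descriptor to the unprivileged process over a Unix-domain socket with SCM_RIGHTS. The names `send_fd`, `recv_fd`, `bound_port` and `handoff_demo` are chosen here; the demo binds port 0 so it runs without root, whereas a real helper would bind 53 and the receiving side would already have dropped privileges.

```c
/* Added example, not dnsmasq code: a root helper binds the low port and
 * passes the descriptor to the unprivileged process via SCM_RIGHTS. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>
/* Send one descriptor over Unix-domain socket `sock`; 0 on success. */
int send_fd(int sock, int fd) {
    char b = 'F', cbuf[CMSG_SPACE(sizeof fd)] = {0};
    struct iovec iov = { &b, 1 };   /* one dummy byte must accompany the fd */
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}
/* Receive one descriptor from `sock`; returns the new fd, or -1. */
int recv_fd(int sock) {
    char b, cbuf[CMSG_SPACE(sizeof(int))] = {0}; int fd = -1;
    struct iovec iov = { &b, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    if (recvmsg(sock, &m, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);   /* only one cmsg expected */
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
        memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;   /* kernel installed a fresh descriptor in this process */
}
/* UDP port (host order) the socket is bound to, or 0 on error. */
unsigned short bound_port(int s) {
    struct sockaddr_in a; socklen_t l = sizeof a;
    return getsockname(s, (struct sockaddr *)&a, &l) ? 0 : ntohs(a.sin_port);
}
/* Helper end binds UDP `port` (53 as root; 0 here, so no root needed) and
 * sends it; the other end receives it. Returns 1 if both share the port. */
int handoff_demo(unsigned short port) {
    int sp[2], src, dst, ok = 0;
    struct sockaddr_in a = {0};
    a.sin_family = AF_INET; a.sin_port = htons(port);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0) return 0;
    src = socket(AF_INET, SOCK_DGRAM, 0);
    if (src >= 0 && bind(src, (struct sockaddr *)&a, sizeof a) == 0 &&
        send_fd(sp[0], src) == 0 && (dst = recv_fd(sp[1])) >= 0) {
        ok = bound_port(dst) != 0 && bound_port(dst) == bound_port(src);
        close(dst);
    }
    close(sp[0]); close(sp[1]); if (src >= 0) close(src);
    return ok;
}
```

In a real helper the two ends of the socketpair sit in different processes after fork(), with the child calling setuid() before it ever touches the received socket.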



Dnsmasq-discuss mailing list