On 12/12/13 20:15, Matthias Andree wrote:
Am 09.12.2013 17:58, schrieb Simon Kelley:
OK, using this, I've implemented dynamic interface-address discovery for
*BSD. Available now in git and as 2.69test1. This is very useful as it
stands, since it makes the dynamic DHCPv6 address-range facility using
the constructor: keyword work on *BSD.
Unfortunately, it doesn't make --bind-dynamic work, and least not in a
useful way. The problem is that when new interface addresses come along,
dnsmasq has to bind sockets to them at low ports. This is not allowed
when running as non-root, and of course dnsmasq drops root once it's
On Linux, this problem is solved by using process capabilities: the
dnsmasq process retains the ability to bind low ports when it gives away
the rest of the root privileges. I don'r think there's a direct
equivalent to capabilities in *BSD. Is there another way to allow a
non-root process to bind low ports?
A. There is a system-wide feature that enables certain uid/gids to bind
particular tcp or udp ports.
http://www.freebsd.org/doc/handbook/mac-portacl.html - check the
Example. Note that TrustedBSD/MAC is dubbed experimental.
Minimum survival on FreeBSD 9.2:
1. These are preparations the sysadmin would have to make:
# kldload mac_portacl
# sysctl security.mac.portacl.rules=uid:53:tcp:53,uid:53:udp:53
2. And that tells dnsmasq to drop privileges to user 53 (I hope it
understands UID, else try "bind" - it has uid 53 on my system):
dnsmasq -u 53 [options [...]]
B. If you find that too cumbersome due to the global nature, the
traditional way would be using a helper process that retains privileges,
opens the socket, binds it and passes it and the file descriptor to the
The first of these is more attractive: creating a helper process and
passing file descriptors is a big re-factor.
the -u option doesn't understand uids, but that's easy to fix.
Dnsmasq-discuss mailing list