On Mon, May 13, 2019 at 12:51:09PM +0200, Kristoffel Pirard wrote:
> On Mon, 13 May 2019, 12:36 Geert Stappers wrote:
> > On 13-05-2019 11:02, Roy Marples wrote:
> > > On 13/05/2019 09:31, Kristoffel Pirard wrote:
> > >> The dnsmasq man page for the --user parameter says that "Dnsmasq must
> > >> _normally_ be started as root".  We tested starting as non-root user,
> > >> but with capabilities cap_net_bind_service, cap_net_admin,
> > >> cap_net_raw.  It currently seems to work, but I'm debating if we
> > >> should actually use this 'hack'.
> > >>
> > >> So should the ambiguous adverb 'normally' be removed from the
> > >> documentation?  If not, what are the circumstances in which it is
> > >> allowed to not start as root?
> > >
> > > The whole world is not Linux. Most other OS's don't have these caps.
> > >
> > >
> > In other words:    The _normally_  in  'Dnsmasq must normally be started
> > as root' is correct.
> >
> So I should interpret it as 'unless you have a really good reason and you
> know what you're doing'?  (Which I answer 'no' to twice)


] 'Dnsmasq must normally be started as root'


Read that as "Dnsmasq listens on ports 53, 67 and 69. That requires
root privilege."  Running a process as root does get that privilege.
Yes we did that all the time in days before the fear.

Avoiding to run Dnsmasq as root can be done with "net capabilities"

> > >> We tested starting as non-root user, but with capabilities
> > >> cap_net_bind_service, cap_net_admin, cap_net_raw.

:-)

> > >> It currently seems to work,

I do read that as "Confirming that cap_net_*** works"


> > >> but I'm debating if we should actually use this 'hack'.




Groeten
Geert Stappers
-- 
Leven en laten leven

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Reply via email to