Hi Geert,

That is terribly helpful.  Thanks a lot!

Although 'the whole world is not Linux', your explanation "Dnsmasq listens
on ports 53, 67 and 69. That requires
root privilege; Avoiding to run dnsmasq as root can be done with net
capabilities" seems a terrific candidate to go in the man page :)  Would
you like me to prepare a pull request?

Regards
Kristoffel


On Mon, May 13, 2019 at 11:35 PM Geert Stappers <stapp...@stappers.nl>
wrote:

> On Mon, May 13, 2019 at 12:51:09PM +0200, Kristoffel Pirard wrote:
> > On Mon, 13 May 2019, 12:36 Geert Stappers wrote:
> > > On 13-05-2019 11:02, Roy Marples wrote:
> > > > On 13/05/2019 09:31, Kristoffel Pirard wrote:
> > > >> The dnsmasq man page for the --user parameter says that "Dnsmasq must
> > > >> _normally_ be started as root".  We tested starting as non-root user,
> > > >> but with capabilities cap_net_bind_service, cap_net_admin,
> > > >> cap_net_raw.  It currently seems to work, but I'm debating if we
> > > >> should actually use this 'hack'.
> > > >>
> > > >> So should the ambiguous adverb 'normally' be removed from the
> > > >> documentation?  If not, what are the circumstances in which it is
> > > >> allowed to not start as root?
> > > >
> > > > The whole world is not Linux. Most other OS's don't have these caps.
> > > >
> > > >
> > > In other words: The _normally_ in 'Dnsmasq must normally be started
> > > as root' is correct.
> > >
> > So I should interpret it as 'unless you have a really good reason and you
> > know what you're doing'?  (Which I answer 'no' to twice)
>
>
> ] 'Dnsmasq must normally be started as root'
>
>
> Read that as "Dnsmasq listens on ports 53, 67 and 69. That requires
> root privilege."  Running a process as root does get that privilege.
> Yes we did that all the time in days before the fear.
>
> Avoiding to run Dnsmasq as root can be done with "net capabilities"
>
> > > >> We tested starting as non-root user, but with capabilities
> > > >> cap_net_bind_service, cap_net_admin, cap_net_raw.
>
> :-)
>
> > > >> It currently seems to work,
>
> I do read that as "Confirming that cap_net_*** works"
>
>
> > > >> but I'm debating if we should actually use this 'hack'.
>
>
>
>
> Groeten
> Geert Stappers
> --
> Leven en laten leven
>
_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
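The thread's point is that the three net capabilities, not uid 0, are what dnsmasq needs for ports 53, 67 and 69. The script below is an added example (not code from the thread or from the dnsmasq project) that audits a running process the way a defender would after deploying the non-root variant: it reads `/proc/<pid>/status`, decodes the `CapEff`/`CapPrm` hex masks using the bit numbers from `linux/capability.h`, and reports whether the process runs as root or holds any capability beyond `cap_net_bind_service`, `cap_net_admin` and `cap_net_raw`. The `/proc` status text embedded in it is constructed for offline use; it is not a capture from a real host.

```python
"""Audit the uid and capabilities of a running process from /proc/<pid>/status.

Added example; assumes Linux /proc semantics and the capability bit numbers
from linux/capability.h. The sample status text below is constructed.
"""
import sys

# Capability names indexed by their CAP_* number (bit position in the masks).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# The three capabilities the thread reports as sufficient for dnsmasq.
EXPECTED_CAPS = {"cap_net_bind_service", "cap_net_admin", "cap_net_raw"}


def decode_caps(hex_mask: str) -> set:
    """Turn a CapEff/CapPrm hex mask into a set of capability names."""
    mask = int(hex_mask, 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if mask & (1 << bit)}
    # Bits beyond the table (newer kernels) are reported by number.
    for bit in range(len(CAP_NAMES), mask.bit_length()):
        if mask & (1 << bit):
            names.add(f"cap_{bit}")
    return names


def parse_status(text: str) -> dict:
    """Extract process name, real uid and the permitted/effective cap sets."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {
        "name": fields.get("Name", "?"),
        "uid": int(fields["Uid"].split()[0]),      # first column is the real uid
        "permitted": decode_caps(fields["CapPrm"]),
        "effective": decode_caps(fields["CapEff"]),
    }


def audit(text: str, expected=EXPECTED_CAPS) -> list:
    """Return findings; an empty list means non-root with exactly the expected caps."""
    info = parse_status(text)
    findings = []
    if info["uid"] == 0:
        findings.append(f'{info["name"]} runs as root (uid 0)')
    extra = info["effective"] - expected
    if extra:
        findings.append(f'{info["name"]} holds unexpected effective capabilities: {sorted(extra)}')
    missing = expected - info["effective"]
    if missing:
        findings.append(f'{info["name"]} lacks capabilities needed for ports 53/67/69: {sorted(missing)}')
    return findings


# Constructed sample: dnsmasq as uid 65534 with exactly the three net caps (0x3400).
SAMPLE_LEAST_PRIV = """\
Name:\tdnsmasq
Umask:\t0022
State:\tS (sleeping)
Pid:\t1234
Uid:\t65534\t65534\t65534\t65534
Gid:\t65534\t65534\t65534\t65534
CapInh:\t0000000000000000
CapPrm:\t0000000000003400
CapEff:\t0000000000003400
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000003400
"""

# Constructed sample: the traditional root start, holding the full capability set.
SAMPLE_ROOT = (
    SAMPLE_LEAST_PRIV
    .replace("Uid:\t65534\t65534\t65534\t65534", "Uid:\t0\t0\t0\t0")
    .replace("CapPrm:\t0000000000003400", "CapPrm:\t000001ffffffffff")
    .replace("CapEff:\t0000000000003400", "CapEff:\t000001ffffffffff")
)

if __name__ == "__main__":
    # Usage on a live host: python3 capaudit.py <pid>; with no argument the sample is audited.
    if len(sys.argv) > 1:
        with open(f"/proc/{sys.argv[1]}/status") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LEAST_PRIV
    problems = audit(text)
    print("\n".join(problems) if problems else "ok: non-root with exactly the expected net capabilities")
```

Run against the pid of a dnsmasq started with `--user` plus the three capabilities, an empty result confirms the least-privilege profile; run against a root-started instance it reports both the uid and the large set of capabilities the process would never need for DNS, DHCP or TFTP.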