On 15/09/2019 08:00, Tore Anderson wrote:
> * Simon Kelley
> 
>> http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=90d7c6b97dbae2c913e7bb7af9c6c0f874493092
>>
>> should fix this, if I've understood it right.
> 
> Hi Simon,
> 
> Not quite. With this patch, Dnsmasq does refuse to start as non-root:
> 
> $ src/dnsmasq 
> dnsmasq: process is missing required capability NET_ADMIN
> 
> However, when started as root, it still answers REFUSED:
> 
> $ sudo src/dnsmasq & sleep 1; dig @127.0.0.1 -p 5353 fud.no A +vc +short
> [1] 14179
> dnsmasq[14181]: started, version 2.80-73-g90d7c6b cachesize 150
> dnsmasq[14181]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n 
> no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect 
> inotify dumpfile
> dnsmasq[14181]: using nameserver 1.1.1.1#53(via wlp2s0)
> dnsmasq[14181]: cleared cache
> dnsmasq[14186]: query[A] fud.no from 127.0.0.1
> dnsmasq[14186]: config error is REFUSED
> 
> It is clearly related to privileges, because if I add «-d» to the Dnsmasq 
> command line, it works:
> 
> $ sudo src/dnsmasq -d & sleep 1; dig @127.0.0.1 -p 5353 fud.no A +vc +short
> [1] 15333
> dnsmasq[15335]: started, version 2.80-73-g90d7c6b cachesize 150
> dnsmasq[15335]: compile time options: IPv6 GNU-getopt no-DBus no-UBus no-i18n 
> no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect 
> inotify dumpfile
> dnsmasq[15335]: using nameserver 1.1.1.1#53(via wlp2s0)
> dnsmasq[15335]: cleared cache
> dnsmasq[15335]: query[A] fud.no from 127.0.0.1
> dnsmasq[15335]: forwarded fud.no to 1.1.1.1
> dnsmasq[15335]: reply fud.no is 87.238.59.19
> 87.238.59.19
> 
> /etc/dnsmasq.conf contains:
> 
> keep-in-foreground
> log-facility=-
> log-queries
> no-hosts
> no-resolv
> port=5353
> server=1.1.1.1@wlp2s0
> 
> Tore
> 


I got the wrong capability, it needs CAP_NET_RAW, not CAP_NET_ADMIN. Fix
pushed to git.


Cheers,

Simon.
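The two things the fix hinges on, shown as an added example (my own code, not dnsmasq's and not from the thread): reading the effective capability set through the raw capget syscall without libcap, and probing the SO_BINDTODEVICE operation that a server=ADDR@IFACE entry relies on, which the kernel gates on CAP_NET_RAW, not CAP_NET_ADMIN. The interface name `lo` is assumed to exist; on recent kernels the probe may succeed even without the capability, so the program reports what this machine does rather than assuming.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Returns 1 if the calling process holds `cap` in its effective set,
 * 0 if not, -1 if capget() itself failed.  The raw syscall is used so
 * the program has no libcap dependency. */
static int have_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) ? 1 : 0;
}

/* Binds a fresh UDP socket to `ifname`, the operation needed to honour
 * server=1.1.1.1@wlp2s0.  Returns 0 on success, otherwise the errno the
 * kernel reported (EPERM: capability missing; ENODEV: no such interface). */
static int probe_bindtodevice(const char *ifname)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return errno;
    int rc = setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname) + 1);
    int err = rc == 0 ? 0 : errno;
    close(fd);
    return err;
}

int main(void)
{
    int have = have_effective_cap(CAP_NET_RAW);
    int err = probe_bindtodevice("lo");   /* "lo" assumed to exist */
    printf("CAP_NET_RAW effective: %d, SO_BINDTODEVICE(lo): %s\n",
           have, err ? strerror(err) : "ok");
    /* The startup check the fix adds: fail early and loudly here rather
     * than later with a confusing "config error is REFUSED" reply. */
    if (have != 1 && err == EPERM) {
        fprintf(stderr, "process is missing required capability NET_RAW\n");
        return 1;
    }
    return 0;
}
```

Run it once as root and once as an unprivileged user (or under `setpriv --inh-caps=-net_raw`-style tooling) to see the two outcomes Tore observed.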


_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss