Re: [Dnsmasq-discuss] Starting as non-root just works

2019-05-16 Thread Geert Stappers
On Tue, May 14, 2019 at 11:32:50AM +0200, Kristoffel Pirard wrote:
> On Mon, May 13, 2019 at 11:35 PM Geert Stappers wrote:
> > On Mon, May 13, 2019 at 12:51:09PM +0200, Kristoffel Pirard wrote:
> > > On Mon, 13 May 2019, 12:36 Geert Stappers wrote:
> > > > On 13-05-2019 11:02, Roy Marples wrote:
> > > > >
> > > > > The whole world is not Linux. Most other OSes don't have these caps.
> > > > >
> > > > >
> > > > In other words: the _normally_ in 'Dnsmasq must normally be started
> > > > as root' is correct.
> > > >
> > > So I should interpret it as 'unless you have a really good reason and you
> > > know what you're doing'?  (Which I answer 'no' to twice)
> >
> >
> > ] 'Dnsmasq must normally be started as root'
> >
> >
> > Read that as "Dnsmasq listens on ports 53, 67 and 69. That requires
> > root privilege."  Running a process as root does get that privilege.
> > Yes we did that all the time in days before the fear.
> >
> > Avoiding running Dnsmasq as root can be done with "net capabilities"
> >
> > > > >> We tested starting as non-root user, but with capabilities
> > > > >> cap_net_bind_service, cap_net_admin, cap_net_raw.
> >
> > :-)
> >
> > > > >> It currently seems to work,
> >
> > I do read that as "Confirming that cap_net_*** works"
> >
> >
> > > > >> but I'm debating if we should actually use this 'hack'.
> >
> >
> >
> >
> > Groeten
> > Geert Stappers
> > --
> > Leven en laten leven
> >
> Hi Geert,

Hello all,

 
> That is terribly helpful.  Thanks a lot!
> 
> Although 'the whole world is not Linux', your explanation "Dnsmasq listens
> on ports 53, 67 and 69. That requires root privilege; avoiding running
> dnsmasq as root can be done with net capabilities" seems a terrific
> candidate to go in the man page :)  Would you like me to prepare a pull
> request?

Yes, send in patches and see what happens.

Surely  do NOT wait for my permission   :-)

 

> Regards
> Kristoffel

For those who missed it:  The reply goes _below_ the previous text



Cheers
Geert Stappers


___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss


Re: [Dnsmasq-discuss] Starting as non-root just works

2019-05-14 Thread Kristoffel Pirard
Hi Geert,

That is terribly helpful.  Thanks a lot!

Although 'the whole world is not Linux', your explanation "Dnsmasq listens
on ports 53, 67 and 69. That requires root privilege; avoiding running
dnsmasq as root can be done with net capabilities" seems a terrific
candidate to go in the man page :)  Would you like me to prepare a pull
request?

Regards
Kristoffel


On Mon, May 13, 2019 at 11:35 PM Geert Stappers wrote:

> On Mon, May 13, 2019 at 12:51:09PM +0200, Kristoffel Pirard wrote:
> > On Mon, 13 May 2019, 12:36 Geert Stappers wrote:
> > > On 13-05-2019 11:02, Roy Marples wrote:
> > > > On 13/05/2019 09:31, Kristoffel Pirard wrote:
> > > >> The dnsmasq man page for the --user parameter says that "Dnsmasq must
> > > >> _normally_ be started as root".  We tested starting as non-root user,
> > > >> but with capabilities cap_net_bind_service, cap_net_admin,
> > > >> cap_net_raw.  It currently seems to work, but I'm debating if we
> > > >> should actually use this 'hack'.
> > > >>
> > > >> So should the ambiguous adverb 'normally' be removed from the
> > > >> documentation?  If not, what are the circumstances in which it is
> > > >> allowed to not start as root?
> > > >
> > > > The whole world is not Linux. Most other OSes don't have these caps.
> > > >
> > > >
> > > In other words: the _normally_ in 'Dnsmasq must normally be started
> > > as root' is correct.
> > >
> > So I should interpret it as 'unless you have a really good reason and you
> > know what you're doing'?  (Which I answer 'no' to twice)
>
>
> ] 'Dnsmasq must normally be started as root'
>
>
> Read that as "Dnsmasq listens on ports 53, 67 and 69. That requires
> root privilege."  Running a process as root does get that privilege.
> Yes we did that all the time in days before the fear.
>
> Avoiding running Dnsmasq as root can be done with "net capabilities"
>
> > > >> We tested starting as non-root user, but with capabilities
> > > >> cap_net_bind_service, cap_net_admin, cap_net_raw.
>
> :-)
>
> > > >> It currently seems to work,
>
> I do read that as "Confirming that cap_net_*** works"
>
>
> > > >> but I'm debating if we should actually use this 'hack'.
>
>
>
>
> Groeten
> Geert Stappers
> --
> Leven en laten leven
>


Re: [Dnsmasq-discuss] Starting as non-root just works

2019-05-13 Thread Geert Stappers
On Mon, May 13, 2019 at 12:51:09PM +0200, Kristoffel Pirard wrote:
> On Mon, 13 May 2019, 12:36 Geert Stappers wrote:
> > On 13-05-2019 11:02, Roy Marples wrote:
> > > On 13/05/2019 09:31, Kristoffel Pirard wrote:
> > >> The dnsmasq man page for the --user parameter says that "Dnsmasq must
> > >> _normally_ be started as root".  We tested starting as non-root user,
> > >> but with capabilities cap_net_bind_service, cap_net_admin,
> > >> cap_net_raw.  It currently seems to work, but I'm debating if we
> > >> should actually use this 'hack'.
> > >>
> > >> So should the ambiguous adverb 'normally' be removed from the
> > >> documentation?  If not, what are the circumstances in which it is
> > >> allowed to not start as root?
> > >
> > > The whole world is not Linux. Most other OSes don't have these caps.
> > >
> > >
> > In other words: the _normally_ in 'Dnsmasq must normally be started
> > as root' is correct.
> >
> So I should interpret it as 'unless you have a really good reason and you
> know what you're doing'?  (Which I answer 'no' to twice)


] 'Dnsmasq must normally be started as root'


Read that as "Dnsmasq listens on ports 53, 67 and 69. That requires
root privilege."  Running a process as root does get that privilege.
Yes we did that all the time in days before the fear.

Avoiding running Dnsmasq as root can be done with "net capabilities"

> > >> We tested starting as non-root user, but with capabilities
> > >> cap_net_bind_service, cap_net_admin, cap_net_raw.

:-)

> > >> It currently seems to work,

I do read that as "Confirming that cap_net_*** works"


> > >> but I'm debating if we should actually use this 'hack'.




Groeten
Geert Stappers
-- 
Leven en laten leven

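As an added example (not code from the dnsmasq project or from anyone in this thread), here is a small POSIX shell script that does the two things a practitioner would want before relying on the capability approach Geert describes: verify that the installed binary really carries cap_net_bind_service, cap_net_admin and cap_net_raw in its effective set, and, as the more robust alternative to setcap on the file, render a systemd drop-in that starts dnsmasq as an unprivileged user with those three as ambient capabilities. The binary path /usr/sbin/dnsmasq and the service account "dnsmasq" are assumptions; both the old and the new getcap output formats are handled.

```shell
#!/bin/sh
# Added example, not code from the dnsmasq project or from this thread.
# Checks whether a dnsmasq binary carries the three file capabilities the
# thread reports as sufficient (cap_net_bind_service for ports 53/67/69,
# cap_net_admin and cap_net_raw for the DHCP side), and renders a systemd
# drop-in that grants the same set as ambient capabilities instead.
# Assumptions (illustrative, adjust for your system): the binary lives at
# /usr/sbin/dnsmasq and the unprivileged service account is "dnsmasq".

REQUIRED_CAPS="cap_net_bind_service cap_net_admin cap_net_raw"
DNSMASQ_BIN=${DNSMASQ_BIN:-/usr/sbin/dnsmasq}
DNSMASQ_USER=${DNSMASQ_USER:-dnsmasq}

# missing_caps GETCAP_LINE
# Parses one line of getcap(8) output and prints, one per line, every
# required capability that is not both permitted and effective.
# Both output styles are accepted (one flag group per line is assumed):
#   libcap < 2.41:  /usr/sbin/dnsmasq = cap_net_bind_service,cap_net_raw+ep
#   libcap >= 2.41: /usr/sbin/dnsmasq cap_net_bind_service,cap_net_raw=ep
# An empty line (getcap prints nothing for a file without caps) means all
# three are missing. A set that is permitted but not effective ("+p") is
# reported as missing: unless the program raises the capability into its
# effective set itself, only "e" lets bind(2) on port 53 succeed.
missing_caps() {
    field=${1##* }                 # last whitespace-separated token
    case $field in
        *=*) names=${field%%=*}; flags=${field#*=} ;;
        *+*) names=${field%%+*}; flags=${field#*+} ;;
        *)   names=""; flags="" ;;
    esac
    case $flags in
        *e*p*|*p*e*) usable=1 ;;
        *)           usable=0 ;;
    esac
    for cap in $REQUIRED_CAPS; do
        found=0
        if [ "$usable" -eq 1 ]; then
            case ",$names," in *",$cap,"*) found=1 ;; esac
        fi
        [ "$found" -eq 1 ] || echo "$cap"
    done
}

# check_binary [PATH]
# Runs getcap on the installed binary; returns 0 when nothing is missing,
# 1 when something is, 2 when the libcap tools are not installed.
check_binary() {
    bin=${1:-$DNSMASQ_BIN}
    command -v getcap >/dev/null 2>&1 || { echo "getcap not found" >&2; return 2; }
    missing=$(missing_caps "$(getcap "$bin" 2>/dev/null)")
    if [ -z "$missing" ]; then
        echo "$bin: required capabilities present"
        return 0
    fi
    echo "$bin: missing capabilities:" $missing >&2
    echo "fix with: setcap '$(printf %s "$REQUIRED_CAPS" | tr ' ' ',')=ep' $bin" >&2
    return 1
}

# render_unit [USER]
# Prints a systemd drop-in (e.g. /etc/systemd/system/dnsmasq.service.d/
# nonroot.conf) that starts dnsmasq as an unprivileged user with only the
# three capabilities, granted as ambient caps. Unlike setcap on the file,
# this survives a package upgrade that replaces the binary (file caps are
# xattrs on the old inode), and it does not hand the capabilities to every
# other local user who can execute the binary.
render_unit() {
    user=${1:-$DNSMASQ_USER}
    caps=$(printf %s "$REQUIRED_CAPS" | tr '[:lower:]' '[:upper:]')
    cat <<EOF
[Service]
User=$user
AmbientCapabilities=$caps
CapabilityBoundingSet=$caps
NoNewPrivileges=yes
EOF
}

# Usage: sh caps.sh check [PATH]   or   sh caps.sh unit [USER]
case ${1-} in
    check) check_binary "${2-}" ;;
    unit)  render_unit "${2-}" ;;
esac
```

Run `sh caps.sh check` after a `setcap`, or `sh caps.sh unit > /etc/systemd/system/dnsmasq.service.d/nonroot.conf` followed by `systemctl daemon-reload`. Whichever route is used, the lease file, log and PID paths have to be writable by the unprivileged account and the configuration readable by it, and dnsmasq's own drop to --user has nothing left to do because the process never held root. Both routes are Linux-only, which is exactly Roy's point: elsewhere the binary still has to start as root and rely on dnsmasq's built-in privilege drop.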


Re: [Dnsmasq-discuss] Starting as non-root

2019-05-13 Thread Kristoffel Pirard
So I should interpret it as 'unless you have a really good reason and you
know what you're doing'?  (Which I answer 'no' to twice)

On Mon, 13 May 2019, 12:36 Geert Stappers wrote:

>
> On 13-05-2019 11:02, Roy Marples wrote:
> > On 13/05/2019 09:31, Kristoffel Pirard wrote:
> >> The dnsmasq man page for the --user parameter says that "Dnsmasq must
> >> _normally_ be started as root".  We tested starting as non-root user,
> >> but with capabilities cap_net_bind_service, cap_net_admin,
> >> cap_net_raw.  It currently seems to work, but I'm debating if we
> >> should actually use this 'hack'.
> >>
> >> So should the ambiguous adverb 'normally' be removed from the
> >> documentation?  If not, what are the circumstances in which it is
> >> allowed to not start as root?
> >
> > The whole world is not Linux. Most other OSes don't have these caps.
> >
> >
> In other words: the _normally_ in 'Dnsmasq must normally be started
> as root' is correct.
>
>
> Cheers
>
> Geert Stappers
>
>
>
>
>
>


Re: [Dnsmasq-discuss] Starting as non-root

2019-05-13 Thread Geert Stappers

On 13-05-2019 11:02, Roy Marples wrote:
> On 13/05/2019 09:31, Kristoffel Pirard wrote:
>> The dnsmasq man page for the --user parameter says that "Dnsmasq must
>> _normally_ be started as root".  We tested starting as non-root user,
>> but with capabilities cap_net_bind_service, cap_net_admin,
>> cap_net_raw.  It currently seems to work, but I'm debating if we
>> should actually use this 'hack'.
>>
>> So should the ambiguous adverb 'normally' be removed from the
>> documentation?  If not, what are the circumstances in which it is
>> allowed to not start as root?
>
> The whole world is not Linux. Most other OSes don't have these caps.
>
>
In other words: the _normally_ in 'Dnsmasq must normally be started
as root' is correct.


Cheers

Geert Stappers








Re: [Dnsmasq-discuss] Starting as non-root

2019-05-13 Thread Roy Marples

On 13/05/2019 09:31, Kristoffel Pirard wrote:
The dnsmasq man page for the --user parameter says that "Dnsmasq must 
_normally_ be started as root".  We tested starting as non-root user, 
but with capabilities cap_net_bind_service, cap_net_admin, cap_net_raw.  
It currently seems to work, but I'm debating if we should actually use 
this 'hack'.


So should the ambiguous adverb 'normally' be removed from the 
documentation?  If not, what are the circumstances in which it is 
allowed to not start as root?


The whole world is not Linux. Most other OSes don't have these caps.

Roy
