[OpenWrt-Devel] [PATCH/RFC] dnsmasq: run as dedicated UID/GID

Daniel Golle daniel at makrotopia.org
Mon Apr 25 14:25:54 EDT 2016


Hi John!

On Mon, Apr 25, 2016 at 06:28:47PM +0200, John Crispin wrote:
> 
> 
> On 22/04/2016 06:26, Daniel Golle wrote:
> > Running dnsmasq in a dedicated user/group allows matching its outgoing
> > traffic more easily using iptables' owner match.
> > Add UID/GID to the package metadata and append the user/group
> > parameters to the init script.
> > 
> > Signed-off-by: Daniel Golle <daniel at makrotopia.org>
> > ---
> >  package/network/services/dnsmasq/Makefile           | 1 +
> >  package/network/services/dnsmasq/files/dnsmasq.init | 4 +++-
> >  2 files changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
> > index a5c3740..9a0f165 100644
> > --- a/package/network/services/dnsmasq/Makefile
> > +++ b/package/network/services/dnsmasq/Makefile
> > @@ -34,6 +34,7 @@ define Package/dnsmasq/Default
> >    CATEGORY:=Base system
> >    TITLE:=DNS and DHCP server
> >    URL:=http://www.thekelleys.org.uk/dnsmasq/
> > +  USERID:=dnsmasq=65453:dnsmasq=65453
> 
> please use an id between 0-999. ideally check what debian uses.

This is what debian does (in dnsmasq package postinst):
---
# create a user to run as (code stolen from dovecot-common)
if [ "$1" = "configure" ]; then
  if [ -z "`id -u dnsmasq 2> /dev/null`" ]; then
    adduser --system  --home /var/lib/misc --gecos "dnsmasq" \
            --no-create-home --disabled-password \
            --quiet dnsmasq || true
  fi

  # Make the directory where we keep the pid file - this
  # has to be owned by "dnsmasq" so that the file can be unlinked.
  if [ ! -d /var/run/dnsmasq ]; then
    mkdir /var/run/dnsmasq
    chown dnsmasq:nogroup /var/run/dnsmasq
  fi
---

This is what wikipedia suggests:
https://en.wikipedia.org/wiki/User_identifier#Reserved_ranges

What we do in OpenWrt seems to be more similar to the FreeBSD'ish way
mentioned on that wikipedia page. However, FreeBSD doesn't have a UID
assigned for dnsmasq (but does for bind and unbound), see
http://svnweb.freebsd.org/ports/head/UIDs

Considering what you wrote and looking at the above, I guess choosing
a value between 100 and 499 would be the wisest thing to do, right?

So I'll pick 453, that's within that range and isn't allocated for
anything else in OpenWrt nor FreeBSD's UID register.

I reckon that UID allocation rules should be documented and enforced
for existing packages; a quick grep revealed that most packages use
a UID < 100, which should only be used in post-install scripts and such
according to LSB (which I wouldn't give much about).
Also, there are many packages in the feed installing UIDs > 999, which
is probably the convention you saw violated by using 65453 for dnsmasq;
I probably had a look at the portmap package build.

The only package in core seems to be
network/services/lldpd/Makefile:  USERID:=lldp=121:lldp=129
which is inside the range LSB suggests...

Other packages adding UIDs:

admin/zabbix/Makefile:  USERID:=zabbix=53:zabbix=53
libs/avahi/Makefile:  USERID:=avahi=105:avahi=105
libs/postgresql/Makefile:  USERID:=postgres=5432:postgres=5432
mail/dovecot/Makefile:  USERID:=dovecot=59:dovecot=59
mail/fdm/Makefile:  USERID:=_fdm=99:_fdm=99
multimedia/icecast/Makefile:  USERID:=icecast=87:icecast=87
net/transmission/Makefile:  USERID:=transmission=224:transmission=224
net/prosody/Makefile:  USERID:=prosody=54:prosody=54
net/knot/Makefile:	USERID:=knot=5353:knot=5353
net/openssh/Makefile:	USERID:=sshd=22:sshd=22
net/openssh/Makefile:	USERID:=sshd=22:sshd=22
net/mosquitto/Makefile:  USERID:=mosquitto=200:mosquitto=200
net/portmap/Makefile:  USERID:=rpc=65533:rpc=65533
net/privoxy/Makefile:  USERID:=privoxy=8118:privoxy=8118
net/ocserv/Makefile:  USERID:=ocserv=72:ocserv=72
net/ntpd/Makefile:  USERID:=ntp=123:ntp=123
net/dmapd/Makefile:  USERID:=dmapd=56:dmapd=56
net/bind/Makefile:USERID:=bind=57:bind=57
net/gnunet/Makefile:  USERID:=gnunet=400:gnunet=400
net/radicale/Makefile:  USERID:=radicale=5232:radicale=5232
net/tor/Makefile:  USERID:=tor=52:tor=52
net/chrony/Makefile:  USERID:=chrony=323:chrony=323
sound/pulseaudio/Makefile:  USERID:=pulse=51:pulse=51
sound/upmpdcli/Makefile:  USERID:=upmpdcli=89:upmpdcli=89
sound/pianod/Makefile:  USERID:=pianod=88:pianod=88


Cheers


Daniel

 
> 	John
> 
> >  endef
> >  
> >  define Package/dnsmasq
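Review bot: the USERID value 65453 is outside the 100-999 range asked for in this thread, and the 453 that Daniel settles on in his reply has to be carried into this hunk before it is merged, so please respin it as `USERID:=dnsmasq=453:dnsmasq=453`. Two things worth keeping in mind when respinning: the line sits in Package/dnsmasq/Default, so every variant built from that template (including the `define Package/dnsmasq` that follows) gets the same account, which is what the init script needs; and the user name here is the single source of truth for the literal `dnsmasq` hardcoded in the init script's `--user=`/`--group=` and chown lines, so a later rename of either side without the other will stop the daemon from starting.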
> > diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
> > index 61ded6a..83fcbb0 100644
> > --- a/package/network/services/dnsmasq/files/dnsmasq.init
> > +++ b/package/network/services/dnsmasq/files/dnsmasq.init
> > @@ -218,6 +218,8 @@ dnsmasq() {
> >  	mkdir -p /tmp/hosts /tmp/dnsmasq.d
> >  	xappend "--addn-hosts=/tmp/hosts"
> >  	xappend "--conf-dir=/tmp/dnsmasq.d"
> > +	xappend "--user=dnsmasq"
> > +	xappend "--group=dnsmasq"
> >  
> >  	echo >> $CONFIGFILE
> >  
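Review bot: the two xappend lines add `--user=dnsmasq`/`--group=dnsmasq` unconditionally, so dnsmasq now drops root to that account after start-up and every path it writes afterwards must be writable by it, but the hunk leaves the `mkdir -p /tmp/hosts /tmp/dnsmasq.d` directly above untouched (created as root) and the only ownership change in the whole patch is the one for `$TIMESTAMPFILE` in the next hunk. The commit message should state which files dnsmasq writes as the unprivileged user (lease file, pid file, `$TIMESTAMPFILE`) and how each is made writable, and it would be cleaner to put the account name in one variable used by both xappend calls and the chown rather than repeating the literal three times, so that a change of the name in USERID cannot silently diverge from the init script.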
> > @@ -589,7 +591,7 @@ start_service() {
> >  
> >  	if [ ! -f "$TIMESTAMPFILE" ]; then
> >  		touch "$TIMESTAMPFILE"
> > -		chown nobody.nogroup "$TIMESTAMPFILE"
> > +		chown dnsmasq.dnsmasq "$TIMESTAMPFILE"
> >  	fi
> >  
> >  	echo "# auto-generated config file from /etc/config/dhcp" > $CONFIGFILE
> > 
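Review bot: the `chown dnsmasq.dnsmasq "$TIMESTAMPFILE"` only runs inside `if [ ! -f "$TIMESTAMPFILE" ]`, so on a device upgraded from a build that created the file with `chown nobody.nogroup`, the existing file keeps its nobody ownership and the daemon, now running as dnsmasq, cannot write to it (the existing chown to the daemon's user implies it has to). Keep the `touch` inside the conditional and move the chown after it, where it is idempotent and corrects ownership on every start:
	[ -f "$TIMESTAMPFILE" ] || touch "$TIMESTAMPFILE"
	chown dnsmasq:dnsmasq "$TIMESTAMPFILE"
Minor: `dnsmasq:dnsmasq` is the POSIX spelling of the user/group argument; the dot separator is a GNU/busybox extension.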
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
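The UID-picking procedure described in the reply (choose a value in the 100-999 range, check that nothing else in the tree already claims it) can be scripted against the `grep USERID` output shown above. The following is an added example, not code from this thread or from OpenWrt's build system: a POSIX sh audit that parses `USERID:=user=uid:group=gid` lines, reports allocations outside a range, reports UIDs claimed by two different names, and answers whether a candidate UID is free. The embedded sample is constructed from the listing in the mail plus one hypothetical package (`net/example`) that deliberately collides with chrony's 323; the script name `uidcheck.sh` is also hypothetical. It does not consult FreeBSD's UID register.

```shell
#!/bin/sh
# Added example, not code from this thread or from OpenWrt: audit the
# USERID:=user=uid:group=gid allocations in package Makefiles and check
# whether a candidate UID (453 in the thread) is still free.
#
# Input is the "path:  USERID:=user=uid:group=gid" form that
#   grep -r '^[[:space:]]*USERID:=' package/ feeds/
# prints over a source tree. SAMPLE_USERIDS is a constructed sample taken
# from the listing in the mail plus one hypothetical package (net/example)
# that deliberately collides with chrony's 323, so the collision report has
# something to show when run offline.
SAMPLE_USERIDS='network/services/lldpd/Makefile:  USERID:=lldp=121:lldp=129
admin/zabbix/Makefile:  USERID:=zabbix=53:zabbix=53
libs/postgresql/Makefile:  USERID:=postgres=5432:postgres=5432
net/openssh/Makefile:  USERID:=sshd=22:sshd=22
net/portmap/Makefile:  USERID:=rpc=65533:rpc=65533
net/gnunet/Makefile:  USERID:=gnunet=400:gnunet=400
net/chrony/Makefile:  USERID:=chrony=323:chrony=323
net/example/Makefile:  USERID:=example=323:example=323'

# stdin: grep output as above. stdout: one "path user uid group gid" line
# per USERID entry; the grep prefix, whitespace (spaces or tab) and Makefile
# syntax are stripped, lines that are not USERID definitions are dropped.
parse_userids() {
    sed -n 's/^\([^:]*\):[[:space:]]*USERID:=\([^=]*\)=\([0-9]*\):\([^=]*\)=\([0-9]*\).*$/\1 \2 \3 \4 \5/p'
}

# uid_is_free N: return 0 if no entry on stdin uses N as either uid or gid.
uid_is_free() {
    if parse_userids | awk -v c="$1" \
        '$3 == c || $5 == c { hit = 1 } END { if (hit) exit 0; exit 1 }'; then
        return 1
    fi
    return 0
}

# out_of_range [LO] [HI]: print "path user uid gid" for every entry whose
# uid or gid lies outside LO..HI; defaults to the 100-999 range asked for
# in the thread.
out_of_range() {
    lo="${1:-100}" hi="${2:-999}"
    parse_userids | awk -v lo="$lo" -v hi="$hi" \
        '$3 < lo || $3 > hi || $5 < lo || $5 > hi { print $1, $2, $3, $5 }'
}

# duplicate_uids: print "uid: name1 name2 ..." for every uid claimed by more
# than one distinct user name. The same name listed twice (the mail's grep
# shows openssh twice) is not a collision and is counted once.
duplicate_uids() {
    parse_userids | awk '
        !seen[$3, $2]++ { names[$3] = (names[$3] == "" ? "" : names[$3] " ") $2; n[$3]++ }
        END { for (u in n) if (n[u] > 1) print u ": " names[u] }' | sort
}

# Demo run on the constructed sample: sh uidcheck.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "outside 100-999:"; printf '%s\n' "$SAMPLE_USERIDS" | out_of_range
    echo "collisions:";      printf '%s\n' "$SAMPLE_USERIDS" | duplicate_uids
    printf '%s\n' "$SAMPLE_USERIDS" | uid_is_free 453 && echo "453 is free"
fi
```

Against a real checkout, feed the functions the live grep instead of the sample, e.g. `grep -r '^[[:space:]]*USERID:=' package/ feeds/ | out_of_range 100 999`, and run the same pipe through `uid_is_free 453` before committing a new USERID line. Note that a gid is checked as well as a uid, since lldpd's `lldp=121:lldp=129` shows the two need not match.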