Bug 112682 - automated chroot of dnsmasq
Summary: automated chroot of dnsmasq
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: x86 Linux
Importance: High enhancement
Assignee: Jon Portnoy (RETIRED)
Reported: 2005-11-16 02:33 UTC by j.habenicht
Modified: 2006-05-05 06:22 UTC (History)



Attachments
config file for /etc/conf.d/dnsmasq (dnsmask-confd.diff, 487 bytes, patch)
2005-11-16 04:09 UTC, j.habenicht
init script in /etc/init.d/dnsmasq (dnsmask-init.diff, 4.43 KB, patch)
2005-11-16 04:11 UTC, j.habenicht

Description j.habenicht 2005-11-16 02:33:28 UTC
The dnsmasq is not prepared for a chroot environment. I did enhance the config
and the init script to prepare everything as needed for running dnsmasq in
chroot. This includes copying of libs and programs, as well as stripped passwd
and group files.
Includes extensive checking of config before doing action in the init script.

Reproducible: Always
Steps to Reproduce:
1. Try to setup a chroot for dnsmasq by hand
2. Forget to copy relevant libs libnss*.so* to chroot environment
3. Wonder why dnsmasq stays in root uid within chroot program.

An strace showed that the libnss*.so* were missing.
I thought of automating the steps of copying the files into chroot directory to
ease the setup of dnsmasq inside chroot for beginners.
Same for group and password files.

sample config, /etc/conf.d/dnsmasq:
# Config file for /etc/init.d/dnsmasq

# See the dnsmasq(8) man page for possible options to put here.
DNSMASQ_OPTS=""

# user & group replacement
DNSMASQ_USER="named"
DNSMASQ_GROUP="named"

# run in chroot env
#DNSMASQ_USE_CHROOT="no"
DNSMASQ_USE_CHROOT="yes"

# only valid if DNSMASQ_USE_CHROOT=yes above
#
# chroot dir
DNSMASQ_CHROOT_DIR="/opt/chroot/dnsmasq/"


init script, /etc/init.d/dnsmasq:
#!/sbin/runscript
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License, v2 or later
# $Header: /var/cvsroot/gentoo-x86/net-dns/dnsmasq/files/dnsmasq-init,v 1.6 2004/07/14 23:23:32 agriffis Exp $

depend() {
        provide dns
        need net
}


checkconfig() {

        # everything below only matters when running inside a chroot
        [ "${DNSMASQ_USE_CHROOT}" = "yes" ] || return 0

        if [ -z "${DNSMASQ_CHROOT_DIR}" ] ; then
                eerror "You specified dnsmasq to run with chroot,"
                eerror " but didn't give a directory in DNSMASQ_CHROOT_DIR."
                eerror "Please update /etc/conf.d/dnsmasq"
                return 1
        fi

        if [ ! -d "${DNSMASQ_CHROOT_DIR}" ] ; then
                eerror "\"${DNSMASQ_CHROOT_DIR}\" is no directory."
                eerror "Please update DNSMASQ_CHROOT_DIR in /etc/conf.d/dnsmasq"
                return 1
        fi

        # -ef compares device and inode: it catches a symlink to "/" and,
        # unlike comparing bare inode numbers from "ls -id", does not reject a
        # separate filesystem mounted at the chroot dir (whose root directory
        # may reuse inode 2, just like "/")
        if [ "${DNSMASQ_CHROOT_DIR}" -ef / ] ; then
                eerror "\"${DNSMASQ_CHROOT_DIR}\" points to root directory."
                eerror "Please update DNSMASQ_CHROOT_DIR in /etc/conf.d/dnsmasq"
                return 1
        fi

        if [ -z "${DNSMASQ_USER}" ] ; then
                eerror "You have to give a user, else chroot makes no sense."
                eerror "Please update DNSMASQ_USER in /etc/conf.d/dnsmasq"
                return 1
        fi

        if ! /bin/id "${DNSMASQ_USER}" > /dev/null 2>&1 ; then
                eerror "Unknown user \"${DNSMASQ_USER}\"."
                eerror "Please update DNSMASQ_USER in /etc/conf.d/dnsmasq"
                return 1
        fi

        # -x: the group name has to match a whole line, not just part of one
        if [ -n "${DNSMASQ_GROUP}" ] ; then
                if ! /bin/cut -d ':' -f1 /etc/group | /bin/grep -qx "${DNSMASQ_GROUP}" ; then
                        eerror "Group ${DNSMASQ_GROUP} not found."
                        eerror "Please update DNSMASQ_GROUP in /etc/conf.d/dnsmasq"
                        return 1
                fi
        fi

}



start() {

        if ! checkconfig ; then
                eend 1
                return 1
        fi

        if [ "${DNSMASQ_USE_CHROOT}" = "yes" ] ; then

                ebegin "Starting dnsmasq in chroot environment"

                # dnsmasq writes its pidfile relative to the chroot; link it to
                # the usual place so stop() can find it later on
                /bin/ln -sf "${DNSMASQ_CHROOT_DIR}/var/run/dnsmasq.pid" /var/run/dnsmasq.pid

                # user and group dnsmasq drops to inside the chroot
                DNSMASQ_OPTS="${DNSMASQ_OPTS} --user=${DNSMASQ_USER}"
                if [ -z "${DNSMASQ_GROUP}" ] ; then
                        DNSMASQ_GROUP="`/bin/id -gn "${DNSMASQ_USER}"`"
                fi
                DNSMASQ_OPTS="${DNSMASQ_OPTS} --group=${DNSMASQ_GROUP}"


                # prepare chroot env

                # make directories (/var/run is where the pidfile ends up)
                for A in /etc/ppp /lib /usr/sbin /var/run; do
                        if [ ! -d "${DNSMASQ_CHROOT_DIR}/${A}" ] ; then
                                if ! /bin/mkdir -p "${DNSMASQ_CHROOT_DIR}/${A}" ; then
                                        eerror "Can not create directory ${DNSMASQ_CHROOT_DIR}/${A}. Bailing out"
                                        eend 1
                                        return 1
                                fi
                        fi
                done

                # copy config files (-L follows symlinks so real files land in the chroot)
                for A in /etc/dnsmasq.conf /etc/localtime /etc/hosts /etc/nsswitch.conf /etc/resolv.conf ; do
                        if ! /bin/cp -aLf "${A}" "${DNSMASQ_CHROOT_DIR}/etc/." ; then
                                eerror "Can not copy \"${A}\" to ${DNSMASQ_CHROOT_DIR}/etc/. Bailing out"
                                eend 1
                                return 1
                        fi
                done

                # copy libraries; libnss_compat is what lets dnsmasq look up the
                # user/group names and actually drop root inside the chroot
                # (list is for x86 glibc, compare with "ldd /usr/sbin/dnsmasq")
                for A in /lib/ld-linux.so.2 /lib/libc.so.6 /lib/libnsl.so.1 /lib/libnss_compat.so.2 ; do
                        if ! /bin/cp -aLf "${A}" "${DNSMASQ_CHROOT_DIR}/lib/."; then
                                eerror "Can not copy \"${A}\" to ${DNSMASQ_CHROOT_DIR}/lib/. Bailing out"
                                eend 1
                                return 1
                        fi
                done


                # again test for chroot dir in "/"
                # this is a security measure to prevent stripping /etc/passwd of the root account
                if [ "${DNSMASQ_CHROOT_DIR}" -ef / ] ; then
                        eerror "\"${DNSMASQ_CHROOT_DIR}\" points to root directory."
                        eerror "In danger of erasing parts of the password database, exiting"
                        eend 1
                        return 1
                fi

                # stripped passwd/group: keep only the entry whose name field
                # matches ("grep -w" would also match the name inside another
                # account's GECOS or home directory field)
                if [ -f "${DNSMASQ_CHROOT_DIR}/etc/passwd" ] ; then
                        /bin/mv -f "${DNSMASQ_CHROOT_DIR}/etc/passwd" "${DNSMASQ_CHROOT_DIR}/etc/passwd.bak"
                fi
                /bin/grep "^${DNSMASQ_USER}:" /etc/passwd > "${DNSMASQ_CHROOT_DIR}/etc/passwd"
                if [ -f "${DNSMASQ_CHROOT_DIR}/etc/group" ] ; then
                        /bin/mv -f "${DNSMASQ_CHROOT_DIR}/etc/group" "${DNSMASQ_CHROOT_DIR}/etc/group.bak"
                fi
                /bin/grep "^${DNSMASQ_GROUP}:" /etc/group > "${DNSMASQ_CHROOT_DIR}/etc/group"

                /bin/cp -aLf /usr/sbin/dnsmasq "${DNSMASQ_CHROOT_DIR}/usr/sbin/."


                # start in chroot (the pidfile path is relative to the chroot)
                /bin/chroot "${DNSMASQ_CHROOT_DIR}" /usr/sbin/dnsmasq -x /var/run/dnsmasq.pid ${DNSMASQ_OPTS}
        else
                ebegin "Starting dnsmasq"
                /usr/sbin/dnsmasq -x /var/run/dnsmasq.pid ${DNSMASQ_OPTS}
        fi
        eend $?
}

stop() {
        ebegin "Stopping dnsmasq"
        start-stop-daemon --stop --quiet --pidfile /var/run/dnsmasq.pid
        local ret=$?
        # remove the (maybe dangling) symlink left over from a chroot start;
        # report the status of the stop itself, not of this rm
        /bin/rm -f /var/run/dnsmasq.pid
        eend ${ret}
}



system info:
[ebuild   R   ] net-dns/dnsmasq-2.22  0 kB


Portage 2.0.51.22-r3 (default-linux/x86/2005.1, gcc-3.3.6, glibc-2.3.5-r2, 2.6.13-gentoo-r5 i686)
=================================================================
System uname: 2.6.13-gentoo-r5 i686 mobile AMD Athlon(tm) XP 2400+
Gentoo Base System version 1.6.13
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon-xp -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror
http://ftp.uni-erlangen.de/pub/mirrors/gentoo
http://mirrors.sec.informatik.tu-darmstadt.de/gentoo
http://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo
http://pandemonium.tiscali.de/pub/gentoo http://gentoo.intergenia.de/
http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="x86 alsa apm bash-completion berkdb bitmap-fonts bzip2 caps clamav crypt
cups eds emboss encode expat foomaticdb gdbm gif gnome gpm gstreamer imlib ipv6
jpeg libg++ libwww lm_sensors mad mhash mikmod mmx motif mp3 mpeg ncurses nls
ogg oggvorbis oss pam pdflib perl png python quicktime readline sdl spell sse
ssl tcpd truetype-fonts type1-fonts udev userlocales vorbis xml2 xmms zlib
userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2005-11-16 02:36:10 UTC
Please, don't paste ebuilds inline, *attach* them (preferably, just a unified
diff against the latest ebuild). Reopen when you've done so. Thanks. 
Comment 2 j.habenicht 2005-11-16 04:09:50 UTC
Created attachment 72990 [details, diff]
config file for /etc/conf.d/dnsmasq

added variables to enable and configure chroot environment. chroot disabled by
default
Comment 3 j.habenicht 2005-11-16 04:11:42 UTC
Created attachment 72991 [details, diff]
init script in /etc/init.d/dnsmasq

checks carefully the settings, copies all relevant files (config, lib, program)
to chroot directory, start dnsmasq using "chroot"
Comment 4 j.habenicht 2005-11-16 04:13:12 UTC
uploaded diffs of init and config file.
Comment 5 Jon Portnoy (RETIRED) gentoo-dev 2006-01-10 20:35:20 UTC
I'm not sure this is worth the maintenance & support hassle on my end. dnsmasq is a very small nameserver intended for LAN use; I suspect very few users want or need this functionality else they'd be using a more sophisticated nameserver, but I'm open to second opinions.
Comment 6 j.habenicht 2006-01-12 02:29:37 UTC
(In reply to comment #5)
> I'm not sure this is worth the maintenance & support hassle on my end. dnsmasq
> is a very small nameserver intended for LAN use; I suspect very few users want
> or need this functionality else they'd be using a more sophisticated
> nameserver, but I'm open to second opinions.
> 
Well, dnsmasq seems to be the perfect program both being easy to use and easy to setup. For my purpose the chroot was missing.
I got 2 internal nets: an easy one for my private computers and a "hot" one (my DMZ) which may be the source of an attack to my gateway which serves DNS to both nets. I intended to give enhanced security to my gateway by using a chroot env. And yes: I don't want to take another program because I consider the easiness of configuring dnsmasq quite secure.

Hm, I know that ease of maintenance is a good point.
Is it possible to refer to my WEB site/email, so other people with the same problem can copy this approach?


cu
J

Comment 7 j.habenicht 2006-05-05 06:22:42 UTC
Description of converting the server to chrooted environment left at http://gentoo-wiki.com/HOWTO_put_dnsmasq_in_a_chroot_jail

Bug shall be closed

regards