Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 587586

Summary: net-dns/dnsmasq: improve systemd unit (including security hardening)
Product: Gentoo Linux Reporter: Craig Andrews <candrews>
Component: Current packagesAssignee: Patrick McLean <chutzpah>
Status: UNCONFIRMED ---    
Severity: enhancement CC: bkohler, candrews, systemd
Priority: Normal Keywords: PATCH
Version: unspecified   
Hardware: All   
OS: Linux   
See Also:
Package list:
Runtime testing required: ---
Attachments: diff based on c1 PR link

Description Craig Andrews gentoo-dev 2016-06-30 14:17:20 UTC
The dnsmasq.service systemd unit can be improved by having dnsmasq never run as root, restricting capabilities as much as possible, and limiting file system access.

This has been discussed on the forums at
Comment 1 Craig Andrews gentoo-dev 2016-06-30 14:18:00 UTC
Comment 2 Ben Kohler gentoo-dev 2016-06-30 14:40:10 UTC
Created attachment 439234 [details, diff]
diff based on c1 PR link
Comment 3 Craig Andrews gentoo-dev 2016-06-30 15:01:03 UTC
I've posted to the upstream mailing list requesting that upstream distribute a systemd unit and that it have these features:
Comment 4 Matthias Maier gentoo-dev 2016-08-08 21:12:12 UTC
The configuration option


is only with systemd-229, or newer.

While I agree that some system hardening is a nice feature to introduce I would suggest that we let dnsmasq still handle the suid and sguid bits on its own. This has the advantage that the daemon can actually drop privileges/capabilities once it is done with setup.

See #587588