Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 587586

Summary: net-dns/dnsmasq: improve systemd unit (including security hardening)
Product: Gentoo Linux Reporter: Craig Andrews <candrews>
Component: Current packagesAssignee: Patrick McLean <chutzpah>
Status: UNCONFIRMED ---    
Severity: enhancement CC: bkohler, candrews, systemd
Priority: Normal Keywords: PATCH
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=587588
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: diff based on c1 PR link

Description Craig Andrews gentoo-dev 2016-06-30 14:17:20 UTC 
The dnsmasq.service systemd unit can be improved by having dnsmasq never run as root, restricting capabilities as much as possible, and limiting file system access.

This has been discussed on the forums at https://forums.gentoo.org/viewtopic-p-7907924.html?sid=03b7d4158d14b19351a6c772b87a2fbd
Comment 1 Craig Andrews gentoo-dev 2016-06-30 14:18:00 UTC 
https://github.com/gentoo/gentoo/pull/1798
Comment 2 Ben Kohler gentoo-dev 2016-06-30 14:40:10 UTC 
Created attachment 439234 [details, diff]
diff based on c1 PR link
Comment 3 Craig Andrews gentoo-dev 2016-06-30 15:01:03 UTC 
I've posted to the upstream mailing list requesting that upstream distribute a systemd unit and that it have these features: http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2016q2/010656.html
Comment 4 Matthias Maier gentoo-dev 2016-08-08 21:12:12 UTC 
The configuration option

  AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN

is only with systemd-229, or newer.

While I agree that some system hardening is a nice feature to introduce I would suggest that we let dnsmasq still handle the suid and sguid bits on its own. This has the advantage that the daemon can actually drop privileges/capabilities once it is done with setup.

See #587588