Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 908800

Summary: Dnsmasq seems to send root-originated answers to local queries
Product: Gentoo Security Reporter: Anek Novikov <movepoint>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Anek Novikov 2023-06-18 19:29:58 UTC 
I've played with nftables and came up with situation where I couldn't allow local queries to dnsmasq to be answered, while requests to 8.8.8.8 and 8.8.4.4
went on OK. The issue was found to be at my nft:skuid usage.
After server reboot, I was able to reproduce.
Here are configs&logs:
---====---r
#!/sbin/nft -f
flush ruleset
table inet blackh {
	chain input {
		type filter hook input priority 0; policy drop;
		iif "lo" accept
		ct state 0x1 drop
		ct state 0x2 accept
		jump ping
		jump dnsmasq
		jump portage
		jump antminer-dhcp
		jump rostelecom-dhcp
		jump tor
		log prefix "nft.input"
		drop
	}

	chain output {
		type filter hook output priority 0; policy drop;
		oif "lo" meta skuid 43 accept
		jump ping
		jump dnsmasq
		jump portage
		jump rostelecom-dhcp
		jump antminer-dhcp
		jump tor
		log prefix "nft.output"
		drop
	}

	chain ping {
		iif "enp6s1f1" icmp type 0 log prefix "RT-PING"
		iif "enp6s1f1" icmp type 0 accept
		oif "enp6s1f1" icmp type 8 log prefix "RT-PING"
		oif "enp6s1f1" icmp type 8 accept
		iif "enp6s1f0" icmp type 0 log prefix "PING-ANT"
		iif "enp6s1f0" icmp type 0 accept
		oif "enp6s1f0" icmp type 8 log prefix "PING-ANT"
		oif "enp6s1f0" icmp type 8 accept
	}

	chain dnsmasq {
		iif "enp6s1f1" udp sport 53 accept
		oif "enp6s1f1" udp dport 53 meta skuid 275 accept
		oif "lo" udp sport 53 log flags skuid
		oif "lo" udp sport 53 skuid "dnsmasq" accept
		oif "lo" udp dport 53 accept
	}

	chain portage {
		iif "enp6s1f1" meta skuid 250 accept
		oif "enp6s1f1" meta skuid 250 accept
	}

	chain rostelecom-dhcp {
		iif "enp6s1f1" udp sport 67 udp dport 68 log prefix "RT-DHCP"
		iif "enp6s1f1" udp sport 67 udp dport 68 accept
	}

	chain antminer-dhcp {
		iif "enp6s1f0" udp sport 68 udp dport 67 log prefix "DHCP-ANT"
		iif "enp6s1f0" udp sport 68 udp dport 67 accept
		oif "enp6s1f0" udp sport 67 udp dport 68 log prefix "DHCP-ANT"
		oif "enp6s1f0" udp sport 67 udp dport 68 accept
	}

	chain tor {
		iif "lo" tcp dport 9111 accept
		iif "lo" tcp sport 9111 accept
		oif "lo" tcp sport 9111 accept
		oif "lo" tcp dport 9111 accept
		meta skuid 43 oif "enp6s1f1" tcp dport 9003 ip daddr 105.108.116.155 accept
		meta skuid 43 oif "enp6s1f1" tcp dport 8000 ip daddr 108.56.180.213 accept
		meta skuid 43 oif "enp6s1f1" tcp dport 47081 ip daddr 78.47.90.114 accept
		meta skuid 43 oif "enp6s1f1" tcp dport 4083 ip daddr 91.107.200.52 accept
	}
}
---====---r
Jun 19 00:23:46 descend kernel: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=42730 DF PROTO=UDP SPT=53 DPT=41500 LEN=59 UID=0 GID=0 
Jun 19 00:23:46 descend kernel: nft.outputIN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=42730 DF PROTO=UDP SPT=53 DPT=41500 LEN=59 
anek@descend ~ $
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-19 03:13:14 UTC 
I'm not really sure what the problem is here, what in particular is the security boundary/expectation being crossed?
Comment 2 Anek Novikov 2023-06-19 07:30:53 UTC 
I haven't any issue with this, but just noticed this at the very end of the day.
I thought of this as of bug in either kernel or dnsmasq.
Just needed to post it somewhere, and security could very well be involved.
Comment 3 Anek Novikov 2023-06-19 07:45:29 UTC 
So the issue is that, although dnsmasq is told to drop root priveleges in config, and clearly does that, as `ps aux` shows user `dnsmasq`, it just doesn't do it really, that's strange.
Comment 4 Anek Novikov 2023-06-19 09:08:07 UTC 
I've tried to put DNSmasq at unpriveleged 5353, issue remains
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-19 15:18:37 UTC 
I admit I'm not at all familiar with the internals of dnsmasq, but it sounds like it opens the socket as root and then drops privileges.
Comment 6 Anek Novikov 2023-06-19 19:35:58 UTC 
(In reply to John Helmert III from comment #5)
> I admit I'm not at all familiar with the internals of dnsmasq, but it sounds
> like it opens the socket as root and then drops privileges.

Now that it's been said to you in cleartext, I do understand that kernel internals keep uid, like, for FD, and this is expected behavior.
Well then, sorry for misunderstanding, I really did think that it's a bug.
If this looks OK, please close the bug.