Bugzilla – Bug 401648
dnsmasqd uses dialout group
Last modified: 2008-10-06 12:01:45 UTC
dnsmasqd uses the dialout group to access /etc/ppp/resolv.conf. The dialout group is not intended for that purpose IMO as it also gives you access to smpppd and some setuid binaries. IMO there are two possible solutions:
a) use a custom script in /etc/ppp/ip-up.d that creates a resolv.conf for dnsmasqd in a place dnsmasqd can access
b) patch dnsmasqd to open /etc/ppp/resolv.conf before dropping privileges and keep the fd. Not sure if that works as /etc/pppd/resolv.conf might not be recreated in-place
c) patch pppd/the ip-up script to use a public place for resolv.conf as the content of resolv.conf is not secret anyway.
Henne, how about writing the /etc/ppp/resolv.conf file somewhere to /var/... and putting a link to /etc/ppp/resolv.conf to that file? I can point dnsmasq to that file then and can take dnsmasq out of the dialout group.
ip-up is from sysconfig
The ppp daemon writes /etc/ppp/resolv.conf itself, not the ip-up scripts. I'd say, fix the ppp daemon to write it to e.g. /var/run/ppp/resolv.conf plus a link to it in /etc/ppp/resolv.conf for compatibility. Because the /-fs may be read-only in the future, it makes sense anyway. Let me know where it is written in case I have to update the ip-up scripts that just check the existence of the file.
BTW: What happens in case of two ppp interfaces providing DNS config? I think better would be to write e.g. /var/run/ppp/resolv.conf.ppp0 ... All together:
- write /var/run/ppp/resolv.conf.$INTERFACE
- link /var/run/ppp/resolv.conf -> resolv.conf.$INTERFACE [first one that goes up] or better write /var/run/ppp/resolv.conf with the content of all up resolv.conf.$INTERFACE files.
- link /etc/ppp/resolv.conf -> /var/run/ppp/resolv.conf
Okay, I have a patch that does /var/run/ppp_resolv.conf.$INTERFACE
Note: $INTERFACE is $IFNAME which is the name from the ifcfg file.
Created attachment 229290 [details] proposed patch
Created attachment 239052 [details] ip-up changes from Factory/STABLE (/etc/ppp/resolv.conf not used) As the patch shows, the /etc/ppp/resolv.conf is not used any more in the ip-up script. The patch from comment #6 looks IMO good. We currently don't have support for dnsmasq as forwarder in our netconfig scripts (see /etc/netconfig.d/{dns-resolver,dns-bind}), but it would make sense to implement one...
Uwe, when the patch from comment #6 is active, there is no single /etc/ppp/resolv.conf any more. netconfig should collect the nameservers provided by ppp interfaces and it would make sense to implement a netconfig dns-dnsmasq module that merges them and writes to one file for dnsmasq when NETCONFIG_DNS_FORWARDER="dnsmasq". What do you think, what's the best place for this file? Can you add some instructions to the dnsmasq config how to switch to dnsmasq as forwarder?
OK, I've implemented a netconfig dnsmasq module just now that is active when NETCONFIG_DNS_FORWARDER is "dnsmasq" in the /etc/sysconfig/network/config. Currently only in sysconfig svn trunk, I'll test it and submit the pkg tomorrow. Basically it writes the nameservers into /var/run/dnsmasq-forwarders.conf in resolv.conf format. Uwe will add a comment etc. about it to the dnsmasq package and a warning to the init script in case /etc/ppp/resolv.conf is in use. Hendrik, let's submit the patch from comment #6 to STABLE tomorrow. OK?
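A constructed illustration of the merge step described in the thread (per-interface ppp resolv.conf files collected into one resolv.conf-format file that dnsmasq can read without dialout group membership). This is an added example, not the sysconfig dns-dnsmasq module's own code; it assumes the /var/run/ppp_resolv.conf.$INTERFACE naming from comment #6 and the /var/run/dnsmasq-forwarders.conf target from the comment above, and takes the directory and output path as parameters so it can run against a temp dir.

```shell
#!/bin/sh
# Added example (not sysconfig's code): merge /var/run/ppp_resolv.conf.<iface>
# files into a single resolv.conf-format file for dnsmasq.
# Only well-formed "nameserver <addr>" lines are kept; duplicates across
# interfaces are dropped while first-seen order is preserved.
merge_ppp_resolv() {
    dir="$1"   # directory holding ppp_resolv.conf.<iface> files (assumed layout)
    out="$2"   # merged output, e.g. /var/run/dnsmasq-forwarders.conf
    tmp="$out.tmp.$$"
    : > "$tmp"
    for f in "$dir"/ppp_resolv.conf.*; do
        [ -f "$f" ] || continue
        grep -E '^nameserver[[:space:]]+[0-9A-Fa-f.:]+[[:space:]]*$' "$f" >> "$tmp" || true
    done
    # de-duplicate on the address field (column 2), keep first occurrence
    awk '!seen[$2]++ { print "nameserver " $2 }' "$tmp" > "$out"
    rm -f "$tmp"
    # world-readable: resolv.conf content is not secret, and the unprivileged
    # dnsmasq user must be able to read it without any extra group membership
    chmod 0644 "$out"
}

# Constructed sample input: two ppp interfaces sharing one nameserver.
demo_dir=$(mktemp -d)
printf 'nameserver 10.0.0.1\nnameserver 10.0.0.2\n' > "$demo_dir/ppp_resolv.conf.ppp0"
printf 'nameserver  10.0.0.2\nnameserver 192.0.2.53\nsearch example.net\n' > "$demo_dir/ppp_resolv.conf.ppp1"
merge_ppp_resolv "$demo_dir" "$demo_dir/dnsmasq-forwarders.conf"
cat "$demo_dir/dnsmasq-forwarders.conf"
```

With the sample files the merged output lists 10.0.0.1, 10.0.0.2 and 192.0.2.53 once each and drops the "search" line, which dnsmasq does not need for forwarding.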
submitted
I have added a README.SUSE file to the package and a warning to the init script when /etc/ppp is used by dnsmasq. User dnsmasq moved from group dialout to nogroup. Manpage fixed.
The sysconfig-0.71.4 package in STABLE / Factory contains the dns-dnsmasq netconfig module, dnsmasq package is adopted, ppp daemon submitted too... I think we can close this bug now. When something is missing please reopen...