Bug 269198 - dns/blocky: running daemon as non-root user is not supported
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
Importance: --- Affects Some People
Assignee: Nuno Teixeira
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-28 08:28 UTC by Benjamin Spiegel
Modified: 2023-01-31 09:17 UTC (History)
0 users

See Also:
bugzilla: maintainer-feedback? (eduardo)
eduardo: merge-quarterly+


Attachments
Patch with improved rc.d script (3.09 KB, patch)
2023-01-28 08:28 UTC, Benjamin Spiegel
Follow-up patch for pkg-message (972 bytes, text/plain)
2023-01-30 18:07 UTC, Benjamin Spiegel

Description Benjamin Spiegel 2023-01-28 08:28:03 UTC
Created attachment 239759 [details]
Patch with improved rc.d script

Most rc.d scripts support a standard <service name>_user option in /etc/rc.conf to run the service as the specified user. The rc.d script for dns/blocky doesn't observe this setting. As a result, it's not possible to run as a user other than root (blocky documentation recommends using a non-privileged user).

Please see the attached patch for an updated rc script that supports this option. Thanks for considering!


Steps to Reproduce:

Install dns/blocky, add the following to /etc/rc.conf and run service blocky start.

    blocky_user="<any user other than root>"
    blocky_enable="YES"


Actual Behavior:

The blocky daemon runs as root regardless of what's in /etc/rc.conf. Tested on 14.0-CURRENT and 13.1-RELEASE with blocky version 0.20_2 (from ports) and 0.20_1 (package).


Expected Behavior:

The blocky daemon should run as the specified user.


Proposed Solution:

The current rc.d script overrides the built-in start_cmd function (which checks for standard options like <name>_user and <name>_chroot). The replacement function doesn't check these options.

The patch instead defines the command in $command and $command_args vars, adds handling for file permissions to support non-root users, and does a few minor touch-ups.
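
Added example (not part of the original report and not the port's own script): a small audit that classifies an rc.d script by whether it overrides start_cmd and, if it does, whether it references a `*_user` variable at all. The two sample scripts and their paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an rc.d script by how it starts the service.
# Prints one of:
#   default       no start_cmd override; rc.subr applies <name>_user itself
#   handles-user  start_cmd overridden, but a *_user variable is referenced
#   ignores-user  start_cmd overridden and *_user never referenced
audit_rc_script() {
    # Drop comment lines so commented-out code does not count.
    body=$(grep -v '^[[:space:]]*#' "$1" || true)
    if ! printf '%s\n' "$body" | grep -Eq '(^|[[:space:];])start_cmd='; then
        echo default
    elif printf '%s\n' "$body" | grep -Eq '_user([^A-Za-z0-9_]|$)'; then
        echo handles-user
    else
        echo ignores-user
    fi
}

# Constructed samples (not the port's real script): the pattern the report
# describes, and the $command/$command_args form that keeps the default start.
write_samples() {
    cat > "$1/override.in" <<'EOF'
. /etc/rc.subr
name=blocky
rcvar=blocky_enable
start_cmd="${name}_start"
blocky_start()
{
    /usr/sbin/daemon -p /var/run/blocky.pid /usr/local/bin/blocky
}
run_rc_command "$1"
EOF
    cat > "$1/default.in" <<'EOF'
. /etc/rc.subr
name=blocky
rcvar=blocky_enable
command=/usr/sbin/daemon
command_args="-p /var/run/blocky.pid /usr/local/bin/blocky"
run_rc_command "$1"
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp"/*.in; do
    printf '%s: %s\n' "${f##*/}" "$(audit_rc_script "$f")"
done
rm -rf "$tmp"
```

A `handles-user` result only means the variable is mentioned, so such scripts still need a manual read.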
Comment 1 Nuno Teixeira freebsd_committer freebsd_triage 2023-01-30 08:27:35 UTC
Cannot start service blocky with rc.conf blocky_user="myuser".

cmd line:

user: `blocky -c ~/blocky-config.yml`:
---
(...)
[2023-01-30 08:23:16]  INFO server: Starting server
[2023-01-30 08:23:16]  INFO server: http server is up and running on addr/port 4000
[2023-01-30 08:23:16] ERROR server start failed: start udp listener failed: listen udp :53: bind: permission denied
---

superuser: `doas blocky -c ~/blocky-config.yml`:
---
[2023-01-30 08:24:56]  INFO server: Starting server
[2023-01-30 08:24:56]  INFO server: http server is up and running on addr/port 4000
[2023-01-30 08:24:56]  INFO server: TCP server is up and running on address :53
[2023-01-30 08:24:56]  INFO server: UDP server is up and running on address :53
---

Am I missing something?
Comment 2 Benjamin Spiegel 2023-01-30 15:17:37 UTC
By default, a regular user can't bind to ports below 1024.

Would you try again with one of the following? Either should work.

a. In blocky-config.yml, set `port: 5053` or another high-numbered port.

b. Load the mac_portacl kernel module and set sysctl values as follows so
   your user can bind to port 53:

    /boot/loader.conf:
    mac_portacl_load="YES"

    /etc/sysctl.conf:  
    # net.inet.ip.portrange.reservedlow=0   # same as default
    net.inet.ip.portrange.reservedhigh=0
    # security.mac.portacl.port_high=1023   # same as default
    # security.mac.portacl.suser_exempt=1   # same as default
    security.mac.portacl.rules=uid:<ID>:tcp:53,uid:<ID>:udp:53

Replacing <ID> with your user's UID.

(The BIND DNS docs have a nice article on this setup:
https://kb.isc.org/docs/aa-00621)

Thanks for taking a look!
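
Added example (not part of the original comment): a checker that predicts whether a non-root UID can bind a port under the settings from options (a) and (b) above. It assumes reservedlow=0, an enabled mac_portacl and uid rules only; UID 1001 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict whether a non-root UID may bind a port, given the
# sysctl values from option (b). Values are passed in as arguments so the
# logic can be checked without a FreeBSD host.

# rule_matches RULES UID PROTO PORT -> 0 if a uid rule permits the bind.
# RULES uses the format shown above: idtype:id:protocol:port, comma-separated.
# gid rules are skipped because group membership is not known here.
rule_matches() {
    old_ifs=$IFS; IFS=,
    for rule in $1; do
        IFS=$old_ifs
        [ "$rule" = "uid:$2:$3:$4" ] && return 0
    done
    IFS=$old_ifs
    return 1
}

# can_bind RESERVEDHIGH PORT_HIGH RULES UID PROTO PORT -> prints a verdict.
# Assumes reservedlow=0, portacl enabled and a non-root UID (suser_exempt
# only concerns root).
can_bind() {
    reservedhigh=$1 port_high=$2 rules=$3 uid=$4 proto=$5 port=$6
    if [ "$port" -le "$reservedhigh" ]; then
        echo "denied: port $port is inside the reserved range (0-$reservedhigh)"
    elif [ "$port" -gt "$port_high" ]; then
        echo "allowed: port $port is above portacl.port_high ($port_high)"
    elif rule_matches "$rules" "$uid" "$proto" "$port"; then
        echo "allowed: portacl rule uid:$uid:$proto:$port"
    else
        echo "denied: no portacl rule for uid:$uid:$proto:$port"
    fi
}

RULES="uid:1001:tcp:53,uid:1001:udp:53"     # constructed: <ID> = 1001
can_bind 1023 1023 "$RULES" 1001 udp 53     # reservedhigh left at default
can_bind 0    1023 "$RULES" 1001 udp 53     # option (b) fully applied
can_bind 0    1023 "$RULES" 1002 udp 53     # a UID with no rule
can_bind 1023 1023 ""       1001 udp 5053   # option (a): high port
```

On a FreeBSD host the first three arguments can be taken from `sysctl -n` for `net.inet.ip.portrange.reservedhigh`, `security.mac.portacl.port_high` and `security.mac.portacl.rules`.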
Comment 3 Nuno Teixeira freebsd_committer freebsd_triage 2023-01-30 15:41:37 UTC
(In reply to Benjamin Spiegel from comment #2)

I've tested with port 5053 (a.) and it works ok with service blocky and manual cmd line.

Ready to commit.

Just one question: should this config info a. and b. be included in the port message so users know how to properly config it?

Cheers
Comment 4 Benjamin Spiegel 2023-01-30 18:06:46 UTC
(In reply to Nuno Teixeira from comment #3)
Awesome! Good idea to add to the port message. I'm attaching another diff with my suggested update--let me know what you think. Or feel free to edit.
Comment 5 Benjamin Spiegel 2023-01-30 18:07:48 UTC
Created attachment 239817 [details]
Follow-up patch for pkg-message
Comment 6 Nuno Teixeira freebsd_committer freebsd_triage 2023-01-31 08:28:33 UTC
(In reply to Benjamin Spiegel from comment #4)

Thanks for the excellent message!
Comment 7 commit-hook freebsd_committer freebsd_triage 2023-01-31 08:52:31 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ffd87be94f2c60fb6c8d0434dd9225d7c73b1441

commit ffd87be94f2c60fb6c8d0434dd9225d7c73b1441
Author:     Benjamin Spiegel <bspiegel100@gmail.com>
AuthorDate: 2023-01-31 08:29:30 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2023-01-31 08:38:01 +0000

    dns/blocky: Support running daemon as non-root user

     Most rc.d scripts support a standard <service name>_user option in
     /etc/rc.conf to run the service as the specified user. The rc.d script
     for dns/blocky doesn't observe this setting. As a result, it's not
     possible to run as a user other than root (blocky documentation
     recommends using a non-privileged user).

     Instructions on how to run non-root user daemon have been added to
     pkg-message.

    PR:             269198
    MFH:            2023Q1 (security fixes)

 dns/blocky/Makefile             |  2 +-
 dns/blocky/files/blocky.in      | 36 +++++++++++++++++++++++++++---------
 dns/blocky/files/pkg-message.in | 15 +++++++++++++++
 3 files changed, 43 insertions(+), 10 deletions(-)
Comment 8 commit-hook freebsd_committer freebsd_triage 2023-01-31 08:53:32 UTC
A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e183bef6aa4787e2575e0cbe412ef742b8ca5eaf

commit e183bef6aa4787e2575e0cbe412ef742b8ca5eaf
Author:     Benjamin Spiegel <bspiegel100@gmail.com>
AuthorDate: 2023-01-31 08:29:30 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2023-01-31 08:41:02 +0000

    dns/blocky: Support running daemon as non-root user

     Most rc.d scripts support a standard <service name>_user option in
     /etc/rc.conf to run the service as the specified user. The rc.d script
     for dns/blocky doesn't observe this setting. As a result, it's not
     possible to run as a user other than root (blocky documentation
     recommends using a non-privileged user).

     Instructions on how to run non-root user daemon have been added to
     pkg-message.

    PR:             269198
    MFH:            2023Q1 (security fixes)
    (cherry picked from commit ffd87be94f2c60fb6c8d0434dd9225d7c73b1441)

 dns/blocky/Makefile             |  2 +-
 dns/blocky/files/blocky.in      | 36 +++++++++++++++++++++++++++---------
 dns/blocky/files/pkg-message.in | 15 +++++++++++++++
 3 files changed, 43 insertions(+), 10 deletions(-)
Comment 9 Nuno Teixeira freebsd_committer freebsd_triage 2023-01-31 09:16:19 UTC
Committed, thank you!