| Field | Value |
|---|---|
| Summary | dns/blocky: running daemon as non-root user is not supported |
| Product | Ports & Packages |
| Reporter | Benjamin Spiegel <bspiegel100> |
| Component | Individual Port(s) |
| Assignee | Nuno Teixeira <eduardo> |
| Status | Closed FIXED |
| Severity | Affects Some People |
| Flags | bugzilla: maintainer-feedback? (eduardo); eduardo: merge-quarterly+ |
| Priority | --- |
| Version | Latest |
| Hardware | amd64 |
| OS | Any |
Created attachment 239759 [details]
Patch with improved rc.d script

Most rc.d scripts support a standard <service name>_user option in /etc/rc.conf to run the service as the specified user. The rc.d script for dns/blocky doesn't observe this setting. As a result, it's not possible to run as a user other than root (blocky documentation recommends using a non-privileged user). Please see the attached patch for an updated rc script that supports this option. Thanks for considering!

Steps to Reproduce:
Install dns/blocky, add the following to /etc/rc.conf and run `service blocky start`.

blocky_user="<any user other than root>"
blocky_enable="YES"

Actual Behavior:
The blocky daemon runs as root regardless of what's in /etc/rc.conf. Tested on 14.0-CURRENT and 13.1-RELEASE with blocky version 0.20_2 (from ports) and 0.20_1 (package).

Expected Behavior:
The blocky daemon should run as the specified user.

Proposed Solution:
The current rc.d script overrides the built-in start_cmd function (which checks for standard options like <name>_user and <name>_chroot). The replacement function doesn't check these options. The patch instead defines the command in the $command and $command_args vars, adds handling for file permissions to support non-root users, and does a few minor touch-ups.

Cannot start service blocky with rc.conf blocky_user="myuser".

cmd line:

user: `blocky -c ~/blocky-config.yml`:
---
(...)
[2023-01-30 08:23:16] INFO server: Starting server
[2023-01-30 08:23:16] INFO server: http server is up and running on addr/port 4000
[2023-01-30 08:23:16] ERROR server start failed: start udp listener failed: listen udp :53: bind: permission denied
---

superuser: `doas blocky -c ~/blocky-config.yml`:
---
[2023-01-30 08:24:56] INFO server: Starting server
[2023-01-30 08:24:56] INFO server: http server is up and running on addr/port 4000
[2023-01-30 08:24:56] INFO server: TCP server is up and running on address :53
[2023-01-30 08:24:56] INFO server: UDP server is up and running on address :53
---

Am I missing something?

By default, a regular user can't bind to ports below 1024. Would you try again with one of the following? Either should work.

a. In blocky-config.yml, set `port: 5053` or another high-numbered port.

b. Load the mac_portacl kernel module and set sysctl values as follows so your user can bind to port 53:

/boot/loader.conf:
mac_portacl_load="YES"

/etc/sysctl.conf:
# net.inet.ip.portrange.reservedlow=0    # same as default
net.inet.ip.portrange.reservedhigh=0
# security.mac.portacl.port_high=1023    # same as default
# security.mac.portacl.suser_exempt=1    # same as default
security.mac.portacl.rules=uid:<ID>:tcp:53,uid:<ID>:udp:53

Replacing <ID> with your user's UID. (The BIND DNS docs have a nice article on this setup: https://kb.isc.org/docs/aa-00621)

Thanks for taking a look!

(In reply to Benjamin Spiegel from comment #2)
I've tested with port 5053 (a.) and it works ok with `service blocky` and the manual cmd line. Ready to commit.

Just one question: should this config info (a. and b.) be included in the port message so users know how to properly configure it?

Cheers

(In reply to Nuno Teixeira from comment #3)
Awesome! Good idea to add it to the port message. I'm attaching another diff with my suggested update; let me know what you think. Or feel free to edit.

Created attachment 239817 [details]
Follow-up patch for pkg-message

(In reply to Benjamin Spiegel from comment #4)
Thanks for the excellent message!

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ffd87be94f2c60fb6c8d0434dd9225d7c73b1441

commit ffd87be94f2c60fb6c8d0434dd9225d7c73b1441
Author:     Benjamin Spiegel <bspiegel100@gmail.com>
AuthorDate: 2023-01-31 08:29:30 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2023-01-31 08:38:01 +0000

    dns/blocky: Support running daemon as non-root user

    Most rc.d scripts support a standard <service name>_user option in
    /etc/rc.conf to run the service as the specified user. The rc.d script
    for dns/blocky doesn't observe this setting. As a result, it's not
    possible to run as a user other than root (blocky documentation
    recommends using a non-privileged user).

    Instructions on how to run the daemon as a non-root user have been
    added to pkg-message.

    PR:  269198
    MFH: 2023Q1 (security fixes)

 dns/blocky/Makefile             |  2 +-
 dns/blocky/files/blocky.in      | 36 +++++++++++++++++++++++++++---------
 dns/blocky/files/pkg-message.in | 15 +++++++++++++++
 3 files changed, 43 insertions(+), 10 deletions(-)

A commit in branch 2023Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e183bef6aa4787e2575e0cbe412ef742b8ca5eaf

commit e183bef6aa4787e2575e0cbe412ef742b8ca5eaf
Author:     Benjamin Spiegel <bspiegel100@gmail.com>
AuthorDate: 2023-01-31 08:29:30 +0000
Commit:     Nuno Teixeira <eduardo@FreeBSD.org>
CommitDate: 2023-01-31 08:41:02 +0000

    dns/blocky: Support running daemon as non-root user

    Most rc.d scripts support a standard <service name>_user option in
    /etc/rc.conf to run the service as the specified user. The rc.d script
    for dns/blocky doesn't observe this setting. As a result, it's not
    possible to run as a user other than root (blocky documentation
    recommends using a non-privileged user).

    Instructions on how to run the daemon as a non-root user have been
    added to pkg-message.

    PR:  269198
    MFH: 2023Q1 (security fixes)

    (cherry picked from commit ffd87be94f2c60fb6c8d0434dd9225d7c73b1441)

 dns/blocky/Makefile             |  2 +-
 dns/blocky/files/blocky.in      | 36 +++++++++++++++++++++++++++---------
 dns/blocky/files/pkg-message.in | 15 +++++++++++++++
 3 files changed, 43 insertions(+), 10 deletions(-)

Committed, thank you!
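A post-install check for the fix discussed in this PR, added here as an example and not part of the PR, the port or blocky itself: a POSIX sh function that reads a `sockstat -4l`-style listing and confirms that every socket bound to the DNS port belongs to the configured blocky_user rather than root. Both listings are constructed samples, and the sockstat column layout (USER COMMAND PID FD PROTO LOCAL FOREIGN) is assumed.

```shell
#!/bin/sh
# Constructed sample of `sockstat -4l` output after the patched rc.d script
# started blocky with rc.conf blocky_user="blocky" (not real captured output).
SAMPLE_OK='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
blocky   blocky     1234  7  tcp4   *:53                  *:*
blocky   blocky     1234  8  udp4   *:53                  *:*
blocky   blocky     1234  9  tcp4   *:4000                *:*'

# Constructed sample for the pre-patch script, where blocky_user is ignored
# and the daemon keeps running as root.
SAMPLE_ROOT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     blocky     1234  7  tcp4   *:53                  *:*
root     blocky     1234  8  udp4   *:53                  *:*'

# listener_users LISTING PORT: print the distinct users owning a socket whose
# local address ends in ":PORT". Field 6 is the local address; line 1 is the header.
listener_users() {
    printf '%s\n' "$1" | awk -v port="$2" '
        NR > 1 && $6 ~ (":" port "$") { users[$1] = 1 }
        END { for (u in users) print u }' | sort
}

# check_daemon_user LISTING USER PORT: return 0 when every socket bound to
# PORT belongs to USER, 1 when some other account (e.g. root) owns one, and
# 2 when nothing listens on PORT at all (service not started, or wrong port).
check_daemon_user() {
    users=$(listener_users "$1" "$3")
    [ -n "$users" ] || { echo "nothing listening on port $3"; return 2; }
    for u in $users; do
        if [ "$u" != "$2" ]; then
            echo "port $3 is owned by $u, expected $2"
            return 1
        fi
    done
    echo "port $3 listeners all run as $2"
    return 0
}

# Run the check against both constructed listings.
check_daemon_user "$SAMPLE_OK" blocky 53
check_daemon_user "$SAMPLE_ROOT" blocky 53 || :
```

On a real host, feed it `"$(sockstat -4l)"` and the port from blocky-config.yml (53, or 5053 if option a. from the thread was used).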