Bug 1819684
| Summary: | dnsmasq does not honour sysusers.d override during installation | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Didier <d.bz-redhat> | |
| Component: | dnsmasq | Assignee: | Tomas Korbar <tkorbar> | |
| Status: | CLOSED ERRATA | QA Contact: | Petr Sklenar <psklenar> | |
| Severity: | high | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 8.1 | CC: | pemensik, psklenar, tkorbar | |
| Target Milestone: | rc | Keywords: | AutoVerified, Patch, TestCaseProvided, Triaged | |
| Target Release: | 8.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | dnsmasq-2.79-14.el8 | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2099232 (view as bug list) | Environment: | ||
| Last Closed: | 2021-05-18 15:38:16 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1771008, 1894575, 2099232 | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (dnsmasq bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1800 |
Description of problem: dnsmasq installation relies on systemd-sysusers to create the dnsmasq user & group. The dnsmasq installation does not honour the /etc/sysusers.d/dnsmasq.conf override, which is documented in "man sysusers.d". Version-Release number of selected component (if applicable): dnsmasq-2.79-6.el8.x86_64 systemd-239-18.el8_1.1.x86_64 How reproducible: always Steps to Reproduce: 1. create /etc/sysusers.d/dnsmasq.conf 2. dnf install dnsmasq Actual results: dnsmasq ignores the configuration as defined in /etc/sysusers.d/dnsmasq.conf Expected results: dnsmasq should honor the configuration in /etc/sysusers.d/dnsmasq.conf Additional info: We are running EL for the past 20 years, and have user account UID/GID's starting from 500 and upwards (as was the default in EL<7). Starting from EL7, lowest UID/GID for system packages has been rebased from 500 to 1000 ; relocating our 500-999 UID/GID use account range is not an option. In EL7, to retain compatibility across our server & storage infra, we mitigated this by modifying the /etc/login.defs values. In EL8, packages are starting to apply systemd-based systemd-sysusers. Systemd does *NOT* respect /etc/login.defs, but relies on a hardcoded (repeat : hardcoded) UID/GID value (1000) as high bounderay for system packages. systemd-sysusers allows to define the UID/GID range via the sysusers.d mechanism ('man man sysusers.d'), providing an opportunity to prevent UID/GID collisions below the 1000 range. dnsmasq does not honour this mechanism, resulting in UID/GID collisions between system packages and existing user accounts, which presents a security risk, as users now can manipulate system packages. -> severity=[high] Possibly related to : bz#1792462