1326623 – dnsdist should not be run as root

Bug 1326623 - dnsdist should not be run as root

Summary: dnsdist should not be run as root

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	dnsdist
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Sander Hoentjen
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-04-13 08:40 UTC by Pieter Lexis
Modified:	2016-04-15 15:34 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-04-15 15:34:07 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Pieter Lexis 2016-04-13 08:40:40 UTC

Description of problem:
In it's current packaged form, dnsdist is run as root and does not drop privileges. Upstream, we have a PR that will make the packages provided by PowerDNS drop privileges to the 'dnsdist' user and group (https://github.com/PowerDNS/pdns/pull/3700). It is recommended that Fedora and EPEL do the same.

Comment 1 Sander Hoentjen 2016-04-13 20:49:08 UTC

Thanks for reminding me. You are definitely right, it is something we should really do. I won't get around to it this week I am afraid.

something to think about maybe is to add support for specifying the user/group in configure. make would then add -u and -g to dnsdistdist/dnsdist.service.in

This way we can all use the same upstream dnsdist.service

Comment 2 Ruben Kerkhof 2016-04-15 15:34:07 UTC

I took a stab at this. I agree with Sander that it would be nice to be able to specify the user/group from ./configure in the future.

Note You need to log in before you can comment on or make changes to this bug.