Description of problem: When dnsmasq.service is started, it starts a dnsmasq process, which runs as nobody! This is insecure and in direct contradiction to packaging guidelines [https://fedoraproject.org/wiki/Packaging:Guidelines#Users_and_Groups]. Version-Release number of selected component (if applicable): dnsmasq-2.78-2.fc27.x86_64 How reproducible: Deterministic.
OK, it's easy to fix. I can write a fix for it; can someone review it? dnsmasq.spec should be changed to create a new user for it, like mydns or apache do in their spec files. According to the dnsmasq manpage it accepts user/group arguments -> http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html -u, --user=<username> -g, --group=<groupname>. I think after we get this bug fixed, libvirt probably needs to be fixed too, including user/group in /var/lib/libvirt/dnsmasq/default.conf. Am I right?
Yes. Sounds good. I'm happy to review/test any patches.
Please take a look -> https://src.fedoraproject.org/rpms/dnsmasq/pull-request/1
*** Bug 1547932 has been marked as a duplicate of this bug. ***
Petr Menšík, I just figured out that the user creation needs to be in the pre section, otherwise: warning: user dnsmasq does not exist - using root. Standard dnsmasq (not the one used by libvirt) stores its lease file in -> %dir %attr(0755, dnsmasq, dnsmasq) %{_var}/lib/dnsmasq
I am going to perform this change -> https://github.com/systemd/systemd/blob/master/src/core/macros.systemd.in#L107 What do you think?
That file and some related changes in systemd-sysusers are only in systemd master, and are not available in Fedora yet. systemd-238 should be released soon and land in F28+, and then this will be available. Please don't make use of it yet.
dnsmasq-2.78-5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2f1f243787
dnsmasq-2.78-5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2f1f243787
Updating : dnsmasq-2.78-5.fc27.x86_64 23/52
warning: user dnsmasq does not exist - using root
warning: group dnsmasq does not exist - using root
Although user and group dnsmasq are created after the update.
https://src.fedoraproject.org/rpms/dnsmasq/pull-request/2
dnsmasq-2.78-4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-179bd72fd0
dnsmasq-2.78-4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-179bd72fd0
It's not fixed. 2.78-4 does not have user creation in preinstall script.
dnsmasq-2.78-6.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5cddb9c19c
dnsmasq-2.78-6.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5cddb9c19c
dnsmasq-2.78-5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
dnsmasq-2.78-6.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
This seems to have broken rpm-ostree builds at least with --unified-core, see: https://ci.centos.org/view/Atomic/job/fahc-treecompose/12899/console
23:56:12 Running pre scripts... 19 done
23:56:19 Running post scripts... error: While applying overrides for pkg dnsmasq: Could not find group 'dnsmasq' in group file
I bet that sysusers isn't doing anything if the system isn't booted via systemd.
https://github.com/systemd/systemd/pull/7631 is related if that's the case.
https://github.com/systemd/systemd/blob/master/doc/ENVIRONMENT.md#known-environment-variables is probably a better reference.
No, this just looks plain broken to me, and since systemd uses the anti-pattern of "2>&1 || : " the errors are masked. Look:
$ rpm -qp --scripts dnsmasq-2.79-3.fc28.x86_64.rpm
preinstall scriptlet (using /bin/sh):
#precreate users so that rpm can install files owned by that user
systemd-sysusers - <<SYSTEMD_INLINE_EOF >/dev/null 2>&1 || :
'u dnsmasq - "Dnsmasq DHCP and DNS server" /var/lib/dnsmasq'
SYSTEMD_INLINE_EOF
$
Notice the extra quotes.
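The check below is an added example, not part of the thread or of the dnsmasq or systemd packaging: it lints scriptlet text as printed by `rpm -qp --scripts` for the two problems described in the comment above, a malformed sysusers line and a masked failure. The function names are hypothetical, the lint assumes only the basic sysusers.d types u, g, m and r, and the sample scriptlets are constructed from the output quoted above.

```shell
#!/bin/sh
# Prints one finding per line; prints nothing for a clean scriptlet.
lint_sysusers_scriptlet() {
    awk '
        # Start of a here-document fed to systemd-sysusers.
        /systemd-sysusers/ && /<</ {
            tag = $0
            sub(/^.*<<-?[ \t]*/, "", tag)      # drop everything up to the delimiter
            sub(/[^A-Za-z0-9_].*$/, "", tag)   # keep only the delimiter word
            in_doc = 1
            # A failure is invisible when output is discarded and status forced to 0.
            if ($0 ~ /\|\|[ \t]*(:|true)[ \t]*$/ && $0 ~ /2>&1/)
                printf "line %d: errors masked (output discarded, exit status ignored)\n", NR
            next
        }
        in_doc && $0 == tag { in_doc = 0; next }
        in_doc && NF > 0 && $0 !~ /^#/ {
            # Assumption: only the basic sysusers.d types u, g, m, r are valid here.
            if ($1 !~ /^[ugmr]$/)
                printf "line %d: invalid sysusers type field: %s\n", NR, $1
        }
    '
}

# Constructed sample: the preinstall scriptlet quoted in the comment above.
broken_scriptlet() {
    cat <<'SAMPLE'
preinstall scriptlet (using /bin/sh):
#precreate users so that rpm can install files owned by that user
systemd-sysusers - <<SYSTEMD_INLINE_EOF >/dev/null 2>&1 || :
'u dnsmasq - "Dnsmasq DHCP and DNS server" /var/lib/dnsmasq'
SYSTEMD_INLINE_EOF
SAMPLE
}

# Constructed sample: the same scriptlet with the extra quotes removed.
fixed_scriptlet() {
    broken_scriptlet | sed "s/^'\(u .*\)'\$/\1/"
}

# Stand-alone run: show the findings for the broken scriptlet.
broken_scriptlet | lint_sysusers_scriptlet
```

On a real package, feed it `rpm -qp --scripts <package>.rpm` instead of the sample. The masking finding remains after the quoting fix, which is why a build-time check of this kind catches what the install-time output never shows.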
Oops, sorry for that. https://src.fedoraproject.org/rpms/dnsmasq/pull-request/3
This bug is assigned against f27. What all branches does this fix need to be ported to?
F27 and later. But there's no "porting", all releases are built from the same branch.
dnsmasq-2.79-5.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-04f258ff4b
dnsmasq-2.79-5.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-04f258ff4b
dnsmasq-2.79-5.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.