Bug 1548050 - dnsmasq starts dnsmasq which runs as nobody user
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: dnsmasq
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Petr Menšík
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1547932
Blocks: 1537262 1591969
Reported: 2018-02-22 15:28 UTC by Zbigniew Jędrzejewski-Szmek
Modified: 2018-07-31 18:04 UTC

Fixed In Version: dnsmasq-2.78-5.fc27 dnsmasq-2.78-6.fc27 dnsmasq-2.79-5.fc28
Last Closed: 2018-07-31 18:04:29 UTC


Description Zbigniew Jędrzejewski-Szmek 2018-02-22 15:28:35 UTC
Description of problem:
When dnsmasq.service is started, it starts a dnsmasq process, which runs as nobody! This is insecure and in direct contradiction to packaging guidelines [https://fedoraproject.org/wiki/Packaging:Guidelines#Users_and_Groups].

Version-Release number of selected component (if applicable):
dnsmasq-2.78-2.fc27.x86_64

How reproducible:
Deterministic.

Comment 1 Itamar Reis Peixoto 2018-02-22 16:01:44 UTC
OK, it's easy to fix. I can write a fix for it; can someone review it?


dnsmasq.spec should be changed to create a new user for it, like mydns or apache do in their spec files.

According to the dnsmasq manpage, it accepts user/group arguments ->

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

-u, --user=<username>
-g, --group=<groupname>


I think after we get this bug fixed, then libvirt probably needs to be fixed too, including user/group in /var/lib/libvirt/dnsmasq/default.conf. Am I right?

Comment 2 Zbigniew Jędrzejewski-Szmek 2018-02-22 16:10:15 UTC
Yes. Sounds good. I'm happy to review/test any patches.

Comment 3 Itamar Reis Peixoto 2018-02-22 16:33:19 UTC
please take a look ->

https://src.fedoraproject.org/rpms/dnsmasq/pull-request/1

Comment 4 Itamar Reis Peixoto 2018-02-23 02:50:55 UTC
*** Bug 1547932 has been marked as a duplicate of this bug. ***

Comment 5 Itamar Reis Peixoto 2018-02-23 14:51:05 UTC
Petr Menšík, 

I just figured out that the user creation needs to be in the pre section, otherwise

warning: user dnsmasq does not exist - using root

standard dnsmasq (not the one used by libvirt) stores its lease file in ->

%dir %attr(0755, dnsmasq, dnsmasq) %{_var}/lib/dnsmasq

Comment 6 Itamar Reis Peixoto 2018-02-23 16:35:46 UTC
I am going to perform this change -> 

https://github.com/systemd/systemd/blob/master/src/core/macros.systemd.in#L107

what do you think ?

Comment 7 Zbigniew Jędrzejewski-Szmek 2018-02-23 17:00:12 UTC
That file and some related changes in systemd-sysusers are only in systemd master, and are not available in Fedora yet. systemd-238 should be released soon and land in F28+, and then this will be available. Please don't make use of it yet.

Comment 8 Fedora Update System 2018-02-24 04:35:55 UTC
dnsmasq-2.78-5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-2f1f243787

Comment 9 Fedora Update System 2018-02-24 20:33:10 UTC
dnsmasq-2.78-5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-2f1f243787

Comment 10 Nerijus Baliūnas 2018-02-25 11:07:27 UTC
  Updating   : dnsmasq-2.78-5.fc27.x86_64                                                                        23/52 
warning: user dnsmasq does not exist - using root
warning: group dnsmasq does not exist - using root

Comment 11 Nerijus Baliūnas 2018-02-25 11:09:16 UTC
Although user and group dnsmasq are created after the update.

Comment 12 Zbigniew Jędrzejewski-Szmek 2018-02-25 11:52:18 UTC
https://src.fedoraproject.org/rpms/dnsmasq/pull-request/2

Comment 13 Fedora Update System 2018-02-25 16:27:39 UTC
dnsmasq-2.78-4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-179bd72fd0

Comment 14 Fedora Update System 2018-02-25 22:01:16 UTC
dnsmasq-2.78-4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-179bd72fd0

Comment 15 Nerijus Baliūnas 2018-02-25 22:56:15 UTC
It's not fixed. 2.78-4 does not have user creation in preinstall script.

Comment 16 Fedora Update System 2018-02-25 23:30:21 UTC
dnsmasq-2.78-6.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-5cddb9c19c

Comment 17 Fedora Update System 2018-02-26 17:31:55 UTC
dnsmasq-2.78-6.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-5cddb9c19c

Comment 18 Fedora Update System 2018-02-27 17:24:55 UTC
dnsmasq-2.78-5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2018-02-27 17:25:17 UTC
dnsmasq-2.78-6.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 20 Colin Walters 2018-07-26 00:21:08 UTC
This seems to have broken rpm-ostree builds at least with --unified-core, see:
https://ci.centos.org/view/Atomic/job/fahc-treecompose/12899/console

23:56:12 Running pre scripts... 19 done
23:56:19 Running post scripts... error: While applying overrides for pkg dnsmasq: Could not find group 'dnsmasq' in group file

I bet that sysusers isn't doing anything if the system isn't booted via systemd.

Comment 21 Colin Walters 2018-07-26 00:23:06 UTC
https://github.com/systemd/systemd/pull/7631 is related if that's the case.

Comment 22 Zbigniew Jędrzejewski-Szmek 2018-07-26 07:41:37 UTC
https://github.com/systemd/systemd/blob/master/doc/ENVIRONMENT.md#known-environment-variables is probably a better reference.

Comment 23 Colin Walters 2018-07-26 14:34:44 UTC
No, this just looks plain broken to me, and since systemd uses the anti-pattern of "2>&1 || :", the errors are masked:

Look:

$ rpm -qp --scripts dnsmasq-2.79-3.fc28.x86_64.rpm 
preinstall scriptlet (using /bin/sh):
#precreate users so that rpm can install files owned by that user

systemd-sysusers - <<SYSTEMD_INLINE_EOF >/dev/null 2>&1 || : 
'u dnsmasq - "Dnsmasq DHCP and DNS server" /var/lib/dnsmasq' 
SYSTEMD_INLINE_EOF
$ 

Notice the extra quotes.
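
Added illustration of the failure shown in comment 23 (not code from Fedora, systemd or any commenter): a shell lint that extracts the lines a scriptlet feeds to systemd-sysusers and rejects any that is not a sysusers.d entry, since the scriptlet itself discards the error. The function names and the "fixed" sample are constructed for this example, and an unquoted here-document delimiter is assumed.

```shell
# Added example: lint the sysusers.d lines that an RPM scriptlet feeds to
# systemd-sysusers through a here-document.

# Scriptlet as quoted in comment 23.
broken_scriptlet() {
cat <<'SAMPLE'
systemd-sysusers - <<SYSTEMD_INLINE_EOF >/dev/null 2>&1 || :
'u dnsmasq - "Dnsmasq DHCP and DNS server" /var/lib/dnsmasq'
SYSTEMD_INLINE_EOF
SAMPLE
}

# Constructed sample: the same line without the surrounding quotes.
fixed_scriptlet() {
cat <<'SAMPLE'
systemd-sysusers - <<SYSTEMD_INLINE_EOF >/dev/null 2>&1 || :
u dnsmasq - "Dnsmasq DHCP and DNS server" /var/lib/dnsmasq
SYSTEMD_INLINE_EOF
SAMPLE
}

# Reads scriptlet text on stdin, prints findings, and returns 1 if any line
# inside the here-document is not a valid sysusers.d entry.
check_sysusers_heredoc() {
    awk '
        !inside && /systemd-sysusers/ && /<</ {
            if ($0 ~ /\|\|[ \t]*:/)
                print "NOTE: exit status is discarded, failures will be silent"
            delim = $0
            sub(/.*<<-?[ \t]*/, "", delim)   # drop everything before the delimiter
            sub(/[ \t>|;&].*/, "", delim)    # drop redirections after it
            inside = 1; next
        }
        inside && $0 == delim { inside = 0; next }
        inside {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            # sysusers.d(5): each entry starts with a type (u, g, m or r)
            if (line !~ /^[ugmr][ \t]/) { print "INVALID: " line; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    '
}

if ! broken_scriptlet | check_sysusers_heredoc; then
    echo "scriptlet from comment 23 has a malformed sysusers line"
fi
```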

Comment 24 Zbigniew Jędrzejewski-Szmek 2018-07-26 17:12:40 UTC
Oops, sorry for that.
https://src.fedoraproject.org/rpms/dnsmasq/pull-request/3

Comment 25 Dusty Mabe 2018-07-26 17:23:57 UTC
This bug is assigned against f27. What all branches does this fix need to be ported to?

Comment 26 Zbigniew Jędrzejewski-Szmek 2018-07-26 21:56:23 UTC
F27 and later. But there's no "porting", all releases are built from the same branch.

Comment 27 Fedora Update System 2018-07-27 13:51:06 UTC
dnsmasq-2.79-5.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-04f258ff4b

Comment 28 Fedora Update System 2018-07-29 03:34:49 UTC
dnsmasq-2.79-5.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-04f258ff4b

Comment 29 Fedora Update System 2018-07-31 18:04:29 UTC
dnsmasq-2.79-5.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

