[OpenWrt-Devel] [PATCH/RFC] dnsmasq: run as dedicated UID/GID

John Crispin john at phrozen.org
Mon Apr 25 12:28:47 EDT 2016



On 22/04/2016 06:26, Daniel Golle wrote:
> Running dnsmasq in a dedicated user/group allows matching its outgoing
> traffic more easily using iptables' owner match.
> Add UID/GID to the package metadata and append the user/group
> parameters to the init script.
> 
> Signed-off-by: Daniel Golle <daniel at makrotopia.org>
> ---
>  package/network/services/dnsmasq/Makefile           | 1 +
>  package/network/services/dnsmasq/files/dnsmasq.init | 4 +++-
>  2 files changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
> index a5c3740..9a0f165 100644
> --- a/package/network/services/dnsmasq/Makefile
> +++ b/package/network/services/dnsmasq/Makefile
> @@ -34,6 +34,7 @@ define Package/dnsmasq/Default
>    CATEGORY:=Base system
>    TITLE:=DNS and DHCP server
>    URL:=http://www.thekelleys.org.uk/dnsmasq/
> +  USERID:=dnsmasq=65453:dnsmasq=65453

please use an id between 0-999. ideally check what debian uses.

	John

>  endef
>  
>  define Package/dnsmasq
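Review bot: The hardcoded UID/GID 65453 in the added USERID line sits outside the 0-999 range the maintainer asks for; pick a low fixed id in that range so the account is treated as a system account, and keep the name `dnsmasq` identical to the one the init script hardcodes in `--user=dnsmasq` / `--group=dnsmasq`, since the two are only linked by that string. It would also help to state in the commit message that the USERID metadata is what creates the account on the image, because the init script changes below depend on it existing.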
> diff --git a/package/network/services/dnsmasq/files/dnsmasq.init b/package/network/services/dnsmasq/files/dnsmasq.init
> index 61ded6a..83fcbb0 100644
> --- a/package/network/services/dnsmasq/files/dnsmasq.init
> +++ b/package/network/services/dnsmasq/files/dnsmasq.init
> @@ -218,6 +218,8 @@ dnsmasq() {
>  	mkdir -p /tmp/hosts /tmp/dnsmasq.d
>  	xappend "--addn-hosts=/tmp/hosts"
>  	xappend "--conf-dir=/tmp/dnsmasq.d"
> +	xappend "--user=dnsmasq"
> +	xappend "--group=dnsmasq"
>  
>  	echo >> $CONFIGFILE
>  
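Review bot: `--user=dnsmasq` and `--group=dnsmasq` are appended unconditionally, so on an image where the `dnsmasq` account is missing (for example an upgrade that kept an older /etc/passwd) dnsmasq will refuse to start rather than fall back to the previous behaviour; consider checking that the user resolves (e.g. via `getent`/`grep` on /etc/passwd) before appending, or documenting that the account is mandatory. Note also that the directories created by the `mkdir -p /tmp/hosts /tmp/dnsmasq.d` line just above stay root-owned; that is fine for the read-only `--addn-hosts` and `--conf-dir` uses shown here, but any file dnsmasq must write after dropping privileges needs the same ownership treatment the timestamp file gets in the next hunk.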
> @@ -589,7 +591,7 @@ start_service() {
>  
>  	if [ ! -f "$TIMESTAMPFILE" ]; then
>  		touch "$TIMESTAMPFILE"
> -		chown nobody.nogroup "$TIMESTAMPFILE"
> +		chown dnsmasq.dnsmasq "$TIMESTAMPFILE"
>  	fi
>  
>  	echo "# auto-generated config file from /etc/config/dhcp" > $CONFIGFILE
> 
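Review bot: The `chown dnsmasq.dnsmasq "$TIMESTAMPFILE"` only runs inside the `if [ ! -f "$TIMESTAMPFILE" ]` branch, so a timestamp file left over from a previous run (owned by `nobody.nogroup` per the removed line) keeps its old ownership after this upgrade and the now-unprivileged daemon may be unable to update it; move the `chown` out of the conditional so it is applied on every start, e.g. `touch "$TIMESTAMPFILE"; chown dnsmasq:dnsmasq "$TIMESTAMPFILE"`. Minor: prefer the `user:group` separator over `user.group`, which is the deprecated form.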
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel