Max Kirillov wrote:
Package: dnsmasq
Version: 2.45-1
Severity: important
If the setcap() call at startup fails (for example, under
OpenVZ), dnsmasq reports an error and does not start:
# /etc/init.d/dnsmasq start
Starting DNS forwarder and DHCP server: dnsmasq
dnsmasq: setting capabilities failed: Operation not permitted
failed (warning).
failed!
#
In strace the error is:
capset(0x19980330, 0, {CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW,
CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW, CAP_SETUID|CAP_NET_ADMIN|CAP_NET_RAW}) =
-1 EPERM (Operation not permitted)
I think it should only warn about the error and continue to
work. Different security solutions are quite popular and some
of them will not allow something that works on plain unix.
It's better to be tolerant of such failures.
I did not find how to fix it in configuration.
The capabilities are needed so that dnsmasq can function when it is not
running as root: the default behaviour is to drop root privileges once
dnsmasq has started up. The behaviour you advocate (warn, but continue)
used to be in place, but to work in this case dnsmasq has to continue to
run as root and this behaviour (run as root, even if configured to do
something else) was considered a security problem.
To fix the problem in your case, simply tell dnsmasq to run as root by
adding
user=root
to /etc/dnsmasq.conf
If you tell dnsmasq to do this it will not set capabilities and will
work fine.
Please let me know if this workaround fixes the problem so that I can
close this bug.
Cheers,
Simon.
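
The startup behaviour described in the reply above (leave root, keep only the needed capabilities, refuse to start if that fails), as an added example that is not dnsmasq's source and not part of either message. It uses the version-1 capset header to match the 0x19980330 in the strace output; the function names and the uid/gid 65534 are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>

/* The three capabilities named in the strace output quoted in the report. */
unsigned int wanted_caps(void)
{
    return (1u << CAP_SETUID) | (1u << CAP_NET_ADMIN) | (1u << CAP_NET_RAW);
}

/* Returns 0 only when the process has left root and holds CAP_NET_ADMIN and
   CAP_NET_RAW. On -1 the caller must exit rather than keep running as root. */
int drop_root_keep_caps(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_1, 0 };
    struct __user_cap_data_struct data;

    /* Group changes need full root, so they come first. */
    if (setgroups(0, NULL) == -1 || setgid(gid) == -1)
        return -1;
    /* Shrink to the wanted set. A container that withholds any of these
       capabilities makes this call fail with EPERM. */
    data.effective = data.permitted = data.inheritable = wanted_caps();
    if (syscall(SYS_capset, &hdr, &data) == -1)
        return -1;
    /* Keep the permitted set across the uid change, then leave root. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1 || setuid(uid) == -1)
        return -1;
    /* setuid() cleared the effective set: re-enable it, minus CAP_SETUID. */
    data.effective = data.permitted = wanted_caps() & ~(1u << CAP_SETUID);
    data.inheritable = 0;
    return syscall(SYS_capset, &hdr, &data) == -1 ? -1 : 0;
}

int main(void)
{
    if (drop_root_keep_caps(65534, 65534) == -1) { /* 65534: assumed "nobody" */
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1; /* fail closed: never continue as root by accident */
    }
    printf("now uid %d, root dropped, network capabilities kept\n", (int)getuid());
    return 0;
}
```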