.. SPDX-License-Identifier: GPL-3.0-or-later

Privileges and capabilities
===========================

The kresd daemon needs elevated privileges when it is configured to bind to
well-known ports (ports below 1024, such as 53 for DNS). There are several
ways to grant them, listed below from most to least restrictive.
Using capabilities
^^^^^^^^^^^^^^^^^^

The most secure and recommended way is to grant kresd the specific Linux
capabilities it needs and execute it as an unprivileged user, so that no
part of the process ever runs as root.

* ``CAP_NET_BIND_SERVICE`` is required to bind to well-known ports.
* ``CAP_SETPCAP``: when this capability is available, kresd drops any extra
  capabilities after the daemon successfully starts when running as
  a non-root user. Without it, whatever capabilities the process was started
  with stay in its effective set for its whole lifetime.
Running as non-privileged user
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Another possibility is to start the process as a privileged user and then
switch to a non-privileged user after binding to the network interfaces.

.. function:: user(name, [group])

   :param string name: user name
   :param string group: group name (optional)
   :return: boolean

   Drop privileges and start running as the given user (and group, if
   provided). The switch is one-way: once the process runs as an
   unprivileged user it cannot regain root, which is why the last call in
   the example output below fails.

   .. tip:: Bind to all required network addresses **before** changing the
      user, because binding to well-known ports is what needed the privileges
      in the first place. At the same time, open the cache **AFTER** you
      change the user, so that the cache files are created and owned by the
      unprivileged user and remain accessible to it. A good practice is to
      divide the configuration into two parts:

      .. code-block:: lua

         -- privileged
         net.listen('127.0.0.1')
         net.listen('::1')
         user('knot-resolver', 'netgrp')
         -- unprivileged
         cache.size = 100*MB

   Example output:

   .. code-block:: lua

      > user('baduser')
      invalid user name
      > user('knot-resolver', 'netgrp')
      true
      > user('root')
      Operation not permitted
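Whichever of the two approaches above is used, the end state that matters is the same: the daemon's effective UID is not 0 and its effective capability set contains nothing beyond what this page lists. The following shell script is an added example, not part of Knot Resolver, that checks this from ``/proc/<pid>/status``. The capability bit numbers come from ``<linux/capability.h>``; the ``setcap`` path ``/usr/sbin/kresd`` and the two sample status texts are assumptions constructed for the example, not captured from a real kresd.

```shell
# Added example (not Knot Resolver code): verify that a running daemon ended
# up unprivileged with only the capabilities this page names.
# Bit numbers from <linux/capability.h>.
CAP_SETPCAP_BIT=8
CAP_NET_BIND_SERVICE_BIT=10

# How the capabilities are typically granted (both lines are real syntax;
# the binary path is an assumption):
#   setcap 'cap_net_bind_service,cap_setpcap=+ep' /usr/sbin/kresd
# or, in a systemd unit running with User=knot-resolver:
#   AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETPCAP

# Print the names of the expected capabilities set in a hex CapEff/CapPrm
# mask, space-separated; any bit outside those two is reported as OTHER.
decode_caps() {
    val=$((0x$1))
    out=""
    if [ $(( (val >> CAP_SETPCAP_BIT) & 1 )) -eq 1 ]; then
        out="${out}CAP_SETPCAP "
    fi
    if [ $(( (val >> CAP_NET_BIND_SERVICE_BIT) & 1 )) -eq 1 ]; then
        out="${out}CAP_NET_BIND_SERVICE "
    fi
    expected=$(( (1 << CAP_SETPCAP_BIT) | (1 << CAP_NET_BIND_SERVICE_BIT) ))
    if [ $(( val & ~expected )) -ne 0 ]; then
        out="${out}OTHER "
    fi
    printf '%s\n' "${out% }"
}

# Read /proc/<pid>/status text on stdin. Succeed only if the effective UID
# (third field of the Uid line) is not root and CapEff holds no capability
# beyond CAP_NET_BIND_SERVICE and CAP_SETPCAP.
check_unprivileged() {
    text="$(cat)"
    euid="$(printf '%s\n' "$text" | awk '$1 == "Uid:" { print $3; exit }')"
    caps="$(printf '%s\n' "$text" | awk '$1 == "CapEff:" { print $2; exit }')"
    [ -n "$euid" ] && [ -n "$caps" ] || return 1
    [ "$euid" != "0" ] || return 1
    case "$(decode_caps "$caps")" in
        *OTHER*) return 1 ;;
    esac
    return 0
}

# Constructed samples (not real kresd output): a daemon that switched to
# UID 995 and kept only CAP_NET_BIND_SERVICE, and one still running as root
# with the full capability set.
sample_status_good() {
    printf 'Name:\tkresd\nUid:\t995\t995\t995\t995\nGid:\t995\t995\t995\t995\nCapEff:\t0000000000000400\n'
}
sample_status_root() {
    printf 'Name:\tkresd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n'
}

# Stand-alone demonstration on the constructed samples. Against a live
# daemon, run:  check_unprivileged < /proc/$(pidof kresd)/status
if sample_status_good | check_unprivileged; then
    echo "good sample: unprivileged, caps: $(decode_caps 0000000000000400)"
fi
if ! sample_status_root | check_unprivileged; then
    echo "root sample: rejected, caps: $(decode_caps 000001ffffffffff)"
fi
```

The check deliberately accepts an empty effective set as well as ``CAP_NET_BIND_SERVICE`` alone, because the page only promises that kresd drops the *extra* capabilities; what it fails on is the two conditions that matter, a root UID or any capability outside the two documented ones.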
Running as root
^^^^^^^^^^^^^^^

.. warning:: Executing processes as root is generally insecure, as such
   processes have unconstrained access to the complete system at runtime:
   any bug in the resolver that is reachable from the network is then a bug
   running with full privileges.

While not recommended, it is also possible to run kresd directly as root.