Topic: dnscrypt-proxy: listen udp 127.0.0.1:53: bind: permission denied_

dnscrypt-proxy: listen udp 127.0.0.1:53: bind: permission denied_

So apparently if one tries to start the dnscrypt-proxy program as the dnscrypt user and group, it gets a "listen udp 127.0.0.1:53: bind: permission denied_" error.

I then tested my hypothesis by deleting the following line in the dnscrypt-proxy service file:
Quote
command_user="${DNSCRYPT_PROXY_USER:-dnscrypt}:${DNSCRYPT_PROXY_GROUP:-dnscrypt}"

I then started the dnscrypt-proxy program and it ran fine as the root user and group; however, I would like it to run as the dnscrypt user and group on the principle of least privilege.

What should I try in order to fix this "permission denied" error when running the dnscrypt-proxy program as the dnscrypt user and group?

Re: dnscrypt-proxy: listen udp 127.0.0.1:53: bind: permission denied_

Reply #1
The following is the entire content of the dnscrypt-proxy service file:
Code:
#!/usr/bin/openrc-run
# Copyright 1999-2019 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2

supervisor=supervise-daemon
command="/usr/bin/dnscrypt-proxy"
command_args="${DNSCRYPT_PROXY_OPTS:--config /etc/dnscrypt-proxy/dnscrypt-proxy.toml}"
command_user="${DNSCRYPT_PROXY_USER:-dnscrypt}:${DNSCRYPT_PROXY_GROUP:-dnscrypt}"

depend() {
	use logger net
	provide dns
}

start_pre() {
	checkpath -q -d -m 0775 -o "${command_user}" /var/cache/"${RC_SVCNAME}"
	checkpath -q -d -m 0775 -o "${command_user}" /var/log/"${RC_SVCNAME}"
}

Re: dnscrypt-proxy: listen udp 127.0.0.1:53: bind: permission denied_

Reply #2
I managed to partially solve the problem.

The dnscrypt-proxy config file (dnscrypt-proxy.toml) has the following option:
Code:
## Switch to a different system user after listening sockets have been created.
## Note (1): this feature is currently unsupported on Windows.
## Note (2): this feature is not compatible with systemd socket activation.
## Note (3): when using -pidfile, the PID file directory must be writable by the new user

# user_name = 'nobody'

Enabling it caused the dnscrypt-proxy program to run as the nobody user and group.

However, the main issue still persists: other people like me will get a "permission denied" error if they try to run the dnscrypt-proxy service with no modifications.

Re: dnscrypt-proxy: listen udp 127.0.0.1:53: bind: permission denied_

Reply #3
I tried having dnscrypt-proxy up and running on my runit system, but it's next to impossible. From what I read, it can't open ports because dnscrypt tries to do that as a user and polkit doesn't allow that unless you're root. You might have a chance by using something like firewalld, which allows users to open ports, but properly using firewalld is a challenge on its own. Anyway, I don't think dnscrypt-proxy is reliable software even on Ubuntu. It's simply badware trying to do so many things and ends up doing everything poorly, if at all.

Re: dnscrypt-proxy: listen udp 127.0.0.1:53: bind: permission denied_

Reply #4
>It's simply badware trying to do so many things and ends doing everything just poor if at all.

It's not; it does its job, and from what you described, that sounds like polkit's fault, not dnscrypt-proxy's.

Re: dnscrypt-proxy: listen udp 127.0.0.1:53: bind: permission denied_

Reply #5
> However the main issue still persists in that other people like me will get a "permission denied" error if they try to run the dnscrypt-proxy service with no modifications.

If it works, it means this topic should be marked as solved, but from your post you said there's still a problem. If you managed to fix it 100%, it would be cool if you could share the trick. I personally think it has deep systemd-only requirements, so you can't really make it work 100%.

I managed to make it work, meaning it encrypted my DNS queries, but the method I used was so twisted that I preferred to dump the idea of having dnscrypt altogether. The 'fix' in my case was connecting to the internet as root with the help of dhclient; otherwise it wouldn't have worked.


Re: dnscrypt-proxy: listen udp 127.0.0.1:53: bind: permission denied_

Reply #6
Another thing I've noticed is dnscrypt-proxy giving me permission denied errors for /var/cache/dnscrypt-proxy. I will post a fix here if I find it.

Re: dnscrypt-proxy: listen udp 127.0.0.1:53: bind: permission denied_

Reply #7
So the fix is to first allow dnscrypt-proxy to run as root so it can create its necessary files in /var/cache/dnscrypt-proxy, let it run for some time so it can collect the information about the nameservers, and only stop it once it reaches "dnscrypt-proxy is ready - live servers: xx".

Then change the permission of the entire /var/cache/dnscrypt-proxy directory to the user and group that dnscrypt-proxy will drop privileges to with the command chown -R user:group /var/cache/dnscrypt-proxy.

Then activate the above-mentioned option, and now dnscrypt-proxy should run without giving "permission denied" errors for /var/cache/dnscrypt-proxy.
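The user_name option quoted in Reply #2 works because the daemon creates its listening sockets while it is still root and only then switches identity; the chown in Reply #7 is needed because whatever the process drops to must still be able to write the cache directory. The script below is an added example of that bind-then-drop sequence, written here to illustrate the thread (it is not dnscrypt-proxy's own code, which is Go; the "listen udp 127.0.0.1:53: bind: permission denied" wording in the topic title is Go's rendering of EACCES from bind()). The user name "dnscrypt" and the path /var/cache/dnscrypt-proxy come from the thread; the post-drop writability check is an addition so that the Reply #6 error surfaces before any query is served.

```python
"""Bind a UDP socket first, then drop root: the pattern behind the
dnscrypt-proxy.toml ``user_name`` option quoted in this thread.

Added example, not dnscrypt-proxy's own code.  Ports below 1024 need
CAP_NET_BIND_SERVICE, so the socket is created while still privileged and
the process switches to an unprivileged user only afterwards.  Paths in
``writable_paths`` (the cache directory from Reply #7) are checked *after*
the switch, because a directory still owned by root is exactly the
"permission denied" Reply #6 describes.
"""
import os
import pwd
import socket


def bind_udp(host, port):
    """Create and bind the listening socket while we still hold privileges."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    # Without CAP_NET_BIND_SERVICE this raises PermissionError (EACCES)
    # for any port below 1024; that is the error in the topic title.
    sock.bind((host, port))
    return sock


def drop_privileges(user):
    """Switch to ``user`` irrevocably: supplementary groups, then gid, then uid.

    Order matters: calling setuid() first would leave us unable to setgid().
    Returns the (uid, gid) now in effect.
    """
    pw = pwd.getpwnam(user)
    os.initgroups(user, pw.pw_gid)   # replace root's supplementary groups
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # Verify the drop is permanent: regaining uid 0 must fail.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privileges could be regained; refusing to continue")
    return os.getuid(), os.getgid()


def unwritable_paths(paths):
    """Return the paths the *current* (post-drop) identity cannot write to."""
    return [p for p in paths if not os.access(p, os.W_OK)]


def start_listener(host, port, user=None, writable_paths=()):
    """Bind, drop to ``user`` (only when we actually are root), then check paths.

    Returns (socket, bound_port, effective_uid, paths_not_writable).  The
    caller owns the socket and must close it.
    """
    sock = bind_udp(host, port)
    if user is not None and os.geteuid() == 0:
        drop_privileges(user)
    bad = unwritable_paths(writable_paths)
    return sock, sock.getsockname()[1], os.geteuid(), list(bad)


if __name__ == "__main__":
    # Realistic invocation (needs root for port 53): the user name and cache
    # path are the ones used in the thread, not values verified here.
    s, bound, uid, bad = start_listener(
        "127.0.0.1", 53, user="dnscrypt",
        writable_paths=["/var/cache/dnscrypt-proxy"])
    print(f"listening on udp/{bound} as uid {uid}; not writable: {bad}")
    s.close()
```

The OpenRC `command_user` line from Reply #1 fails for the opposite reason: supervise-daemon switches identity before exec, so by the time the daemon calls bind() it has already lost the right to use port 53.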

Re: dnscrypt-proxy: listen udp 127.0.0.1:53: bind: permission denied_

Reply #8
> So apparently if one tries to start the dnscrypt-proxy program as the dnscrypt user and group, it gets a "listen udp 127.0.0.1:53: bind: permission denied_" error.
>
> I then tested my hypothesis by deleting the following line in the dnscrypt-proxy service file:
> command_user="${DNSCRYPT_PROXY_USER:-dnscrypt}:${DNSCRYPT_PROXY_GROUP:-dnscrypt}"
>
> I then started the dnscrypt-proxy program and it ran fine as the root user and group; however, I would like it to run as the dnscrypt user and group on the principle of least privilege.
>
> What should I try in order to fix this "permission denied" error when running the dnscrypt-proxy program as the dnscrypt user and group?

The following solution worked for me:
Code:
# setcap cap_net_bind_service=+ep /usr/bin/dnscrypt-proxy
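The setcap fix above stores the capability as an extended attribute on the binary, so it is lost whenever the file is replaced (a package upgrade reinstalls /usr/bin/dnscrypt-proxy without it) and the original bind error silently returns. The following POSIX shell script is an added example, not part of the thread or of the dnscrypt-proxy project: it checks with getcap(8) that cap_net_bind_service is still effective and permitted on the binary, and is suitable for running from a `start_pre()` hook or a post-upgrade check. The binary path is the one from the thread; the two getcap output formats it parses are the older `path = caps+flags` style and the newer `path caps=flags` style.

```sh
#!/bin/sh
# Added example (not from the thread or the dnscrypt-proxy project): verify
# that the setcap fix is still in place before starting the service.  File
# capabilities live in an xattr on the binary, so replacing the file drops
# them and "bind: permission denied" comes back on the next start.

BIN="${1:-/usr/bin/dnscrypt-proxy}"   # path used in the thread

# cap_has_net_bind LINE: succeed if a getcap(8) output line grants
# cap_net_bind_service with both the effective (e) and permitted (p) flags.
# Handles both output styles:
#   /usr/bin/dnscrypt-proxy = cap_net_bind_service+ep   (older libcap)
#   /usr/bin/dnscrypt-proxy cap_net_bind_service=ep     (newer libcap)
# getcap prints flags alphabetically, so 'e' precedes 'p' ("ep" or "eip");
# a bare "=p" (permitted but not effective) is rejected on purpose.
cap_has_net_bind() {
    printf '%s\n' "$1" | grep -Eq 'cap_net_bind_service[^ =+]*[=+]ei?p'
}

# binary_can_bind_low_ports PATH: 0 = capability present, 1 = missing,
# 2 = getcap not installed, 3 = binary not found.
binary_can_bind_low_ports() {
    [ -e "$1" ] || return 3
    command -v getcap >/dev/null 2>&1 || return 2
    out="$(getcap "$1" 2>/dev/null)"   # empty when no capabilities are set
    cap_has_net_bind "$out"
}

main() {
    binary_can_bind_low_ports "$BIN"
    case $? in
        0) echo "ok: $BIN may bind ports below 1024 without root" ;;
        1) echo "missing: as root run: setcap cap_net_bind_service=+ep $BIN"; return 1 ;;
        2) echo "getcap not installed; cannot verify $BIN"; return 2 ;;
        3) echo "no such file: $BIN"; return 3 ;;
    esac
}

main
```

Because the capability is granted to the file rather than to a user, anyone who can execute the binary can bind low ports through it; keep the executable owned by root and not writable by the service account so the grant cannot be carried over to a modified program.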