
dnsmasq dependency on dbus?

With the default dnsmasq s6 scripts, some boots result in an endless stream of

> Dec  8 19:27:22 [daemon|warning] dnsmasq[1129]: DBus error: Connection ":1.0" is not allowed to own the service "uk.org.thekelleys.dnsmasq" due to security policies in the configuration file

This doesn't stop until I restart dnsmasq. I'm thinking this has to do with dnsmasq being started with --enable-dbus?

> exec dnsmasq -k --enable-dbus -u dnsmasq -g dnsmasq

Doesn't that imply a dbus dependency? I did try to add a 'dependencies' (with dbus in it...) file under /etc/s6/sv/dnsmasq (and rebuilt the database), but it didn't seem to help. Not sure if the problem isn't that dnsmasq is being started before dbus, or if I didn't add the dependency correctly...

Re: dnsmasq dependency on dbus?

Reply #1
Someone noted this same behavior as well in this thread. A workaround for now is:

> 2. If running 'dnsmasq', you'll find hundreds of Dbus error messages in the console log. These can be eliminated by editing /usr/share/dbus-1/system.d/dnsmasq.conf to have an extra 'allow' policy for user 'dnsmasq' (don't delete the 'root' one).

Now as to whether or not dbus should be an explicit dependency on the dnsmasq server. If I'm interpreting the man page correctly, I think the answer is "no" here. Like Arch, Artix builds dnsmasq with dbus support and launches it with --enable-dbus by default, but that option doesn't require the use of dbus. It just uses dbus if the daemon can be found on the system.

The default dnsmasq conf should be changed though. I believe running the service as the dnsmasq user/group is correct and makes sense. Therefore, the default configuration should reflect this to avoid spamming a bunch of errors. I need to double check how the other inits handle this. They might use some conf settings within the init script itself or something.

Re: dnsmasq dependency on dbus?

Reply #2
Ah, I somehow missed that while reading through the other threads here. Sorry about that.

I checked an OpenRC-based Artix installation, and dnsmasq runs as the dnsmasq user/group, so that shouldn't be changed. I didn't see a direct, explicit dependency on dbus, but perhaps there's an implicit one. I didn't see any other command line options either.

Perhaps dnsmasq is the wrong place to look? Maybe dbus is where the problem is?

Re: dnsmasq dependency on dbus?

Reply #3
I checked runit and it doesn't give me that error when I enable the service (it connects nicely to dbus). This means that something in s6 is misconfigured/not-configured the same way. The "/usr/share/dbus-1/system.d/dnsmasq.conf" file doesn't set any policy users other than root by default, so it must be something else that grants permissions (not sure what).

Re: dnsmasq dependency on dbus?

Reply #4
> so it must be something else that grants permissions (not sure what).

Hi, Dudemanguy and everybody, I think any text editor is a great solution to this problem.

```
[tester@vm-test ~]$ cat /etc/passwd | grep dns
dnsmasq:x:979:979:dnsmasq daemon:/:/sbin/nologin
[tester@vm-test ~]$ cat /etc/group | grep dns
dnsmasq:x:979:
```

Look at my file:

```
[tester@vm-test ~]$ cat /usr/share/dbus-1/system.d/dnsmasq.conf
```

It just works on my runit machine:

```
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
        <policy user="root">
                <allow own="uk.org.thekelleys.dnsmasq"/>
                <allow send_destination="uk.org.thekelleys.dnsmasq"/>
        </policy>
        <policy user="dnsmasq">
                <allow own="uk.org.thekelleys.dnsmasq"/>
                <allow send_destination="uk.org.thekelleys.dnsmasq"/>
        </policy>
        <policy context="default">
                <deny own="uk.org.thekelleys.dnsmasq"/>
                <deny send_destination="uk.org.thekelleys.dnsmasq"/>
        </policy>
</busconfig>
```


Re: dnsmasq dependency on dbus?

Reply #5
Yes, editing that file does work as noted above. However on runit, you don't need to edit that file in order to get a working dbus connection. It works with the default below:
```
<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
        <policy user="root">
                <allow own="uk.org.thekelleys.dnsmasq"/>
                <allow send_destination="uk.org.thekelleys.dnsmasq"/>
        </policy>
        <policy context="default">
                <deny own="uk.org.thekelleys.dnsmasq"/>
                <deny send_destination="uk.org.thekelleys.dnsmasq"/>
        </policy>
</busconfig>
```

I haven't figured out why you don't need to edit the file just yet. Of course, I haven't tried openrc yet. Maybe that one has the same error message.

Re: dnsmasq dependency on dbus?

Reply #6
I remember having seen the dbus error on openrc some time in the past, although I don't remember what exactly I had edited to fix it. A quick Google search reveals the same reports from other distributions too, including Red Hat.

Re: dnsmasq dependency on dbus?

Reply #7
Hmm, interesting. I've been running three OpenRC-based installations (two of which now are s6...) and don't remember ever seeing it. The fact that it doesn't happen every time, with s6, is also weird.

In a way, it's strange that it works at all, given that the policy only allows "root", while we run dnsmasq with the dnsmasq user/group...

Re: dnsmasq dependency on dbus?

Reply #8
Dudemanguy
OK, here is the log on my runit machine after reboot with the default /usr/share/dbus-1/system.d/dnsmasq.conf:

```
[tester@vm-test ~]$ tail -f /var/log/socklog/daemon/current
daemon.warn: Dec 10 22:20:09 dnsmasq[1065]: DBus error: Connection ":1.1" is not allowed to own the service "uk.org.thekelleys.dnsmasq" due to security policies in the configuration file
daemon.warn: Dec 10 22:20:09 dnsmasq[1065]: DBus error: Connection ":1.1" is not allowed to own the service "uk.org.thekelleys.dnsmasq" due to security policies in the configuration file
daemon.warn: Dec 10 22:20:09 dnsmasq[1065]: DBus error: Connection ":1.1" is not allowed to own the service "uk.org.thekelleys.dnsmasq" due to security policies in the configuration file
daemon.warn: Dec 10 22:20:10 dnsmasq[1065]: DBus error: Connection ":1.1" is not allowed to own the service "uk.org.thekelleys.dnsmasq" due to security policies in the configuration file
daemon.warn: Dec 10 22:20:10 dnsmasq[1065]: DBus error: Connection ":1.1" is not allowed to own the service "uk.org.thekelleys.dnsmasq" due to security policies in the configuration file
daemon.warn: Dec 10 22:20:10 dnsmasq[1065]: DBus error: Connection ":1.1" is not allowed to own the service "uk.org.thekelleys.dnsmasq" due to security policies in the configuration file
daemon.warn: Dec 10 22:20:10 dnsmasq[1065]: DBus error: Connection ":1.1" is not allowed to own the service "uk.org.thekelleys.dnsmasq" due to security policies in the configuration file
daemon.warn: Dec 10 22:20:11 dnsmasq[1065]: DBus error: Connection ":1.1" is not allowed to own the service "uk.org.thekelleys.dnsmasq" due to security policies in the configuration file
daemon.warn: Dec 10 22:20:11 dnsmasq[1065]: DBus error: Connection ":1.1" is not allowed to own the service "uk.org.thekelleys.dnsmasq" due to security policies in the configuration file
```

and so on ....

I don't understand why we are talking about runit, s6, OpenRC and what else? systemd? (oh, no). It's not a dependency problem at all. The user should change the default config /usr/share/dbus-1/system.d/dnsmasq.conf
sorry, English is not my native lang

Re: dnsmasq dependency on dbus?

Reply #9
A debian bug report says the policy should allow both root and dnsmasq:
> You should have a file /etc/dbus-1/system.d/dnsmasq.conf which
> configures the system dbus-daemon to allow either root or dnsmasq to own
> the name uk.org.thekelleys.dnsmasq; it's part of dnsmasq-base.
> Please reinstall dnsmasq-base if necessary.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773001#15

Re: dnsmasq dependency on dbus?

Reply #10
Finally, if I read the default systemd script from the dnsmasq package correctly, it is run as root:root there.

Re: dnsmasq dependency on dbus?

Reply #11
> Dudemanguy
> OK, here is the log on my runit machine after reboot with the default /usr/share/dbus-1/system.d/dnsmasq.conf:

Well that settles it in my mind then. I don't know why I'm not able to see those errors, but maybe my logging is not configured correctly in runit (wouldn't be the first time).

> I don't understand why we are talking about runit, s6, OpenRC and what else? systemd? (oh, no).

Apparently this error isn't always seen (only sometimes) which made me wonder if I just was doing something wrong in s6. It's probably safe to assume that all init systems have this error even if logs don't always catch it for some reason.

> Finally, if I read the default systemd script from the dnsmasq package correctly, it is run as root:root there.

Arch runs it as dnsmasq:dnsmasq. I'll go with that. It seems like a dnsmasq 2.80-5 package needs to be made here.

Re: dnsmasq dependency on dbus?

Reply #12
I looked at the dnsmasq sources to try to find out why it works sometimes at boot, and/or with other init systems, and always when I manually restart it on an already booted system.

And it soon became obvious. When initially started, it runs as root:root. As part of its initialization, it drops privileges to the dnsmasq user.

But before that, it does its first dbus connection attempt. At this point we're still root and the default policy works. If this works, we're all good. No log spamming.

If it fails (because dbus either hasn't started, or just started but isn't accepting connections yet), it will retry later. But, when it does, it will have dropped the root privileges. And now the default policy prevents the connection. This is where it starts spamming the log, because it will keep retrying over and over again.

So in a way, this is a dependency problem. Or a configuration issue. It depends on where you're coming from I guess. It can also be seen as a bug in dnsmasq.

S6 has no way of knowing when dbus is ready; as soon as the process has been started, it considers the service ready. This explains why adding a dbus dependency to dnsmasq didn't work.
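
The policy behaviour behind this, as an added example (not part of the original post, and not dnsmasq or dbus code): a simplified evaluator for `own` rules, run on the two policy files quoted earlier in the thread. It reads one file only, the deny-by-default starting point is an assumption about the stock system.conf, and the function names are made up for the illustration.

```python
import xml.etree.ElementTree as ET

BUS_NAME = "uk.org.thekelleys.dnsmasq"

# Default policy as quoted in the thread (DOCTYPE left out).
DEFAULT_POLICY = """<busconfig>
  <policy user="root">
    <allow own="uk.org.thekelleys.dnsmasq"/>
    <allow send_destination="uk.org.thekelleys.dnsmasq"/>
  </policy>
  <policy context="default">
    <deny own="uk.org.thekelleys.dnsmasq"/>
    <deny send_destination="uk.org.thekelleys.dnsmasq"/>
  </policy>
</busconfig>"""

# Edited policy from the thread: the same rules repeated for user "dnsmasq".
PATCHED_POLICY = DEFAULT_POLICY.replace(
    "</policy>",
    '</policy>\n  <policy user="dnsmasq">\n'
    '    <allow own="uk.org.thekelleys.dnsmasq"/>\n'
    '    <allow send_destination="uk.org.thekelleys.dnsmasq"/>\n'
    "  </policy>", 1)


def may_own(policy_xml, user, groups=(), name=BUS_NAME):
    """True if `user` may own `name` according to this one policy file."""
    root = ET.fromstring(policy_xml)
    # dbus-daemon applies policies in this order whatever their position in
    # the file: default, group, user, mandatory. The last matching rule wins.
    stages = [("context", {"default"}), ("group", set(groups)),
              ("user", {user}), ("context", {"mandatory"})]
    allowed = False  # assumption: stock system.conf denies ownership by default
    for attr, wanted in stages:
        for policy in root.iter("policy"):
            if policy.get(attr) not in wanted:
                continue
            for rule in policy:
                if rule.tag in ("allow", "deny") and rule.get("own") in (name, "*"):
                    allowed = rule.tag == "allow"
    return allowed


def connection_attempts(policy_xml, run_as="dnsmasq"):
    """Outcome of the name request before and after the privilege drop."""
    return {"first attempt (root)": may_own(policy_xml, "root"),
            f"retry ({run_as})": may_own(policy_xml, run_as)}
```

Passing the contents of /usr/share/dbus-1/system.d/dnsmasq.conf to `connection_attempts` shows whether a retry after the privilege drop can succeed on a given system.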

Re: dnsmasq dependency on dbus?

Reply #13
So wait, you're telling me that dbus doesn't accept connections immediately upon starting the daemon? Yikes, this sounds like bad dbus design to me actually. :P

Thanks for investigating this. I think just having dnsmasq be a part of the configuration by default is the best and cleanest way to solve this. I don't think anybody wants to add "sleep 1" hacks into the init scripts. That brings back all the crappy things about sysvinit. I've pushed dnsmasq-2.80-5 to testing right now (which comes with dnsmasq as a valid user in the default configuration). I'll move it to the world repo later.

 

Re: dnsmasq dependency on dbus?

Reply #14
> So wait, you're telling me that dbus doesn't accept connections immediately upon starting the daemon?

From a human perspective it does. But it has to execute X number of instructions to get there. This creates a small window where the process is running but the service hasn't fully started up. More or less all services have this problem.

So, it's a race; sometimes dnsmasq is started and tries to connect to dbus before it is accepting connections. Other times dbus wins the race.

PID-file based service managers are actually better off since they effectively let the services decide when they've started. Dbus, for example, can hold off with writing its PID-file until after it has started accepting connections.

> I don't think anybody wants to add "sleep 1" hacks into the init scripts.

God no!

> I think just having dnsmasq be a part of the configuration by default is the best and cleanest way to solve this

Agreed.