
[SOLVED] create s6 service - how to manage permissions?

I tried to create my own s6 service for coredns by copy-pasting some stuff, but in the log it says it doesn't have enough permissions:
Code:
2021-12-02 14:24:28.804505739  Listen: listen tcp :53: bind: permission denied

In systemd it was solved like this:
Code:
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

My srv-run file looks like this:
Code:
#!/bin/execlineb -P
fdmove -c 2 1
s6-setuidgid coredns exec coredns -conf=/etc/coredns/Corefile

If needed, I can provide more information.

Re: create s6 service - how to manage permissions?

Reply #1
Any other DNS resolver is running in your system? If you use connmand, the DNS cacher is up by default.

Re: create s6 service - how to manage permissions?

Reply #2
Quote
Any other DNS resolver is running in your system? If you use connmand, the DNS cacher is up by default.
I use connman, but I disabled the DNS resolver with OPTS="--nodnsproxy" in /etc/s6/config/connman.conf.
Code:
sudo ss -tulpn | grep LISTEN
also didn't show that the port 53 is used.
The log says "permission denied", so I guess it's a permission issue.

Re: create s6 service - how to manage permissions?

Reply #3
I am not using s6, so I cannot check it for you. Logically, you could check dnsmasq's service file to see how it manages to run on port 53.

Re: create s6 service - how to manage permissions?

Reply #4
The only difference I'm not sure about is that coredns's sysusers.d file looks like this
Code:
u coredns - "CoreDNS is a DNS server that chains plugins "
and that of dnsmasq has a / at the end:
https://gitea.artixlinux.org/packagesD/dnsmasq/src/branch/master/x86_64/extra/dnsmasq-sysusers.conf

But I can't really believe that this would be the reason for the missing permissions.

Re: create s6 service - how to manage permissions?

Reply #5
DNSmasq can do it because it starts as root, binds port 53, and then drops root (notice the run file has dnsmasq -u dnsmasq rather than s6-setuidgid dnsmasq dnsmasq - the user is an option to dnsmasq, not to s6-setuidgid).
On the other hand, your coredns service drops root with s6-setuidgid before even starting coredns itself.

Maybe CoreDNS can do the same thing as dnsmasq but you haven't looked into the right part of the documentation yet.

If it really can't start as root and then change to a normal user on its own, you can:

1. Run sudo setcap cap_net_bind_service+eip /path/to/coredns so it acquires net_bind_service powers. This will make your current script work unchanged.
2. Replace s6-setuidgid with setpriv (different syntax, though). My forum post at https://forum.artixlinux.org/index.php/topic,3360.new.html has more details.

Both will give you a similar effect to what you've done on systemd (adding capabilities).


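The setpriv option from Reply #5, written out as an added example (this is not code from the thread, from Artix, or from the linked post): an execline run file that drops to the coredns user while keeping only CAP_NET_BIND_SERVICE, plus a shell check that the running process holds exactly that one capability and nothing else. The s6 service directory path and the capability-set values are assumptions/constructed.

```shell
#!/bin/bash
# Added example, not from the original thread.

# Run file contents (execline, like the original srv-run). Newlines are
# plain whitespace to execlineb, so the setpriv arguments may span lines.
# setpriv itself orders the steps: bounding set, then uid/gid switch with
# capabilities retained, then inheritable and ambient sets, so the
# capability survives the uid change (s6-setuidgid keeps none).
coredns_run_script() {
  cat <<'EOF'
#!/bin/execlineb -P
fdmove -c 2 1
setpriv
  --reuid=coredns --regid=coredns --init-groups
  --bounding-set=-all,+net_bind_service
  --inh-caps=+net_bind_service
  --ambient-caps=+net_bind_service
  coredns -conf=/etc/coredns/Corefile
EOF
}

# Write the run file into a service directory (path is an assumption,
# e.g. /etc/s6/sv/coredns on Artix).
install_run_script() {
  coredns_run_script > "$1/run" && chmod 0755 "$1/run"
}

# Post-start check: read /proc/PID/status on stdin and confirm that the
# named set ($1 = CapEff, CapAmb, CapBnd, ...) is exactly
# CAP_NET_BIND_SERVICE (capability number 10, bit mask 0x400).
# Returns 0 if so, 1 if the set differs, 2 if the line is missing.
cap_set_is_only_net_bind() {
  local hex
  hex=$(awk -v set="$1:" '$1 == set { print $2 }')
  [ -n "$hex" ] || return 2
  [ "$((0x$hex))" -eq "$((1 << 10))" ]
}

# Check the live coredns process: both effective and ambient sets
# should be reduced to net_bind_service only.
check_running_coredns() {
  local pid
  pid=$(pidof coredns) || return 1
  cap_set_is_only_net_bind CapEff < "/proc/$pid/status" &&
    cap_set_is_only_net_bind CapAmb < "/proc/$pid/status"
}
```

After s6 starts the service, `check_running_coredns` returning non-zero means the process still carries a wider capability set than intended (for example the full root set, if setpriv was not applied).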
Re: create s6 service - how to manage permissions?

Reply #6
Thanks! This explanation makes a lot of sense. :) I decided to go with the setpriv solution, and it works like a charm.