[SOLVED] create s6 service - how to manage permissions?

Topic: [SOLVED] create s6 service - how to manage permissions? (Read 985 times) previous topic - next topic

0 Members and 2 Guests are viewing this topic.

[SOLVED] create s6 service - how to manage permissions?

02 December 2021, 15:55:09

I tried to create my own s6 service for coredns by copy pasting some stuff, but in the log it says it doesn't have enough permissions:

Code: [Select]

2021-12-02 14:24:28.804505739  Listen: listen tcp :53: bind: permission denied

In systemd it was solved like this:

Code: [Select]

CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

My srv-run file looks like this:

Code: [Select]

#!/bin/execlineb -P
fdmove -c 2 1
s6-setuidgid coredns exec coredns -conf=/etc/coredns/Corefile

If needed, I can provide more information.

Re: create s6 service - how to manage permissions?

Reply #1 – 02 December 2021, 16:33:43

Any other DNS resolver is running in your system? If you use connmand, the DNS cacher is up by default.

Re: create s6 service - how to manage permissions?

Reply #2 – 02 December 2021, 16:47:38

Quote

Any other DNS resolver is running in your system? If you use connmand, the DNS cacher is up by default.

I use connman, but I disabled the DNS resolver with OPTS="--nodnsproxy" in /etc/s6/config/connman.conf.

Code: [Select]

sudo ss -tulpn | grep LISTEN

also didn't show that the port 53 is used.
The log says "permission denied", so I guess it's a permission issue.

Re: create s6 service - how to manage permissions?

Reply #3 – 02 December 2021, 16:58:51

I am not using s6, so I can not check it for you. Logically, you could check dnsmasq's service file to see how it manages to run on port 53.

Re: create s6 service - how to manage permissions?

Reply #4 – 02 December 2021, 17:32:18

The only difference I'm not sure about is that coredns's sysusers.d file looks like this

Code: [Select]

u coredns - "CoreDNS is a DNS server that chains plugins "

and that of dnsmasq has a / at the end:
https://gitea.artixlinux.org/packagesD/dnsmasq/src/branch/master/x86_64/extra/dnsmasq-sysusers.conf

But I can't really believe that this would be the reason for the missing permissions.

Re: create s6 service - how to manage permissions?

Reply #5 – 02 December 2021, 19:17:30

DNSmasq can do because it starts as root, binds port 53, and then drops root (notice the run file has dnsmasq -u dnsmasq rather than s6-setuidgid dnsmasq dnsmasq - the user is an option to dnsmasq, not to s6-setuidgid).
On the other hand, your coredns service drops root with s6-setuidgid before even starting coredns itself.

Maybe CoreDNS can do the same thing as dnsmasq but you haven't looked into the right part of the documentation yet.

If it really can't start as root, then change to a normal user on its own, you can:

1. Run sudo setcap cap_net_bind_service+eip /path/to/coredns so it acquires net_bind_service powers. This will make your current script work unchanged.
2. replace s6-setuidgid with setpriv (different syntax, though). My forum post at https://forum.artixlinux.org/index.php/topic,3360.new.html has more details.

Both will give you a similar effect to what you've done on systemd (adding capabilities).

Re: create s6 service - how to manage permissions?

Reply #6 – 02 December 2021, 19:51:59

Thanks! This explanation makes a lot of sense.

I decided to go with the setpriv solution, and it works like a charm.