stubby icon indicating copy to clipboard operation
stubby copied to clipboard

Published 20 hours ago verified publisher icon getdnsapi

Run stubby as unprivileged user

Open santiagorr opened this issue 8 years ago • 10 comments

Hi,

AFAICS, stubby can only run as root. I'd great if it could bind to the 53 port as an unprivileged user.

Thanks for your great work,

Santiago

santiagorr avatar Nov 02 '17 13:11 santiagorr

Noted - we need to improve how the daemonization occurs - we should really have a stubby user and drop privileges after binding....

saradickinson avatar Nov 02 '17 13:11 saradickinson

When using systemd stubby is ran as stubby user and just given BIND capacities instead of being root. Do you plan to change that?

ArchangeGabriel avatar Nov 11 '17 18:11 ArchangeGabriel

No, but we should cater for other environments besides systemd too

wtoorop avatar Nov 21 '17 15:11 wtoorop

Not sure if this helps but it might if you want to run stubby at a reduced privilege you can do

/sbin/setcap 'cap_net_bind_service=+ep' /usr/bin/stubby

then run stubby as normal without privs'

/usr/bin/stubby

I use this in my systemd stubby service file works well and should for other inits that are not systemd.

http://man7.org/linux/man-pages/man7/capabilities.7.html

konomikitten avatar Feb 20 '18 06:02 konomikitten

Good solution, but not on embedded devices, where there is no 'setcap'...

pedro0311 avatar Sep 25 '18 18:09 pedro0311

Would like to see this feature, too.

On OSX, provided you have configured stubby to run on a non privileged port (>1024) there is the posibility to run it as a non-root daemon (as 'nobody' but you can, of course, create a dedicated user). If a privileged port is a must, replace 'nobody' by 'root' in the plist file below.

Edit file org.dnsprivacy.stubby.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>KeepAlive</key>
	<dict>
		<key>SuccessfulExit</key>
		<false/>
	</dict>
        <key>UserName</key>
        <string>nobody</string>
	<key>Label</key>
	<string>org.dnsprivacy.stubby</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/local/bin/stubby</string>
		<string>-v3</string>
	</array>
	<key>RunAtLoad</key>
	<true/>
</dict>
</plist>

then do

sudo cp org.dnsprivacy.stubby.plist /Library/LaunchDaemons sudo chown root:admin /Library/LaunchDaemons/org.dnsprivacy.stubby.plist sudo chmod 644 /Library/LaunchDaemons/org.dnsprivacy.stubby.plist

This will start stubby right after booting up, no login necessary.

You can start / stop it w/o reboot thusly: sudo launchctl load /Library/LaunchDaemons/org.dnsprivacy.stubby.plist sudo launchctl unload /Library/LaunchDaemons/org.dnsprivacy.stubby.plist

efficientbaxter avatar Jul 22 '19 15:07 efficientbaxter

Someone is working on it? 2 and a half year...

pedro0311 avatar May 06 '20 18:05 pedro0311

@pedro0311 What system? With systemd this has been solved long ago by using a DynamicUser.

ArchangeGabriel avatar May 06 '20 19:05 ArchangeGabriel

No systemd, I meant embedded system, like FW for routers; FreshTomato to be precise. https://bitbucket.org/pedro311/freshtomato-arm/

pedro0311 avatar May 10 '20 10:05 pedro0311

Curious on if this is being worked on. On MacOS with no setcap. Having stubby sitting there as root permanently just feels wrong.

jspv avatar Aug 29 '21 14:08 jspv