Support privilege dropping?

[mperham]

Since RubyDNS will often bind to privileged port 53, it will be run as root. Ideally it will drop after binding.

http://timetobleed.com/5-things-you-dont-know-about-user-ids-that-will-destroy-you/

uid = Etc.getpwnam("nobody").uid
Process::Sys.setuid(uid)

Pseudocode:

RubyDNS.run_server(INTERFACES, user: 'nobody') do
  ...
end

[ioquatix]

https://github.com/socketry/rubydns/blob/master/examples/fortune-dns.rb has an example of how to do this.

[ioquatix]

However, it's quite an old example. Maybe can be improved somewhat by combining it with a real command processor (e.g. samovar optimist, etc).

[fa11enangel]

I've launched rubydns on an un privileged port (5300) and added port forwarding through iptables from port 53. This way I don't need any privileges for the server to run/restart/update/...

This is an example for iptables rules:

iptables -t nat -I PREROUTING -p tcp --dport 53 -j REDIRECT --to-port 5300
iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-port 5300

For UFW I've created a rule too:

#  /etc/ufw/before.rule
# Forward port 53 to 5300
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port 5300
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 5300
COMMIT

and for IPv6 in UFW:

# /etc/ufw/before6.rules
# Forward port 53 to 5300
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp --dport 53 -j REDIRECT --to-port 5300
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp --dport 53 -j REDIRECT --to-port 5300
COMMIT