Issue
Im trying to sandbox my dnsmasq on a CentOS9 machine. I have this exact config running on a CentOS8 (with all the sandbox parameters uncommented), but the upgrade to CentOS9 seems to break it. I have a dnscrypt-proxy running aswell on port 2053.
When I have dnsmasq not sandboxed, everything starts and runs fine. But as soon as I create a simple sandbox for dnsmasq, the dnsmasq startup fails, complaining that the DNS server cant start.
/etc/dnsmasq.conf
/etc/systemd/system/dnsmasq.service.d/01-sandboxing.conf
systemctl status dnsmasq output
I have also seen a "couldnt bind port 53: Permissions denied" error. When checking whether anything is listening on port 53, nothing appears. So I guss this must be caused by the sandbox but Im not sure what exactly.
I tried commenting out lines of the sandbox but it seems to fail no matter how much I comment out.
Thanks in advance for any help!
Solution
I found the issue, I think. By removing the user and group line from the sandboxing.conf, dnsmasq properly starts up. I do not think we changed anything about the dnsmasq user, so I assume that dnsmasq first starts as root, then tries to change its user but fails because it already is the user dnsmasq. Or because dnsmasq first does setup as root, and fails because it already got assigned to the dnsmasq user. Either one.
I cant be 100% sure, but thats my theory.
I'm gonna look into potential security concerns by letting dnsmasq change its user by itself, and generally if I can find a way for it to work even with the user parameter, but for now I will just leave these two lines out
Answered By - Elekam Answer Checked By - Robin (WPSolving Admin)