datamodel/types/files.py: permission check succeeds if running under root privileges

author Aleš Mrázek <ales.mrazek@nic.cz>

Sun, 14 Sep 2025 21:06:32 +0000 (23:06 +0200)

committer Vladimír Čunát <vladimir.cunat@nic.cz>

Mon, 15 Sep 2025 12:37:51 +0000 (14:37 +0200)
author Aleš Mrázek <ales.mrazek@nic.cz>
Sun, 14 Sep 2025 21:06:32 +0000 (23:06 +0200)
committer Vladimír Čunát <vladimir.cunat@nic.cz>
Mon, 15 Sep 2025 12:37:51 +0000 (14:37 +0200)
diff --git a/NEWS b/NEWS

index 9becaf0b4038b394c01d1025af150d7d7a72ac97..519966d11e89715e8675460878111b376f9d5ff8 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,6 +9,7 @@ Bugfixes
  --------
  - /options/query-case-randomization: respect this even on TCP issues (!1732)
  - prometheus metrics: make the latency histogram cumulative (!1731, GH#117)
+- fix file permission checks when running as root (!1741)
  
  
  Knot Resolver 6.0.15 (2025-07-17)
diff --git a/python/knot_resolver/datamodel/types/files.py b/python/knot_resolver/datamodel/types/files.py

index 1e7cea04077d28043037441b09864fd388e9d59b..4ca9a39eb96783dc7f28477ee96eb87d3147053b 100644 (file)
--- a/python/knot_resolver/datamodel/types/files.py
+++ b/python/knot_resolver/datamodel/types/files.py
@@ -168,10 +168,15 @@ def _check_permission(dest_path: Path, perm_mode: _PermissionMode) -> bool:
          _PermissionMode.EXECUTE: [stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH],
      }
  
+    # running outside the manager (client, ...)
      if get_permissions_default():
          user_uid = getpwnam(USER).pw_uid
          user_gid = getgrnam(GROUP).gr_gid
          username = USER
+    # running under root privileges
+    elif os.geteuid() == 0:
+        return True
+    # running normally under an unprivileged user
      else:
          user_uid = os.getuid()
          user_gid = os.getgid()
diff --git a/python/knot_resolver/manager/server.py b/python/knot_resolver/manager/server.py

index 8096f03cc6db82e913453abd5edf9679a0173e0c..815d4e3fbbf42dc3049ed0e9d6954eccb2df5681 100644 (file)
--- a/python/knot_resolver/manager/server.py
+++ b/python/knot_resolver/manager/server.py
@@ -559,6 +559,8 @@ async def start_server(config: List[str]) -> int:  # noqa: PLR0915
              f"Knot Resolver does not run as the default '{USER}' user, but as '{pw_username}' instead."
              " This may or may not affect the configuration validation and the proper functioning of the resolver."
          )
+    if os.geteuid() == 0:
+        logger.warning(" It is not recommended to run under root privileges unless there is no other option.")
  
      # before starting server, initialize the subprocess controller, config store, etc. Any errors during inicialization
      # are fatal
author	Aleš Mrázek <ales.mrazek@nic.cz>
	Sun, 14 Sep 2025 21:06:32 +0000 (23:06 +0200)
committer	Vladimír Čunát <vladimir.cunat@nic.cz>
	Mon, 15 Sep 2025 12:37:51 +0000 (14:37 +0200)
NEWS		patch \| blob \| blame \| history
python/knot_resolver/datamodel/types/files.py		patch \| blob \| blame \| history
python/knot_resolver/manager/server.py		patch \| blob \| blame \| history