daemon: don't drop capabilities when running as root

When the effective user is root, no capabilities are dropped. This
change has no effect when running as non-privileged user or when
switching to non-privileged user via user() in config.

Dropping capabilities as a root user resulted in the following
unexpected behaviour:

1. When using trust anchor update, r/w access to root keys is neeeded.
   These are typically owned by knot-resolver user. When kresd is
   executed as root and capabilities are dropped, this file was no longer
   writable, because it is owned by knot-resolver, not root.
2. It is impossible to recreate/resize cache due to the same permission
   issue as above.

If you want to drop capabilities when starting kresd as a root user,
you can switch the user with the `user()` command. This changes the
effective user ID and drops any capabilities as well.

diff --git a/NEWS b/NEWS
index 287c7ea1f42ebfac1d8fd8b9373f12c5841fe0a6..35605d72e1521b8cd47d8915bff0b98a7a5f74d1 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+Knot Resolver 5.2.0 (2020-0m-dd)
+================================
+
+Improvements
+------------
+- capabilities are no longer constrained when running as root (!1012)
+
+
 Knot Resolver 5.1.2 (2020-07-01)
 ================================
 

diff --git a/daemon/main.c b/daemon/main.c
index f936c645cd1e48fde96788e387ac083c7ab18de9..b7306c773588638892bb2b5616910baeeb467df4 100644 (file)
--- a/daemon/main.c
+++ b/daemon/main.c
@@ -491,7 +491,11 @@ static int start_listening(struct network *net, flagged_fd_array_t *fds) {
 static void drop_capabilities(void)
 {
 #ifdef ENABLE_CAP_NG
-       /* Drop all capabilities. */
+       /* Drop all capabilities when running under non-root user. */
+       if (geteuid() == 0) {
+               kr_log_verbose("[system] running as root, no capabilities dropped\n");
+               return;
+       }
        if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
                capng_clear(CAPNG_SELECT_BOTH);
 
@@ -499,9 +503,12 @@ static void drop_capabilities(void)
                if (capng_apply(CAPNG_SELECT_BOTH) < 0) {
                        kr_log_error("[system] failed to set process capabilities: %s\n",
                                  strerror(errno));
+               } else {
+                       kr_log_verbose("[system] all capabilities dropped\n");
                }
        } else {
-               kr_log_info("[system] process not allowed to set capabilities, skipping\n");
+               /* If user() was called, the capabilities were already dropped along with SETPCAP. */
+               kr_log_verbose("[system] process not allowed to set capabilities, skipping\n");
        }
 #endif /* ENABLE_CAP_NG */
 }

diff --git a/doc/config-no-systemd-privileges.rst b/doc/config-no-systemd-privileges.rst
index 9503a456f30bba28574da2578a97968375ca50a8..86a9c3d701eafd522554cfe61c548293eadadc1f 100644 (file)
--- a/doc/config-no-systemd-privileges.rst
+++ b/doc/config-no-systemd-privileges.rst
@@ -14,7 +14,8 @@ an unprivileged user.
 
 * ``CAP_NET_BIND_SERVICE`` is required to bind to well-known ports.
 * ``CAP_SETPCAP`` when this capability is available, kresd drops any extra
-  privileges after the daemon successfully starts.
+  capabilities after the daemon successfully starts when running as
+  a non-root user.
 
 Running as non-privileged user
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -62,7 +63,3 @@ Running as root
    proccesses have unconstrained access to the complete system at runtime.
 
 While not recommended, it is also possible to run kresd directly as root.
-
-Please note the process will still attempt to drop capabilities after startup.
-Among other things, this means the cache directory should belong to root to
-have write access.