Subject: | |
From: | |
Reply To: | |
Date: | Fri, 17 May 2019 17:33:28 +0200 |
Content-Type: | text/plain |
Parts/Attachments: |
|
|
On Fri, May 17, 2019 at 3:07 PM Teh, Kenneth M.
<[log in to unmask]> wrote:
> On 5/16/19 9:23 PM, Orion Poplawski wrote:
>> On 5/16/19 1:23 PM, Teh, Kenneth M. wrote:
>>>
>>> Systemd continues to baffle me.
>>>
>>> I've set up a router machine that provides pxe boot and tftp
>>> services on a private network with dnsmasq. Pxeboot works if I
>>> run dnsmasq manually, but not when I turn on the service with
>>> systemctl.
>>>
>>> I can't think through its layers of obtuseness and would
>>> appreciate someone with a fresher brain to point me in the right
>>> direction.
>>
>> You don't give us much to work with. When you start it manually,
>> what exactly do you run? What does 'journalctl -u dnsmasq' report?
>> Anything else that might be relevant?
>
> Sorry. You're right. A moment of exasperation and frustration with
> systemd whose bits of config/info are strewn all over the place
> instead of everything in init.d. I guess I resent learning new ways
> of doing old things. Must be my age. :)
>
> Turned out the problem is dnsmasq's tftp module has no permission
> to read pxelinux.0 even though the file is 0644. Checked audit.log
> for possible selinux problem. Nothing.
>
> Everything in /var/lib/tftpboot is selinux type tftpdir_rw_t except
> for pxelinux.0 (plus a few more) which are cobbler_var_lib_t. Tried
> an semanage fcontext/restorecon to change it just to see if dnsmasq
> would read it. Doesn't change. Nothing in journalctl. Used chcon.
> Changes it. But dnsmasq still cannot read the file.
>
> Finally set dnsmasq to run as root in its config. Works. Only thing
> I can think of is dnsmasq which apparently runs as nobody when
> started from systemd cannot read files it does not own.
1) From the manpage
--tftp-secure
Enable TFTP secure mode: without this, any file which is readable by
the dnsmasq process under normal unix access-control rules is
available via TFTP. When the --tftp-secure flag is given, only files
owned by the user running the dnsmasq process are accessible. If
dnsmasq is being run as root, different rules apply: --tftp-secure
has no effect, but only files which have the world-readable bit set
are accessible. It is not recommended to run dnsmasq as root with
TFTP enabled, and certainly not without specifying --tftp-root. Doing
so can expose any world-readable file on the server to any host on
the net.
Are you using this option?
2) When you were testing and running it manually, were you setting
command-line options or were you simply using the options in
"/etc/dnsmasq.conf" like the systemd unit?
|
|
|