SCIENTIFIC-LINUX-USERS Archives

May 2019

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Fri, 17 May 2019 17:33:28 +0200
On Fri, May 17, 2019 at 3:07 PM Teh, Kenneth M.
<[log in to unmask]> wrote:
> On 5/16/19 9:23 PM, Orion Poplawski wrote:
>> On 5/16/19 1:23 PM, Teh, Kenneth M. wrote:
>>>
>>> Systemd continues to baffle me.
>>>
>>> I've set up a router machine that provides pxe boot and tftp
>>> services on a private network with dnsmasq. Pxeboot works if I
>>> run dnsmasq manually, but not when I turn on the service with
>>> systemctl.
>>>
>>> I can't think through its layers of obtuseness and would
>>> appreciate someone with a fresher brain to point me in the right
>>> direction.
>>
>> You don't give us much to work with. When you start it manually,
>> what exactly do you run? What does 'journalctl -u dnsmasq' report?
>> Anything else that might be relevant?
>
> Sorry. You're right. A moment of exasperation and frustration with
> systemd whose bits of config/info are strewn all over the place
> instead of everything in init.d. I guess I resent learning new ways
> of doing old things. Must be my age. :)
>
> Turned out the problem is dnsmasq's tftp module has no permission
> to read pxelinux.0 even though the file is 0644. Checked audit.log
> for possible selinux problem. Nothing.
>
> Everything in /var/lib/tftpboot is selinux type tftpdir_rw_t except
> for pxelinux.0 (plus a few more) which are cobbler_var_lib_t. Tried
> an semanage fcontext/restorecon to change it just to see if dnsmasq
> would read it. Doesn't change. Nothing in journalctl. Used chcon.
> Changes it. But dnsmasq still cannot read the file.
>
> Finally set dnsmasq to run as root in its config. Works. Only thing
> I can think of is dnsmasq which apparently runs as nobody when
> started from systemd cannot read files it does not own.

1) From the manpage

--tftp-secure
Enable TFTP secure mode: without this, any file which is readable by
the dnsmasq process under normal unix access-control rules is
available via TFTP. When the --tftp-secure flag is given, only files
owned by the user running the dnsmasq process are accessible. If
dnsmasq is being run as root, different rules apply: --tftp-secure
has no effect, but only files which have the world-readable bit set
are accessible. It is not recommended to run dnsmasq as root with
TFTP enabled, and certainly not without specifying --tftp-root. Doing
so can expose any world-readable file on the server to any host on
the net.

Are you using this option?

2) When you were testing and running it manually, were you setting
command-line options or were you simply using the options in
"/etc/dnsmasq.conf" like the systemd unit?
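As an added example (not code from the thread or from the dnsmasq project), the following Python models the three access rules in the manpage text quoted above and can be pointed at a real --tftp-root to list what dnsmasq would hand out under each mode. It checks only Unix ownership and mode bits, not SELinux labels or ACLs, and uid 99 for "nobody" is an assumption.

```python
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileInfo:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o644

def unix_readable(f: FileInfo, uid: int, gids: set) -> bool:
    """Owner/group/other read check (DAC only; no SELinux, no ACLs)."""
    if uid == 0:
        return True
    if f.uid == uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)

def tftp_servable(f: FileInfo, uid: int, gids: set, tftp_secure: bool) -> bool:
    """Access rules as quoted from the --tftp-secure manpage text."""
    if uid == 0:
        # As root, --tftp-secure has no effect; only world-readable files go out.
        return bool(f.mode & stat.S_IROTH)
    if not unix_readable(f, uid, gids):
        return False
    # Secure mode additionally requires the serving user to own the file.
    return f.uid == uid if tftp_secure else True

def audit_tftp_root(root: str, uid: int, gids: set, tftp_secure: bool) -> dict:
    """Walk a real --tftp-root and report which files dnsmasq would hand out."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.stat(p)
            info = FileInfo(p, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))
            report[p] = tftp_servable(info, uid, gids, tftp_secure)
    return report

# Constructed sample after the thread: pxelinux.0 is root-owned 0644 and
# dnsmasq runs as "nobody" (uid 99 on EL systems; an assumption here).
SAMPLE = [FileInfo("/var/lib/tftpboot/pxelinux.0", 0, 0, 0o644),
          FileInfo("/var/lib/tftpboot/nobody-owned.cfg", 99, 99, 0o600),
          FileInfo("/var/lib/tftpboot/private.key", 0, 0, 0o600)]

def audit_sample(uid: int, tftp_secure: bool) -> dict:
    """Run the rules over SAMPLE as a process with the given uid/gid."""
    return {f.path: tftp_servable(f, uid, {uid}, tftp_secure) for f in SAMPLE}
```

Running the sample shows why a root-owned 0644 pxelinux.0 is served to a "nobody" process without --tftp-secure but refused with it, while switching dnsmasq to root widens the set to every world-readable file under the root.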
