SCIENTIFIC-LINUX-USERS Archives

May 2019

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Fri, 17 May 2019 17:37:35 +0200

On Fri, May 17, 2019 at 5:08 PM Orion Poplawski wrote:


> Probably related:
>
>        --tftp-secure
>               Enable TFTP secure mode: without this, any file which is
>               readable by the dnsmasq process under normal unix
>               access-control rules is available via TFTP. When the
>               --tftp-secure flag is given, only files owned by the user
>               running the dnsmasq process are accessible. If dnsmasq is
>               being run as root, different rules apply: --tftp-secure has
>               no effect, but only files which have the world-readable bit
>               set are accessible. It is not recommended to run dnsmasq as
>               root with TFTP enabled, and certainly not without specifying
>               --tftp-root. Doing so can expose any world-readable file on
>               the server to any host on the net.

Just read and sent the same :)


> I'm still surprised it made a difference starting it by hand or by systemd.

+1

dnsmasq runs as "nobody" if "/etc/dnsmasq.conf" doesn't have
"user=foo" or dnsmasq isn't started with "--user=foo" (or "-u foo").
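
Added example, not part of the original message and not dnsmasq's own code: a Python model of the man page rules quoted above that lists which files under a TFTP root would be served for a given run-as user, with and without --tftp-secure. The function names, the use of the user's own group list, and treating the owner check as applying on top of normal read permission are assumptions of this example.

```python
import os
import pwd
import stat
import sys

def unix_readable(st_uid, st_gid, st_mode, uid, gids):
    """Owner/group/other read check for a non-root process (ACLs ignored)."""
    if uid == st_uid:
        return bool(st_mode & stat.S_IRUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IRGRP)
    return bool(st_mode & stat.S_IROTH)

def tftp_accessible(st_uid, st_gid, st_mode, uid, gids, tftp_secure):
    """Model of the quoted --tftp-secure rules; not dnsmasq's own code."""
    if uid == 0:
        # As root, --tftp-secure has no effect: the world-readable bit decides.
        return bool(st_mode & stat.S_IROTH)
    readable = unix_readable(st_uid, st_gid, st_mode, uid, gids)
    if tftp_secure:
        # Assumption: the owner check applies on top of normal read access.
        return readable and st_uid == uid
    return readable

def audit(tftp_root, user="nobody", tftp_secure=False):
    """List regular files under tftp_root served when dnsmasq runs as user."""
    pw = pwd.getpwnam(user)
    # Assumption: the process keeps the user's group memberships.
    gids = set(os.getgrouplist(user, pw.pw_gid))
    served = []
    # Directory search permissions are not modelled, so this can over-report.
    for dirpath, _dirs, files in os.walk(tftp_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # dangling symlink or file removed mid-walk
            if stat.S_ISREG(st.st_mode) and tftp_accessible(
                    st.st_uid, st.st_gid, st.st_mode, pw.pw_uid, gids, tftp_secure):
                served.append(path)
    return served

if __name__ == "__main__":
    # Usage: script.py TFTP_ROOT [USER]; "nobody" is the default named above.
    root, user = sys.argv[1], (sys.argv[2] if len(sys.argv) > 2 else "nobody")
    for secure in (False, True):
        print(f"user={user} tftp_secure={secure}:", *audit(root, user, secure), sep="\n  ")
```

Comparing the two listings for the same directory shows exactly which files --tftp-secure would stop serving.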
