Privileges and capabilities¶
The kresd daemon requires privileges when it is configured to bind to well-known ports. There are multiple ways to achieve this.
The most secure and recommended way is to use capabilities and execute kresd as an unprivileged user.
CAP_NET_BIND_SERVICE
    Required to bind to well-known ports (ports below 1024, which Linux reserves for privileged processes).
CAP_SETPCAP
    When this capability is available, kresd drops any extra privileges after the daemon successfully starts.
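Whether the capability drop described above actually happened can be checked from outside the process by reading the CapEff line of /proc/<pid>/status. The following POSIX shell script is an added example, not part of Knot Resolver or its documentation: it decodes the two capability bits relevant here (CAP_SETPCAP is bit 8 and CAP_NET_BIND_SERVICE is bit 10 in <linux/capability.h>), and it carries constructed sample status excerpts so it runs without a live kresd process. The caps_of_pid helper and the sample values are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Knot Resolver code): inspect the effective capability
# set of a process from /proc/<pid>/status and report whether it still holds
# the two capabilities discussed above. Bit numbers come from
# <linux/capability.h>: CAP_SETPCAP = 8, CAP_NET_BIND_SERVICE = 10.

# cap_has MASKHEX BIT: succeed when bit BIT is set in the 64-bit hex mask.
cap_has() {
    _mask=$1
    _bit=$2
    [ $(( 0x$_mask >> $_bit & 1 )) -eq 1 ]
}

# cap_eff_from_status STATUSTEXT: print the CapEff hex mask found in the
# text of a /proc/<pid>/status file (passed as one string).
cap_eff_from_status() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# caps_present MASKHEX: print the names of the capabilities of interest that
# are set in the mask, space separated, or "none" when neither is set.
caps_present() {
    _out=""
    cap_has "$1" 8  && _out="$_out CAP_SETPCAP"
    cap_has "$1" 10 && _out="$_out CAP_NET_BIND_SERVICE"
    _out=${_out# }
    echo "${_out:-none}"
}

# caps_of_pid PID: live check against a running process (needs a Linux
# /proc; the helper name is this example's own, not a kresd command).
caps_of_pid() {
    caps_present "$(cap_eff_from_status "$(cat "/proc/$1/status")")"
}

# Constructed sample status excerpts (not captured from a real system).
# 0x500 = bit 8 | bit 10: the state right after the capabilities are granted.
SAMPLE_AT_START='Name:   kresd
Uid:    998     998     998     998
CapEff: 0000000000000500'
# All zero: the state expected once kresd has dropped its privileges.
SAMPLE_AFTER_DROP='Name:   kresd
Uid:    998     998     998     998
CapEff: 0000000000000000'

if [ "$#" -eq 1 ]; then
    # Usage on a live system: sh capcheck.sh "$(pidof kresd)"
    caps_of_pid "$1"
else
    echo "at start:   $(caps_present "$(cap_eff_from_status "$SAMPLE_AT_START")")"
    echo "after drop: $(caps_present "$(cap_eff_from_status "$SAMPLE_AFTER_DROP")")"
fi
```

Run against the PID of a started kresd, the script should print "none" once the daemon has dropped its privileges; a result that still lists CAP_SETPCAP means the drop did not take place, which is worth investigating before trusting the process with an unprivileged user alone.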
Running as non-privileged user¶
Another possibility is to start the process as privileged user and then switch to a non-privileged user after binding to network interfaces.
user(name[, group])
    name (string) – user name
    group (string) – group name (optional)
    Drop privileges and start running as the given user (and group, if provided).
Note that you should bind to the required network addresses before changing the user, since binding to well-known ports is what needs the privileges. At the same time, you should open the cache after you change the user, so that the cache files are created with ownership the unprivileged process can still access. A good practice is to divide the configuration into two parts:

```lua
-- privileged
net.listen('127.0.0.1')
net.listen('::1')
user('knot-resolver', 'netgrp')
-- unprivileged
cache.size = 100*MB
```
```
> user('baduser')
invalid user name
> user('knot-resolver', 'netgrp')
true
> user('root')
Operation not permitted
```
Running as root¶
Executing processes as root is generally insecure, as these processes have unconstrained access to the complete system at runtime.
While not recommended, it is also possible to run kresd directly as root.
Please note that the process will still attempt to drop capabilities after startup. Among other things, this means the cache directory should belong to root, as the process can no longer rely on its capabilities to obtain write access to it.