Privileges and capabilities

The kresd daemon requires privileges when it is configured to bind to well-known ports. There are multiple ways to achieve this.

Using capabilities

The most secure and recommended way is to use capabilities and execute kresd as an unprivileged user.

  • CAP_NET_BIND_SERVICE is required to bind to well-known ports.

  • CAP_SETPCAP when this capability is available, kresd drops any extra capabilities after the daemon successfully starts when running as a non-root user.

Running as non-privileged user

Another possibility is to start the process as privileged user and then switch to a non-privileged user after binding to network interfaces.

user(name[, group])
Parameters
  • name (string) – user name

  • group (string) – group name (optional)

Returns

boolean

Drop privileges and start running as given user (and group, if provided).

Tip

Note that you should bind to required network addresses before changing user. At the same time, you should open the cache AFTER you change the user (so it remains accessible). A good practice is to divide configuration in two parts:

-- privileged
net.listen('127.0.0.1')
net.listen('::1')
user('knot-resolver', 'netgrp')
-- unprivileged
cache.size = 100*MB

Example output:

> user('baduser')
invalid user name
> user('knot-resolver', 'netgrp')
true
> user('root')
Operation not permitted

Running as root

Warning

Executing processes as root is generally insecure, as these processes have unconstrained access to the complete system at runtime.

While not recommended, it is also possible to run kresd directly as root.