On 2025-10-31 20:00, Solar Designer wrote:
> On Fri, Oct 31, 2025 at 09:06:09PM +0000, Art Manion wrote:
>> Does dnsmasq read the config file before dropping privileges? I think so, since dnsmasq needs to know what interfaces and ports to bind to?
>>
>> Does dnsmasq check that the config file is root-owned and not user-writable? In my brief testing, no.
>>
>> Can a regular user call dnsmasq with '-C dnsmasq_malicious.conf' and achieve memory corruption under root privileges? Even if it's unlikely to result in code execution, that privilege escalation may qualify as a CVE-worthy vulnerability.
>
> I don't think a "check that the config file is root-owned and not user-writable" would be relevant since a maybe-relevant threat model involves config files intentionally created by other software such as a web UI, which would set permissions such that the file is processed, and since such checks are uncommon and the lack of them does not mean the software supports untrusted config files.

About an hour after posting this I slightly regretted it; my line of thinking was along the lines of dnsmasq being setuid (it is not on the systems I have at hand). I agree that some other system that uses dnsmasq should be responsible for managing privilege separation if that system allowed low-privileged users to modify config files that influenced the behavior of privileged programs.

 - Art
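For readers who want to see what the "root-owned and not user-writable" check discussed in the thread would actually look like, here is an added illustration. It is not part of the thread, not dnsmasq code, and not a proposed patch; it is a stand-alone Python function that a wrapper or deployment script could apply to a config path before handing it to a privileged daemon. The `trusted_uids` parameter, the `check_config_trust` name and the constructed temporary config file are all assumptions of this example.

```python
import os
import stat
import tempfile


def check_config_trust(path, trusted_uids=(0,)):
    """Return (ok, reason) for a config file about to be read with privilege.

    ok is True only when path is a regular file (not a symlink), owned by one
    of trusted_uids (root by default), and not writable by group or others.
    This is the kind of check the thread discusses; it is an assumption of
    this example, not something dnsmasq itself does.
    """
    st = os.lstat(path)  # lstat so a symlink is inspected, not its target
    if stat.S_ISLNK(st.st_mode):
        return False, "is a symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid not in trusted_uids:
        return False, f"owned by uid {st.st_uid}, expected one of {trusted_uids}"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = oct(stat.S_IMODE(st.st_mode))
        return False, f"writable by group or others (mode {mode})"
    return True, "ok"


def demo():
    """Exercise the check on a constructed config file (POSIX assumed).

    Returns a tuple of the three ok flags: a 0644 file owned by the current
    user and trusted, the same file after chmod 0666, and the 0644 file when
    the current user is not in trusted_uids.
    """
    me = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dnsmasq_example.conf")  # constructed sample
        with open(path, "w") as f:
            f.write("port=5353\n")
        os.chmod(path, 0o644)
        ok_owned, _ = check_config_trust(path, trusted_uids=(me,))
        os.chmod(path, 0o666)
        ok_world_writable, _ = check_config_trust(path, trusted_uids=(me,))
        os.chmod(path, 0o644)
        ok_wrong_owner, _ = check_config_trust(path, trusted_uids=(me + 1,))
    return ok_owned, ok_world_writable, ok_wrong_owner


if __name__ == "__main__":
    print(demo())
```

The check deliberately stays with lstat on the file itself; it says nothing about whether the containing directory is writable by an untrusted user, which is a separate condition to verify in a deployment. As the thread notes, a check like this is only meaningful where the program is actually expected to accept config files from less-privileged principals; where another component (a web UI, an init system) owns the file, that component is the right place to enforce it.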
