Warning
This page is intended for experienced users only. If you follow these instructions, you are not protected from footguns eliminated with the introduction of the kres-manager. However, if you want to continue using Knot Resolver the same way as before version 6.0.0, this is a chapter for you.
For new and less experienced users, we recommend using the newer approach starting in the Getting Started chapter.
Privileges and capabilities
The kresd daemon requires privileges when it is configured to bind to well-known ports. There are multiple ways to achieve this.
Using capabilities
The most secure and recommended way is to use capabilities and execute kresd as an unprivileged user.
- CAP_NET_BIND_SERVICE is required to bind to well-known ports.
- CAP_SETPCAP: when this capability is available, kresd drops any extra capabilities after the daemon successfully starts when running as a non-root user.
Running as non-privileged user
Another possibility is to start the process as a privileged user and then switch to a non-privileged user after binding to network interfaces.
- user(name[, group])
- Parameters:
name (string) – user name
group (string) – group name (optional)
- Returns:
boolean
Drop privileges and start running as given user (and group, if provided).
Tip
Note that you should bind to the required network addresses before changing the user. At the same time, you should open the cache AFTER you change the user (so it remains accessible). A good practice is to divide the configuration into two parts:
    -- privileged
    net.listen('127.0.0.1')
    net.listen('::1')
    user('knot-resolver', 'netgrp')
    -- unprivileged
    cache.size = 100*MB
Example output:
    > user('baduser')
    invalid user name
    > user('knot-resolver', 'netgrp')
    true
    > user('root')
    Operation not permitted
Running as root
Warning
Executing processes as root is generally insecure, as these processes have unconstrained access to the complete system at runtime.
While not recommended, it is also possible to run kresd directly as root.
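To check which of the modes above a running kresd actually ended up in, its `/proc/<pid>/status` can be audited for the effective UID and the remaining capability masks. The following is an added example, not code from Knot Resolver; it assumes that only CAP_NET_BIND_SERVICE is expected to remain, and the sample status dumps (including UID 992) are constructed.

```python
import re

# Capability bit numbers from <linux/capability.h> (subset; other bits print as cap_<n>).
CAP_NAMES = {6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
             10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN"}
# Assumption of this example: only the port-binding capability is expected to remain.
ALLOWED = {"CAP_NET_BIND_SERVICE"}

def decode_caps(mask_hex):
    """Turn a hex mask from /proc/<pid>/status into a set of capability names."""
    mask = int(mask_hex, 16)
    return {CAP_NAMES.get(bit, f"cap_{bit}")
            for bit in range(mask.bit_length()) if (mask >> bit) & 1}

def audit_status(status_text):
    """Return findings for one /proc/<pid>/status dump; an empty list means clean."""
    fields = dict(re.findall(r"^(\w+):[ \t]*(.+)$", status_text, re.M))
    findings = []
    if int(fields["Uid"].split()[1]) == 0:  # columns: real, effective, saved, fs
        findings.append("effective UID is 0 (running as root)")
    for field in ("CapPrm", "CapEff"):
        extra = decode_caps(fields[field]) - ALLOWED
        if extra:
            findings.append(f"{field} holds extra capabilities: {', '.join(sorted(extra))}")
    return findings

# Constructed samples (not captured from a real system); UID 992 is made up.
DROPPED = ("Name:\tkresd\nUid:\t992\t992\t992\t992\n"
           "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n")
NOT_DROPPED = ("Name:\tkresd\nUid:\t992\t992\t992\t992\n"
               "CapPrm:\t0000000000000500\nCapEff:\t0000000000000500\n")
AS_ROOT = ("Name:\tkresd\nUid:\t0\t0\t0\t0\n"
           "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n")

if __name__ == "__main__":
    for label, sample in (("dropped", DROPPED), ("not dropped", NOT_DROPPED),
                          ("root", AS_ROOT)):
        print(label, audit_status(sample) or "OK")
```

On a live system, pass the contents of `/proc/<pid>/status` for the kresd process to `audit_status()`.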