@mhofman
Created January 20, 2019 04:32
DNSMasq docker without root nor capabilities
FROM alpine:edge
COPY files /
ARG DNSMASQ_UID=100
ARG DNSMASQ_GID=101
ARG user=dnsmasq
ARG capabilities=cap_net_raw,cap_net_bind_service
# Because Synology is dumb
ENV DNSMASQ_UID="${DNSMASQ_UID}"
ENV DNSMASQ_GID="${DNSMASQ_GID}"
ENV user="${user}"
ENV capabilities="${capabilities}"
RUN addgroup -g $DNSMASQ_GID -S $user
RUN adduser -u $DNSMASQ_UID -S -D -H -h /dev/null -s /sbin/nologin -G $user -g $user $user
RUN apk --no-cache add dnsmasq libcap
EXPOSE 53 53/udp
ENTRYPOINT ["/entrypoint.sh", "dnsmasq", "-k"]

#!/bin/sh
# /entrypoint.sh, referenced by the Dockerfile's ENTRYPOINT above
# Output syslog to stdout
#syslogd -O /proc/1/fd/1
case "$user" in
  "0"|"root"|"") exec "$@";;
  # exec never returns, so only other values of $user reach the code below
esac
dnsmasq_capabilities_allowed="cap_net_raw,cap_net_bind_service,cap_net_admin"
# File capabilities on the binary: inheritable + effective, so dnsmasq receives
# exactly the subset of these caps that is in the caller's inheritable set
/usr/sbin/setcap "${dnsmasq_capabilities_allowed}=ie" /usr/sbin/dnsmasq
# Make sure the capabilities are separated by commas with no spaces
capabilities=$(echo "${capabilities:-cap_net_bind_service}" | sed -e 's/,/ /g' -e 's/[ \t]\+/,/g')
echo "Starting \"$*\" as user \"$user\" with inherited capabilities $capabilities"
# 1. Keep permitted, requested + temp capabilities when setuid
# 2. Setuid to user/group
# 3. Make sure requested capabilities can be inherited and enable setpcap capability
# 4. Drop bound capabilities
exec /usr/sbin/capsh --keep=1 \
  --caps="${capabilities}+p cap_setgid,cap_setuid,cap_setpcap+ep" \
  --user="$user" \
  --caps="${capabilities}+i cap_setpcap+ep" \
  --drop="all" -- "$@"

#!/bin/sh
# Special "bash" called by capsh after "--": it executes the remaining parameters,
# or invokes the shell if nothing was provided
exec "${@:-/bin/sh}"

# dnsmasq configuration
listen-address=192.168.1.1
bind-interfaces
# Not needed since setuid happens before launch
#user=dnsmasq
#group=dnsmasq
# avoid ARP injection when lacking the NET_ADMIN capability
dhcp-broadcast
# ICMP requires NET_RAW capability
no-ping
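
As an added check (not part of the gist), this script decodes the CapInh/CapPrm/CapEff/CapBnd masks from a /proc/<pid>/status text and confirms that a process started through the capsh chain above holds only the caps the entrypoint passed on (the two defaults here) with an empty bounding set, which is what `--drop=all` plus the `+ie` file capabilities should yield. The status text is a constructed sample; in a running container substitute `cat /proc/$(pidof dnsmasq)/status`.

```shell
#!/bin/sh
# Added check: decode the CapXxx masks of /proc/<pid>/status and compare them with
# the set the entrypoint intended to hand to dnsmasq. Sample status text is constructed.

# Linux capability names indexed by bit number (0 = cap_chown ... 40 = cap_checkpoint_restore)
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps <hex mask>  -> comma-separated cap_* names, lowest bit first (empty for 0)
decode_caps() {
    dc_mask=$(( 0x${1:-0} )); dc_bit=0; dc_out=""
    for dc_name in $CAP_NAMES; do
        [ $(( (dc_mask >> dc_bit) & 1 )) -eq 1 ] && dc_out="${dc_out:+$dc_out,}cap_$dc_name"
        dc_bit=$((dc_bit + 1))
    done
    printf '%s\n' "$dc_out"
}

# cap_field <status text> <field>  -> decoded names for e.g. CapEff
cap_field() {
    decode_caps "$(printf '%s\n' "$1" | sed -n "s/^$2:[[:space:]]*//p")"
}

# check_caps <status text> <expected names>  -> 0 when Inh, Prm and Eff all equal the
# expected set and Bnd is empty: the state --drop=all plus the +ie file caps should produce
check_caps() {
    for ck_f in CapInh CapPrm CapEff; do
        [ "$(cap_field "$1" "$ck_f")" = "$2" ] || { echo "$ck_f unexpected: $(cap_field "$1" "$ck_f")"; return 1; }
    done
    [ -z "$(cap_field "$1" CapBnd)" ] || { echo "bounding set not empty"; return 1; }
}

# Constructed sample shaped like the status of a dnsmasq started by the entrypoint above.
# In a live container use: check_caps "$(cat /proc/$(pidof dnsmasq)/status)" "$EXPECTED"
SAMPLE_STATUS='Name:	dnsmasq
Uid:	100	100	100	100
CapInh:	0000000000002400
CapPrm:	0000000000002400
CapEff:	0000000000002400
CapBnd:	0000000000000000
CapAmb:	0000000000000000'
EXPECTED="cap_net_bind_service,cap_net_raw"

check_caps "$SAMPLE_STATUS" "$EXPECTED" && echo "process holds only: $EXPECTED"
```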