Dropping privileges [FATAL] Unable to drop additional groups: [function not implemented] #1646
Comments
Maybe this helps? Was it just installed with |
It is run in JFFS on Asus-WRT Merlin Firmware Routers Flash Memory. It is without a service install. The service is invoked from a shell script with linux-arm build using nobody as the username within the .toml setup using your prebuilt linux-arm for the latest release. User nobody is chosen for its limited and more secure footprint on the Router. The Kernel having the issue is kernel 4.1. The Kernel is built with the correct CONFIG_MULTIUSER=y flag |
I have opened an issue with Asuswrt-Merlin Dev to try to figure out the issue, but we have looked at all possible angles from the firmware end. https://github.com/RMerl/asuswrt-merlin.ng/issues/728 |
To be more specific, the kernel is 4.1.52 |
So, on your setup, this also happened when the Can you provide the exact system call returning this error as well as the actual return code? |
is the entire output from running
the username in the .toml file is According to RMerl the dev of AsusWrt-Merlin Firmware
|
Can confirm, privilege dropping works on that kernel (see dnsmasq), just DNSCrypt-proxy doesn't seem to do it:
Edit: It runs currently as admin, explicitly. |
Once again: can you provide the exact system call returning this error as well as the actual return code? |
Sure, if you tell me how, I'll gladly do that. |
Unfortunately I neither use Linux nor this router. |
According to the error message, the failure would be on setgroups(), which did work fine in my test program. dnscrypt does its privilege drops here: https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/privilege_linux.go#L58 Could be a GoLang issue or a compile issue rather than a dnscrypt code issue, assuming the three calls seen in that link above do map to the three calls I used in my test program. |
Since it doesn't use the C library, could the Go library use the wrong constant on that platform? That would be quite surprising, especially since this is the first time this issue is reported. Having the actual syscall (with |
I can't help you any further on this, I don't know anything about Go myself, sorry. |
Is strace available on asuswrt-merlin? Then I'll try to get you that info. |
It can be installed through Entware, however once the second thread is spawned, it won't see the syscalls done to drop privileges. |
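One way to get the failing system call and its numeric return code from inside the process, without a tracer, is a small probe that issues the calls the way a Go binary does, without libc. This is an added example, not dnscrypt-proxy code and not the test program mentioned above; it assumes the three calls are setgroups, setgid and setuid in that order, and that `nobody` maps to UID/GID 65534 (check `/etc/passwd` on the device).

```go
// Added diagnostic example (not dnscrypt-proxy code); Linux only.
package main

import (
	"fmt"
	"runtime"
	"syscall"
)

type rawFn func(trap, a1, a2, a3 uintptr) (r1, r2 uintptr, err syscall.Errno)
type step struct {
	name     string
	trap, a1 uintptr
}

// dropSteps: assumed order setgroups, setgid, setuid, using this build's syscall numbers.
func dropSteps(uid, gid uintptr) []step {
	return []step{
		{"setgroups", syscall.SYS_SETGROUPS, 0}, // setgroups(0, NULL): empty group list
		{"setgid", syscall.SYS_SETGID, gid},
		{"setuid", syscall.SYS_SETUID, uid},
	}
}

// describe reports the syscall number that was used and the numeric errno.
func describe(s step, e syscall.Errno) string {
	if e == 0 {
		return fmt.Sprintf("%s (syscall %d): ok", s.name, s.trap)
	}
	return fmt.Sprintf("%s (syscall %d): errno=%d [%s]", s.name, s.trap, int(e), e.Error())
}

// probe issues each step through call (syscall.RawSyscall, or a fake) and stops at the first failure.
func probe(call rawFn, steps []step) (report []string) {
	for _, s := range steps {
		_, _, e := call(s.trap, s.a1, 0, 0)
		report = append(report, describe(s, e))
		if e != 0 {
			break
		}
	}
	return report
}

func main() {
	runtime.LockOSThread() // raw credential syscalls change the calling thread only
	for _, line := range probe(syscall.RawSyscall, dropSteps(65534, 65534)) { // assumed IDs for "nobody"
		fmt.Println(line)
	}
}
```

Build it for the same GOOS/GOARCH as the failing binary and run it as root on the router; the first line that is not `ok` names the call, the syscall number the build used, and the errno.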
Any hints on how I can assist with this then? (I'm the original reporter in the forum) |
I have a feeling this is due to it being incompatible with Linux kernel 4.1. |
https://github.com/golang/go/wiki/MinimumRequirements
|
And that was also mentioned in the dnscrypt-proxy documentation, right in the first paragraph https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux#installation-on-linux-overview |
The failing router is on ARM V7, not MIPS64. |
Yep, please reopen. |
Can you check if this still happens with a more recent kernel? The minimum requirement page may not be up to date, with the same issue affecting ARMv7 platforms as well. There's not much to be done in dnscrypt-proxy itself. Maybe hack a custom build with the correct system call for that kernel; doing this upstream is likely to break on all other kernels. If the issue is in the Go compiler, this is where it should be fixed, or at least documented. If a more recent kernel fixes it, the documentation should definitely be updated here as well. Kernel 4.1 was released circa 2015, it's a little bit dated right now. |
The router kernel cannot be upgraded, it's tied to Broadcom's SDK. I agree however that there isn't much that could be done from the dnscrypt devs at this point, and I also suspect it's a bug within Go itself. The code that I pointed earlier looks fine to me. Just another reason why personally I much prefer C over higher level languages, which may introduce their own set of issues. |
@jedisct1 //// Dnscrypt-proxy2 works fine for all other model Asuswrt-Merlin Routers that use ARM7; the main difference, though, is that these newer ARM7 models (RTAX56U and RTAX58U) use a kernel that has been known to sometimes have operational issues with GO. From what I understand, the Devs of GO know about some of these unsupported Kernel Issues. Thank you for your continued efforts to keep Dnscrypt-proxy 2 a viable DNS privacy solution. |
Who is the bug affecting?
Linux-arm branch
What is affected by this bug?
Dropping privileges
When does this occur?
on loading of dnscrypt-proxy 2 with user selected as nobody
Where does it happen?
on RMerlin Asuswrt arm7l
How do we replicate the issue?
Loading dnscrypt-proxy on arm7l with user selected as nobody.
Expected behavior (i.e. solution)
privileges to properly drop.
Other Comments