Dropping privileges [FATAL] Unable to drop additional groups: [function not implemented]

[jumpsmm7]

Who is the bug affecting?

Linux-arm branch

What is affected by this bug?

Dropping privileges

When does this occur?

on loading of dnscrypt-proxy 2 with user selected as nobody

Where does it happen?

on RMerlin Asuswrt arm7l

How do we replicate the issue?

Loading dnscrypt-proxy on arm7l with user selected as nobody.

Expected behavior (i.e. solution)

privileges to properly drop.

Other Comments

[jedisct1]

Maybe this helps?

Was it just installed with dnscrypt-proxy -service install or do you have custom stuff in the systemd startup file to explicitly break that feature?

[jumpsmm7]

Maybe this helps?

Was it just installed with dnscrypt-proxy -service install or do you have custom stuff in the systemd startup file to explicitly break that feature?

It is ran in JFFS on Asus-WRT Merlin Firmware Routers Flash Memory. It is without a service install. the service is invoked from a shell script with linux-arm build using nobody as the username within the .toml setup using your prebuilt linux-arm for the latest release. User nobody is chosen for its limited and more secure footprint on the Router. The Kernel having the issue is kernel 4.1. The Kernel is built with the correct CONFIG_MULTIUSER=y flag

[jumpsmm7]

I have opened an issue with Asuswrt-Merlin Dev to try to figure out the issue, but we have looked at all possible angles from the firmware end. https://github.com/RMerl/asuswrt-merlin.ng/issues/728

[jumpsmm7]

To be more specific, the kernel is 4.1.52
Linux/arm 4.1.52 Kernel Configuration
An example of the build configuration is as follows.
https://raw.githubusercontent.com/RMerl/asuswrt-merlin.ng/master/release/src-rt-5.02axhnd.675x/kernel/linux-4.1/config_base.6a.6750

[jedisct1]

So, on your setup, this also happened when the ./dnscrypt-proxy -list command is run interactively, right?

Can you provide the exact system call returning this error as well the actual return code?

[jumpsmm7]

[2021-03-25 14:05:47] [NOTICE] dnscrypt-proxy 2.0.45
[2021-03-25 14:05:47] [NOTICE] Dropping privileges
[2021-03-25 14:05:47] [FATAL] Unable to drop additional groups: [function not implemented]

is the entire output from running

./dnscrypt-proxy -list

the username in the .toml file is nobody

According to RMerl the dev of AsusWrt-Merlin Firmware

I also confirmed that privileges dropping worked fine, with the following test program:

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <grp.h>

int main(){
	printf("start\n");
	printf("sleep\n"); usleep(5 * 1000 * 1000);

	uid_t uid = 65534; // user
	gid_t gid = 65534;  // group

        printf("setgroups()\n");
        printf("%d\n",setgroups(0, NULL));
        printf("setgid: %d\n", gid);
        printf("%d\n",setgid(gid));

        printf("setuid: %d\n", uid);
        printf("%d\n",setuid(uid));

	usleep(20*1000*1000);
	printf("exit\n");
}

If I examine the process during that 20 secs pause, it does show gid and uid of 65534 (both of which are nobody), and both calls return "0".

[pannal]

Can confirm, privilege dropping works on that kernel (see dnsmasq), just DNSCrypt-proxy doesn't seem to do it:

12475 nobody    4584 S    dnsmasq --log-async
12476 admin     4584 S    dnsmasq --log-async
17076 admin    10008 S    networkmap
21511 admin     783m S    /jffs/dnscrypt/dnscrypt-proxy -syslog -config /jffs/dnscrypt/dnscrypt-proxy.toml

Edit: It runs currently as admin, explicitly.

[jedisct1]

Once again: can you provide the exact system call returning this error as well the actual return code?

[pannal]

Sure, if you tell me how, I'll gladly do that.

[jedisct1]

Unfortunately I neither use Linux nor this router.

[RMerl]

According to the error message, the failure would be on setgroups(), which did work fine in my test program.

dnscrypt does its privilege drops here:

https://github.com/DNSCrypt/dnscrypt-proxy/blob/master/dnscrypt-proxy/privilege_linux.go#L58

Could be a GoLang issue or a compile issue rather than a dnscrypt code issue, assuming the three calls seen in that link above do map to the three calls I used in my test program.

[jedisct1]

RawSyscall really doesn't do anything more than a syscall() call.

Since it doesn't use the C library, could the Go library use the wrong constant on that platform? That would be quite surprising, especially since this is the first time this issue is reported.

Having the actual syscall (with strace or watever is used on Linux these days) would be very useful.

[RMerl]

I can`t help you any further on this, I don't know anything about Go myself, sorry.

[pannal]

Is strace available on asuswrt-merlin? Then I'll try to get you that info.

[RMerl]

It can be installed through Entware, however once the second thread is spawned, it won't see the syscalls done to drop privileges.

[pannal]

Any hints on how I can assist with this then? (I'm the original reporter in the forum)

[jumpsmm7]

I have feeling this is due to it being incompatible to linux kernel 4.1.

[jedisct1]

https://github.com/golang/go/wiki/MinimumRequirements

For little-endian MIPS64, kernel version 4.1 is known to fail, and 4.8 works.

[jedisct1]

And that was also mentioned in the dnscrypt-proxy documentation, right in the first paragraph https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux#installation-on-linux-overview

[RMerl]

The failing router is on ARM V7, not MIPS64.

[pannal]

Yep, please reopen.

[jedisct1]

Can you check if this still happens with a more recent kernel? The minimum requirement page may not be up to date, with the same issue affecting ARMv7 platforms as well.

There's not much to be done in dnscrypt-proxy itself. Maybe hack a custom build with the correct system call for that kernel; doing this upstream is likely to break on all other kernels. If the issue is in the Go compiler, this is where it should be fixed, or at least documented.

If a more recent kernel fixes it, the documentation should definitely be updated here as well. Kernel 4.1 was released circa 2015, it's a little bit dated right now.

[RMerl]

The router kernel cannot be upgraded, it's tied to Broadcom's SDK.

I agree however that there isn't much that could be done from the dnscrypt devs at this point, and I also suspect it's a bug within Go itself. The code that I pointed earlier looks fine to me.

Just another reason while personally I much prefer C over higher level languages, which may introduce their own set of issues.

[jumpsmm7]

@jedisct1 //// Dnscrypt-proxy2 works fine for all other model Asuswrt-Merlin Routers that use ARM7, the main differences though is that these newer ARM7 models(RTAX56U and RTAX58U) use a kernel that has been known to sometimes have operational issues with GO. From what I understand, the Devs of GO know about some of these unsupported Kernel Issues. Thank you for your continued efforts to keep Dnscrypt-proxy 2 a viable DNS privacy solution.