File: resolvconf-admin.1.md.in

resolvconf-admin 0.3-1
  • area: main
  • in suites: bookworm, bullseye, buster, sid, trixie
  • size: 128 kB
  • sloc: ansic: 337; sh: 41; makefile: 35
---
title: RESOLVCONF-ADMIN
section: 1
author: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
date: 2017 September
---

NAME
====

resolvconf-admin - a setuid program for setting up DNS resolution

SYNOPSIS
========
 
resolvconf-admin add NETIF [-s SEARCH] [-d DOMAIN] NAMESERVER [...]

resolvconf-admin del NETIF

DESCRIPTION
===========

This setuid program allows specific non-privileged users to invoke
`@SBINRESOLVCONF@` (if it is present) with a constrained argument to add
or remove DNS resolvers; or, if `@SBINRESOLVCONF@` is not executable, it
can replace `@ETCRESOLVCONF@`.

This is useful, for example, for running a DHCP client as a
non-privileged user.

When the non-privileged user wants to set up the DNS resolvers due to
information it learned from interface NETIF, it should invoke:

    resolvconf-admin add NETIF [-s SEARCH] [-d DOMAIN] NAMESERVER [...]

Note that DNS search path and domain name are optional.  However, at
least one nameserver is required.

When the non-privileged user wants to tear down the DNS resolver
information that it had previously set for interface NETIF, it should
invoke:

    resolvconf-admin del NETIF

WARNING
=======

A better (non-suid) approach for setting up the DNS in a
non-privileged way is to make an authenticated IPC call to some
running daemon that already manages the local DNS resolution
configuration (e.g., `systemd-resolved(8)`).  However, some systems do
not run such a daemon, so we offer this setuid approach instead, for
those limited systems only.

This setuid program *should not* be installed on systems that already run
such a daemon, because every setuid program increases the attack surface of
the operating system.

*DO NOT INSTALL THIS TOOL IF YOU HAVE BETTER OPTIONS AVAILABLE TO YOU!*

INTERLEAVED OPERATION WITHOUT RESOLVCONF(8)
===========================================

On a system where `resolvconf(8)` is not installed, the behavior is
not very sophisticated.  On these systems:

 * The first time `resolvconf-admin add` is invoked, the old
   `@ETCRESOLVCONF@` is backed up to
   `@ETCRESOLVCONF@.bak.resolvconf-admin`.

 * The first time `resolvconf-admin del` is invoked, the backed-up
   file is restored.

If multiple daemons (or a single daemon monitoring multiple sources of
DNS resolver information) invoke `resolvconf-admin` in an interleaved
fashion (e.g. two `add`s before a `del`), this will almost certainly
not be the behavior that you want.  If your system is likely to have
this kind of interleaved operation, it should also have
`resolvconf(8)` installed.
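
A small shell model of the two rules above, added here as an illustration and not taken from resolvconf-admin's source. It assumes `add` overwrites the file outright and that a `del` with no backup present does nothing; the function names, the `RC` scratch path and the addresses are constructed for the example.

```shell
#!/bin/sh
# Model of the fallback behaviour when resolvconf(8) is absent.
# Built only from the two bullets in this section; NOT the tool's own code.
# RC stands in for the resolv.conf path and defaults to a scratch file.
RC="${RC:-$(mktemp -d)/resolv.conf}"
BAK="$RC.bak.resolvconf-admin"

# add NETIF NAMESERVER...: back up once, then replace the file (assumed).
model_add() {
    netif="$1"; shift
    [ -e "$BAK" ] || cp "$RC" "$BAK"   # only the first add makes a backup
    echo "# set for $netif" > "$RC"
    for ns in "$@"; do
        echo "nameserver $ns" >> "$RC"
    done
}

# del NETIF: restore the backup if there is one. NETIF is never consulted,
# which is exactly why interleaving goes wrong.
model_del() {
    if [ -e "$BAK" ]; then
        mv "$BAK" "$RC"
    fi
}

# Two adds before a del, using constructed documentation-range addresses.
model_interleaved() {
    echo "nameserver 192.0.2.1" > "$RC"   # pre-existing configuration
    rm -f "$BAK"
    model_add eth0 198.51.100.53          # backup of the original is taken
    model_add wlan0 203.0.113.53          # eth0's entry is overwritten
    model_del eth0                        # original restored, wlan0 still up
    cat "$RC"
}

model_interleaved
```

The final file holds only the original nameserver, even though wlan0 was never torn down; a later `del wlan0` finds no backup and changes nothing.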

SEE ALSO
========

resolvconf(8), resolv.conf(5), systemd-resolved(8)