From: "Jason A. Donenfeld" <Jason@zx2c4.com>
Date: Sun, 29 Oct 2017 18:07:07 +0100
Subject: Re: Fixing wg-quick's DNS= directive with a hatchet
To: Geo Kozey
Cc: WireGuard mailing list
List-Id: Development discussion of WireGuard

On Oct 29, 2017 1:21 PM, "Geo Kozey" <geokozey@mailfence.com> wrote:
October 28, 2017 7:57:06 PM CEST "Jason A. Donenfeld" <Jason@zx2c4.com> wrote:

>On Oct 28, 2017 5:03 PM, "Daniel Kahn Gillmor" <dkg@fifthhorseman.net> wrote:
>
>My concern with the resolvconf model (whether implemented by openresolv
>or not) is that each daemon that needs to execute resolvconf needs to be
>root.
>
>1) wg-quick isn't a daemon, though openvpn is.
>
>2) I can think of at least 5 ways to implement a resolvconf binary without requiring root, making your argument moot. There's nothing inherent in the resolvconf model that would require it.
>
>If you're interested in spending the time implementing this for openresolv, I can spec those out in detail for you. Alternatively, you can just wait for the systemd devs to add a resolvconf for controlling systemd-resolved, if that's the horse you're betting on.

FYI you can already change DNS through resolvconf from non-root daemons with correct file permissions or ACLs but that's off-topic.

Yep! Pretty straight forward.


Yours sincerely

G. K.


