I would like for dnscrypt-proxy to run as a dynamic user instead of as root. But I would also like to use a firewall rule in nftables where I specify the user dnscrypt-proxy, to allow it to connect to the upstream dns provider.
Now the problem is that nftables wants to run before the network is up, which is good and needed, but it complains that the dnscrypt-proxy user doesn't exist.
The dnscrypt-proxy service only runs after the network is up, and thus the user only gets created after the network is up. What would be the standard/best way to deal with it?
Should I try to specify a fixed user for the dnscrypt-proxy service instead of a dynamic one and set the other security options mentioned here manually?
Should I detect the service by some other means than its user name in nftables?
Could I just manually create the dnscrypt-proxy user on my system, and will systemd just use it without deleting it because it already existed?
Should I create a service that runs before nftables on every boot and creates that user, which would then be deleted by systemd when the dnscrypt service stops?
What would happen if the firewall is already running and the dnscrypt service is stopped? Would the firewall crash or get into some kind of trouble because a user ID mentioned in its ruleset no longer exists?