From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: dkg@fifthhorseman.net
Received: from krantz.zx2c4.com (localhost [127.0.0.1])
	by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id c373d4c2
	for ; Mon, 30 Oct 2017 12:14:18 +0000 (UTC)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118])
	by krantz.zx2c4.com (ZX2C4 Mail Server) with ESMTP id 896baced
	for ; Mon, 30 Oct 2017 12:14:18 +0000 (UTC)
From: Daniel Kahn Gillmor
To: "Jason A. Donenfeld"
Subject: Re: Fixing wg-quick's DNS= directive with a hatchet
References: <3a761178-19bc-1d01-b6a8-9fb801312d47@solidadmin.com>
	<44ac12fe-685b-730e-8afd-e4081daf038d@solidadmin.com>
	<92b6b9c5-b07c-52fa-a72a-0fc2dcc253bc@solidadmin.com>
	<87she4fdol.fsf@fifthhorseman.net>
	<87ineze3x2.fsf@fifthhorseman.net>
Date: Mon, 30 Oct 2017 13:10:57 +0100
Message-ID: <87lgjsdeem.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
Cc: WireGuard mailing list
List-Id: Development discussion of WireGuard

--=-=-=
Content-Type: text/plain

On Sat 2017-10-28 20:57:06 +0200, Jason A. Donenfeld wrote:
> 1) wg-quick isn't a daemon, though openvpn is.

wg-quick could be invoked from a network management daemon.  Part of the
brilliance of wireguard is that the in-kernel stuff *doesn't* try to
integrate fancy configuration/setup policy.  But that does mean that
it's likely that there needs to be some user-space policy agent for
system integration.

> 2) I can think of at least 5 ways to implement a resolvconf binary without
> requiring root, making your argument moot. There's nothing inherent in the
> resolvconf model that would require it.
>
> If you're interested in spending the time implementing this for openresolv,
> I can spec those out in detail for you.

Please report these suggestions to openresolv or any other resolvconf
implementations.
My point is about what exists today, not about what is theoretically
possible.  This argument will be moot when any widely-used resolvconf
implementation doesn't have to be executed as the superuser by default.
Please, make it moot! :)

> Alternatively, you can just wait for the systemd devs to add a
> resolvconf for controlling systemd-resolved, if that's the horse
> you're betting on.

That'd be fine with me, thanks for pushing on it.

        --dkg

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

--=-=-=--