.\" Automatically generated by Pandoc 1.19.2.4
.\"
.TH "RESOLVCONF\-ADMIN" "1" "2017 September" "" ""
.hy
.SH NAME
.PP
resolvconf\-admin \- a setuid program for setting up DNS resolution
.SH SYNOPSIS
.PP
resolvconf\-admin add NETIF [\-s SEARCH] [\-d DOMAIN] NAMESERVER [...]
.PP
resolvconf\-admin del NETIF
.SH DESCRIPTION
.PP
This setuid program allows specific non\-privileged users to invoke
\f[C]/sbin/resolvconf\f[] (if it is present) with a constrained argument
to add or remove DNS resolvers; or, if \f[C]/sbin/resolvconf\f[] is not
executable, it can replace \f[C]/etc/resolv.conf\f[].
.PP
This is useful, for example, for running a DHCP client as a
non\-privileged user.
.PP
When the non\-privileged user wants to set up the DNS resolvers due to
information it learned from interface NETIF, it should invoke:
.IP
.nf
\f[C]
resolvconf\-admin\ add\ NETIF\ [\-s\ SEARCH]\ [\-d\ DOMAIN]\ NAMESERVER\ [...]
\f[]
.fi
.PP
Note that DNS search path and domain name are optional.
However, at least one nameserver is required.
.PP
When the non\-privileged user wants to tear down the DNS resolver
information that it had previously set for interface NETIF, it should
invoke:
.IP
.nf
\f[C]
resolvconf\-admin\ del\ NETIF
\f[]
.fi
.SH WARNING
.PP
A better (non\-suid) approach for setting up the DNS in a
non\-privileged way is to make an authenticated IPC call to some running
daemon that already manages the local DNS resolution configuration
(e.g., \f[C]systemd\-resolved(8)\f[]).
However, some systems do not run such a daemon, so we offer this setuid
approach instead, for those limited systems only.
.PP
This setuid program \f[I]should not\f[] be installed on systems that
already run such a daemon, because every setuid program increases the
attack surface of the operating system.
.PP
\f[I]DO NOT INSTALL THIS TOOL IF YOU HAVE BETTER OPTIONS AVAILABLE TO
YOU!\f[]
.SH INTERLEAVED OPERATION WITHOUT RESOLVCONF(8)
.PP
On a system where \f[C]resolvconf(8)\f[] is not installed, the behavior
is not very sophisticated.
On these systems:
.IP \[bu] 2
The first time \f[C]resolvconf\-admin\ add\f[] is invoked, the old
\f[C]/etc/resolv.conf\f[] is backed up to
\f[C]/etc/resolv.conf.bak.resolvconf\-admin\f[].
.IP \[bu] 2
The first time \f[C]resolvconf\-admin\ del\f[] is invoked, the backed up
file is restored.
.PP
If multiple daemons (or a single daemon monitoring multiple sources of
DNS resolver information) invoke \f[C]resolvconf\-admin\f[] in an
interleaved fashion (e.g. two \f[C]add\f[]s before a \f[C]del\f[]), this
will almost certainly not be the behavior that you want.
If your system is likely to have this kind of interleaved operation, it
should also have \f[C]resolvconf(8)\f[] installed.
.SH SEE ALSO
.PP
resolvconf(8), resolv.conf(5), systemd\-resolved(8)
.SH AUTHORS
Daniel Kahn Gillmor.
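.SH EXAMPLE
.PP
The following is an added model of the fallback described under
INTERLEAVED OPERATION WITHOUT RESOLVCONF(8), not code from
resolvconf\-admin itself.
It assumes that every add rewrites the file and that a del with no backup
present does nothing; the model_* function names, the scratch directory
and the documentation\-range addresses are constructed for illustration.
.PP
.nf
```sh
#!/bin/sh
# Added model of the fallback mode; this is not resolvconf-admin's code.
# Assumptions: every "add" rewrites resolv.conf, the backup is taken only
# when none exists yet, and "del" without a backup does nothing.
# All paths live in a scratch directory; the real /etc is never touched.

model_init() {    # $1 = scratch dir; writes a constructed original config
    CONF="$1/resolv.conf"
    BAK="$1/resolv.conf.bak.resolvconf-admin"
    rm -f "$BAK"
    echo "nameserver 192.0.2.1" > "$CONF"
}

model_add() {     # model_add NETIF NAMESERVER [...]
    shift                                   # NETIF is not tracked here
    [ -e "$BAK" ] || cp "$CONF" "$BAK"      # only the first add backs up
    : > "$CONF"
    for ns in "$@"; do
        echo "nameserver $ns" >> "$CONF"
    done
}

model_del() {     # model_del NETIF: restores the backup if one exists
    [ -e "$BAK" ] && mv "$BAK" "$CONF"
    return 0
}

model_servers() { # print the active nameservers on one line
    awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " }' "$CONF"
}

interleaved_demo() {
    dir=$(mktemp -d) || return 1
    model_init "$dir"
    model_add eth0 198.51.100.53
    model_add wlan0 203.0.113.53            # second add before any del
    after_adds=$(model_servers)
    model_del eth0                          # wlan0 is still up here
    after_first_del=$(model_servers)
    model_del wlan0                         # no backup left to restore
    after_second_del=$(model_servers)
    rm -rf "$dir"
    echo "$after_adds|$after_first_del|$after_second_del"
}

interleaved_demo
```
.fi
.PP
The three fields are the active nameservers after both adds, after the
first del and after the second del: the second add discards the first
interface's resolver, and the first del restores the original file while
the second interface is still in use.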