7

Is there a way to specify a per-user resolv.conf?

What I found are vague references to the possibility of having a per-user hosts file, but I'm not interested in that; I'm actually interested in a full resolv.conf, because I want to set different nameservers.

If you're asking why: the point is testing cjdns nameserver(s) in a multi-user environment in which I don't want to affect other users of the system.

Would it be possible to perhaps abuse the nsswitch system?

miniBill
  • Identify what you are trying to do in more detail. – mdpc May 22 '13 at 20:16
  • I'm trying to have some users use different dns servers than the ones specified in resolv.conf. I'm root, if that matters – miniBill May 22 '13 at 20:16
  • Specifically why? What specific problem are you attempting to solve? – mdpc May 22 '13 at 20:17
  • It's written in the question... to test nameservers for cjdns without affecting the other users – miniBill May 22 '13 at 20:17
  • Then why not use a VM to house the test? – mdpc May 22 '13 at 20:18
  • Because 1) the machine has no hardware virtualization support 2) I don't really want to maintain yet another machine – miniBill May 22 '13 at 20:19
  • 2
    I imagine this may be theoretically possible using some dark LD_PRELOAD magic to replace the *getaddr*() system calls. But I am not aware of any tool/program that already permits this. You would probably have to hack this together yourself. – Zoredache May 22 '13 at 22:35
  • This was closed as off topic, but why that? Would have been better posting to superuser or what? – miniBill May 23 '13 at 09:41
  • This does not help the OP, but I got here after a Google search. For me, I just wanted to be lazy and ssh without using the FQDN every time. I created a script and made an ssh alias to it (pretend | is a line break): #!/bin/bash | /usr/bin/ssh $1 2> /dev/null | if [ $? != 0 ]; then | /usr/bin/ssh $1.example.com | fi – theglossy1 Oct 13 '17 at 17:11
  • @theglossy1, if that's what you want to do, you don't need a shell script -- just create an entry in `~/.ssh/config`. BTW, better to write `if ! foo; then` rather than `foo; if [ $? != 0 ]; then`. And quote your expansions as http://shellcheck.net/ directs if you paste the script in. – Charles Duffy Jan 26 '18 at 13:27

4 Answers

11

Local filesystem namespaces are your friend, though they do require root permissions to set up.

```bash
sudo unshare --mount bash -s <<'EOF'
  mount --bind /path/to/your/resolv.conf /etc/resolv.conf
  sudo -u username-to-run-as command-to-run-with-alternate-resolv-conf
EOF
```

If you want a script which will run an arbitrary command with your updated resolv.conf, consider:

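```bash
#!/bin/bash
## usage: with-custom-resolver /path/to/resolv.conf cmd arg1 arg2 ...
## ...note that this requires root.

script=""
# Append one command to $script, shell-quoting each argument with printf %q
add_cmd() {
  local cmd_str
  printf -v cmd_str '%q ' "$@"
  script+="$cmd_str"$'\n'
}

resolv_conf=$1; shift

[[ $EUID = 0 ]] || { echo "Must be run as root" >&2; exit 1; }
[[ -e $resolv_conf ]] || { echo "No file found at: $resolv_conf" >&2; exit 1; }

# The bind mount is only visible inside the new mount namespace
add_cmd mount --bind "$resolv_conf" /etc/resolv.conf
add_cmd exec "$@"
# printf %q emits bash quoting (e.g. $'...'), so the script must be run by bash, not sh
unshare --mount bash -e -c "$script"
```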

Thus, this could be used as:

```bash
with-custom-resolver your-resolv.conf sudo -u someuser some-command arg1
```

Charles Duffy
  • This is a nice idea. Wouldn't work in my case because I don't give root access to my users, but it's a nice idea, as it applies to any file – miniBill Mar 09 '16 at 23:19
  • You can have a setuid program that applies this, and then drops permissions back down to the account of the user in question, assuming a fair bit of auditing and defensive programming. :) – Charles Duffy Mar 09 '16 at 23:24
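The setuid approach mentioned in the comment above, as an added example (not code from the answer or its author): a helper that bind-mounts a root-managed, per-user file over `/etc/resolv.conf` in a private mount namespace, drops privileges, then runs the command. The directory `/etc/resolv.d`, the helper name `with-user-resolver` and the function names are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>

#define CONF_DIR "/etc/resolv.d"  /* assumed: root-owned directory, one file per user */

/* Build CONF_DIR/<user>; accept only [a-z0-9_-] so the name cannot escape CONF_DIR. */
int conf_path_for(const char *user, char *out, size_t n) {
    if (!user || !*user ||
        strspn(user, "abcdefghijklmnopqrstuvwxyz0123456789_-") != strlen(user))
        return -1;
    int len = snprintf(out, n, "%s/%s", CONF_DIR, user);
    return (len > 0 && (size_t)len < n) ? 0 : -1;
}

/* Only bind a regular, root-owned file that group/other cannot write. */
int conf_is_trusted(const struct stat *st) {
    return S_ISREG(st->st_mode) && st->st_uid == 0 && !(st->st_mode & (S_IWGRP | S_IWOTH));
}

static int fail(const char *what) { perror(what); return 1; }

int main(int argc, char **argv) {
    char path[256];
    struct stat st;
    struct passwd *pw = getpwuid(getuid());        /* real uid: the calling user */
    if (argc < 2 || !pw || conf_path_for(pw->pw_name, path, sizeof path) != 0) {
        fprintf(stderr, "usage: with-user-resolver cmd [args...]\n");
        return 2;
    }
    if (lstat(path, &st) != 0) return fail(path);  /* lstat: a symlink is rejected below */
    if (!conf_is_trusted(&st)) { fprintf(stderr, "%s: untrusted file\n", path); return 1; }
    if (unshare(CLONE_NEWNS) != 0) return fail("unshare");
    /* Keep the bind mount from propagating back into the other users' namespace. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return fail("make-private");
    /* Source and target are fixed by the helper, never taken from the caller. */
    if (mount(path, "/etc/resolv.conf", NULL, MS_BIND, NULL) != 0) return fail("bind");
    /* Drop privileges for good (gid first), then confirm root cannot be regained. */
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return fail("drop privileges");
    if (getuid() != 0 && setuid(0) == 0) return 1;
    execvp(argv[1], argv + 1);
    return fail("execvp");
}
```

Because the caller controls neither the source nor the target of the bind mount, the helper cannot be used to shadow files such as `/etc/passwd` for other setuid programs run inside the namespace.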
3

Simple answer -- NO....

However, if you were to set up a different virtual machine for each user, you might have a chance at doing what you want.

Seems a little pointless however.

mdpc
1

To test a DNS server, you do not need to change the resolver configuration. You just need to change the DNS server in the host, nslookup or dig command.

```bash
host www.google.com 8.8.8.8
```

You can also use a chroot environment or Linux Containers (LXC) to have a different resolv.conf file.

Mircea Vutcovici
  • This wouldn't work in my case, because I'm not testing a DNS server, but using other software (think links, irssi). With regards to chroots or linux containers, I've got a lot of users and a tiny machine, so I don't think it's feasible. Plus I run a grsec kernel and if I recall correctly lxc was incompatible with it – miniBill Aug 23 '13 at 12:26
  • But maybe I could work on the chroot idea... – miniBill Aug 23 '13 at 13:08
1

I might be able to solve this by adding a service to NSS.

miniBill