What is the purpose of the dnsmasq and dnsproxy daemons having user-like passwords?

I am probably mistaken, but as I see in /etc/passwd

root:x:0:0:root:/root:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
ntp:x:123:123:ntp:/var/run/ntp:/bin/false
dnsmasq:x:453:453:dnsmasq:/var/run/dnsmasq:/bin/false
dnsproxy:x:411:411:dnsproxy:/var/run/dnsproxy:/bin/false
logd:x:514:514:logd:/var/run/logd:/bin/false
nfs:x:32768:32768:nfs:/var/run/nfs:/bin/false
rpc:x:65533:65533:rpc:/var/run/rpc:/bin/false
transmission:x:224:224:transmission:/var/run/transmission:/bin/false
ubus:x:81:81:ubus:/var/run/ubus:/bin/false

Users dnsmasq and dnsproxy have user-like passwords instead of no password, like ordinary daemon users such as ftp or network or ubus.

What is the purpose of this?

1 Like

Usually under traditional Linux it is for security reasons: if a hacker exploits a vulnerability, the attack is isolated to that user and has no rights for directories which are made by root.

For Linux it is common sense not to use root; however, since OpenWrt doesn't have a real 'user' system due to BusyBox, it is often normal to use root, also because a router isn't open as a server to WAN, unlike Linux.

I guess it is more a remnant from porting from normal Linux, not a big deal.

You could also use this methodology on Windows; Windows also protects processes by a SID, which acts as some sandbox between users.

2 Likes

The real passwords are at “/etc/shadow”, and it's empty there.

3 Likes

For reference, here’s the code that populates the x as the password value for user IDs included with packages. Are you asking why it isn’t an asterisk instead?

2 Likes

Yes, I was just wondering why there isn’t an asterisk, for I was thinking that users with * instead of a password are the most protected and secure way to ensure safety of a system. Many thanks to all for their answers!

Does it mean that, for example, the dnsmasq user has a blank insecure password?

No, it means that no password will work… but you can try it for yourself.

2 Likes
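To see what an `x` or `*` in the password field resolves to for each account, here is an added example that is not from any poster in this thread or from OpenWrt's own code. The function name `classify_accounts`, the `svc1` to `svc3` users and both sample files are constructed for illustration.

```shell
#!/bin/sh
# classify_accounts PASSWD_FILE SHADOW_FILE
# Prints "user source:state", where source is the file the field was read from.
classify_accounts() {
    awk -F: -v shadow="$2" '
        function state(f) {
            if (f == "")     return "empty"        # field is blank: no password set
            if (f ~ /^[*!]/) return "locked"       # not a crypt(3) result, nothing matches
            if (f ~ /^\$/)   return "hash"         # $id$salt$hash style entry
            return "unrecognized"                  # placeholder or legacy format, check by hand
        }
        BEGIN {
            # Load the password field of every shadow line, keyed by user name.
            while ((getline line < shadow) > 0) {
                n = split(line, a, ":")
                if (n >= 2) sh[a[1]] = a[2]
            }
        }
        {
            # "x" in passwd means the real field lives in the shadow file.
            if ($2 != "x")     print $1, "passwd:" state($2)
            else if ($1 in sh) print $1, "shadow:" state(sh[$1])
            else               print $1, "shadow:missing"
        }
    ' "$1"
}

demo() {
    d=$(mktemp -d) || return 1
    # Constructed sample files, not copied from a real system.
    printf '%s\n' 'root:x:0:0:root:/root:/bin/ash' \
        'ftp:*:55:55:ftp:/home/ftp:/bin/false' \
        'svc1:x:453:453:svc1:/var/run/svc1:/bin/false' \
        'svc2:x:411:411:svc2:/var/run/svc2:/bin/false' \
        'svc3:x:514:514:svc3:/var/run/svc3:/bin/false' > "$d/passwd"
    printf '%s\n' 'root:$1$constructed$hash:0:0:99999:7:::' \
        'svc1:*:0:0:99999:7:::' \
        'svc2::0:0:99999:7:::' > "$d/shadow"
    classify_accounts "$d/passwd" "$d/shadow"
    rm -rf "$d"
}
demo
```

On a device, run `classify_accounts /etc/passwd /etc/shadow` as root; any account reported as `empty` is the case worth reviewing.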