[Dnsmasq-discuss] a little feedback on the new dnssec startup method in openwrt
Dave Taht
dave.taht at gmail.com
Thu Apr 2 19:41:04 BST 2015
A) Not clear what happens if it tries to write it while the jffs
filesystem is still being cleaned
B) the dnssec_timestamp file needs to go somewhere that can be
written by nobody.
B1) trying to create it in /etc/ fails, and dnsmasq fails to start up (see A)
Thu Apr 2 18:31:52 2015 daemon.info dnsmasq[3705]: started, version 2.73rc3 cachesize 150
Thu Apr 2 18:31:52 2015 daemon.info dnsmasq[3705]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
Thu Apr 2 18:31:52 2015 daemon.info dnsmasq[3705]: DNS service limited to local subnets
Thu Apr 2 18:31:52 2015 daemon.crit dnsmasq[3705]: cannot create timestamp file /etc/dnssec_timestamp: Permission denied
Thu Apr 2 18:31:52 2015 daemon.crit dnsmasq[3705]: FAILED to start up
Thu Apr 2 18:31:57 2015 daemon.info dnsmasq[3706]: started, version 2.73
B2) creating it as root, but not chowning it to nobody, fails.
In this second case, failure to update mtime is ok and dnsmasq startup
Thu Apr 2 18:32:07 2015 daemon.err dnsmasq[3751]: failed to update mtime on /etc/dnssec_timestamp: Permission denied
Thu Apr 2 18:32:07 2015 daemon.info dnsmasq[3751]: DNSSEC validation enabled
C) making it writable by nobody of course makes it vulnerable to other
users running as nobody
root@OpenWrt:/etc/config# ls -l /etc/dnssec_timestamp
-rw-r--r-- 1 nobody root 0 Apr 2 18:32 /etc/dnssec_timestamp
--
Dave Täht
Let's make wifi fast, less jittery and reliable again!
https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
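
The three situations in the message above (B1, B2, C), as an added example that is not part of the original post or of dnsmasq or OpenWrt code: a shell function that classifies a timestamp path for the user dnsmasq runs as. The function name and result strings are hypothetical; it assumes a stat that supports -c (GNU coreutils or BusyBox) and ignores group permissions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from dnsmasq or OpenWrt).
# Classifies a DNSSEC timestamp path against cases B1, B2 and C of the post.
# Assumption: stat supports -c (GNU coreutils or BusyBox).
# Simplification: group permissions and ACLs are not considered.

# usage: check_timestamp FILE RUN_USER [SHARED_USER]
#   FILE        timestamp path, e.g. /etc/dnssec_timestamp
#   RUN_USER    account dnsmasq drops privileges to
#   SHARED_USER account shared with other daemons (default: nobody)
check_timestamp() {
    file=$1
    run_user=$2
    shared=${3:-nobody}
    dir=$(dirname "$file")

    if [ ! -e "$file" ]; then
        # B1: the file has to be created, so the directory must be writable
        # by RUN_USER (owned by it, or world-writable).
        dir_owner=$(stat -c %U "$dir") || return 2
        dir_mode=$(stat -c %a "$dir") || return 2
        case "$dir_mode" in
            *[2367]) other_w=yes ;;   # last octal digit has the write bit
            *)       other_w=no ;;
        esac
        if [ "$dir_owner" != "$run_user" ] && [ "$other_w" = no ]; then
            echo "cannot-create"      # B1: "cannot create timestamp file"
        else
            echo "creatable"
        fi
        return 0
    fi

    owner=$(stat -c %U "$file") || return 2
    if [ "$owner" != "$run_user" ]; then
        echo "mtime-denied"           # B2: created by root, never chowned
    elif [ "$run_user" = "$shared" ]; then
        echo "shared-account"         # C: anything else running as that user can touch it
    else
        echo "ok"
    fi
}
```

Calling check_timestamp /etc/dnssec_timestamp nobody on the file shown in the ls -l output above would report shared-account.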