[Dnsmasq-discuss] a little feedback on the new dnssec startup method in openwrt

Dave Taht dave.taht at gmail.com
Thu Apr 2 19:41:04 BST 2015


A) Not clear what happens if it tries to write it while the jffs
filesystem is still being cleaned

B)  the dnssec_timestamp file needs to go somewhere that can be
written by nobody.

B1) trying to create it in /etc/ fails and fails to start up dnsmasq (see A)

Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: started, version 2.73rc3 cachesize 150
Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: DNS service limited to local subnets
Thu Apr  2 18:31:52 2015 daemon.crit dnsmasq[3705]: cannot create timestamp file /etc/dnssec_timestamp: Permission denied
Thu Apr  2 18:31:52 2015 daemon.crit dnsmasq[3705]: FAILED to start up
Thu Apr  2 18:31:57 2015 daemon.info dnsmasq[3706]: started, version 2.73

B2) creating it as root, but not chowning it to nobody, fails.

In this second case, failure to update mtime is ok and dnsmasq startup

Thu Apr  2 18:32:07 2015 daemon.err dnsmasq[3751]: failed to update mtime on /etc/dnssec_timestamp: Permission denied
Thu Apr  2 18:32:07 2015 daemon.info dnsmasq[3751]: DNSSEC validation enabled

C) making it writable by nobody of course makes it vulnerable to other
users running as nobody

root@OpenWrt:/etc/config# ls -l /etc/dnssec_timestamp
-rw-r--r--    1 nobody   root             0 Apr  2 18:32 /etc/dnssec_timestamp



-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
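
An added example, not part of the original message and not dnsmasq or OpenWrt code: a POSIX shell check for the timestamp-file states described in B1, B2 and C. The function name, the finding labels and the default shared uid 65534 for nobody are assumptions, and it needs a stat that supports -c.

```shell
#!/bin/sh
# Added example (not dnsmasq or OpenWrt code).
# audit_ts_file PATH DAEMON_UID [SHARED_UID]
#   Prints one finding per line, or "OK"; returns 1 if anything was found.
#   SHARED_UID defaults to 65534, assumed here to be "nobody".
audit_ts_file() {
    path=$1 want_uid=$2 shared_uid=${3:-65534} rc=0

    # A symlink here lets whoever controls the link choose the real target.
    if [ -L "$path" ]; then
        echo "SYMLINK: $path is a symbolic link"
        return 1
    fi
    # Case B1: the file has to be created at startup, which fails fatally
    # when the daemon user cannot write to the directory.
    if [ ! -e "$path" ]; then
        echo "MISSING: $path does not exist"
        return 1
    fi

    uid=$(stat -c %u "$path")
    mode=$(stat -c %a "$path")

    # Case B2: owned by someone else, so the mtime update is denied.
    if [ "$uid" != "$want_uid" ]; then
        echo "WRONG_OWNER: uid $uid, expected $want_uid"
        rc=1
    fi
    # Case C: any other process under the same shared uid can touch the file.
    if [ "$uid" = "$shared_uid" ]; then
        echo "SHARED_UID: owned by shared uid $shared_uid"
        rc=1
    fi
    # Group- or world-writable: write bit in either of the last two octal digits.
    case $mode in
        *[2367]?|*[2367])
            echo "LOOSE_MODE: mode $mode is writable beyond the owner"
            rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Run as: sh audit.sh /etc/dnssec_timestamp 65534
if [ "$#" -ge 2 ]; then audit_ts_file "$@"; fi
```

A SHARED_UID finding on a file that is otherwise correctly owned is the situation in C: the fix is a dedicated account for the daemon, not a tighter mode.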
