<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Chaps,<br>
    <br>
    If I may interject:<br>
    <br>
    <br>
    On 02/04/2015 22:21, Dave Taht wrote:<br>
    <span style="white-space: pre;">> On Thu, Apr 2, 2015 at 1:20 PM,
      Simon Kelley <a class="moz-txt-link-rfc2396E" href="mailto:simon@thekelleys.org.uk">&lt;simon@thekelleys.org.uk&gt;</a> wrote:</span><br>
    <blockquote type="cite">On 02/04/15 19:41, Dave Taht wrote:<br>
      >>> A) Not clear what happens if it tries to write it
      while the jffs<br>
      >>> filesystem is still being cleaned<br>
      <br>
      Not sure I have anything sensible to add here.<br>
      <br>
      >>><br>
      >>> B)  the dnssec_timestamp file needs to go somewhere
      that can be<br>
      >>> written by nobody.<br>
      <br>
      This is documented in the manpage entry.<br>
      <br>
      nobody is the default, but most systems have a "dnsmasq" user
      and<br>
      run with --user=dnsmasq<br>
    </blockquote>
    <br>
    I've been fiddling/meddling with Openwrt & dnsmasq RC's the past
    week or so.  I modded the openwrt package to create /etc/dnsmasq.d
    and the dnsmasq init script to chown nobody:nogroup /etc/dnsmasq.d
    (as I can't work out how to get the build scripts to change the
    owner at image build time)   That directory is used to store a
    dnsmasq timestamp file and is there specifically to survive
    reboots.....otherwise the timestamp mechanism is slightly pointless
    :-)    There is a security issue in the sense that 'nobody' can mess
    with the file if they so choose.  I considered a dnsmasq user, but I
    wonder on further knock ons with regard to 'luci' reading dhcp lease
    files and the like.<br>
    <br>
    There's some new secure computing options coming in (yet to be
    enabled by default AFAIK) that effectively partition the filesystems
    that each process can see to a per process view.  That may go some
    way to negating the need to create 'mr. dnsmasq' rather than keeping
    everything as 'nobody'.   I've yet to play with the seccomp option
    though I've done my best to update the init script to be seccomp,
    timestamp & customisable dhcp.leases aware  (sorry gone a bit
    openwrt there!)<br>
    <br>
    Ideally 'luci' needs to have all the dnssec options exposed
    including the new timestamp file as a customisable location.<br>
    <br>
    <blockquote type="cite">> Well, if it is perpetually created in
      /tmp on boot, how does it detect<br>
      > the time slew?<br>
      <br>
      > It seemed to me that writing it to flash closed a
      vulnerability during<br>
      > a quick reboot cycle.<br>
    </blockquote>
    <br>
    I've even considered stopping the 'sysfixtime' service as this has
    the potential to confuse dnsmasq in the event it doesn't have the
    timestamp file to reference.<br>
    <br>
    Here's a plea/offer to the Openwrt aware people (John?):  I'm very
    new to Openwrt and the past week has been quite a learning curve on
    the build & packaging process.  I think I've probably logged an
    erroneous ticket due to my lack of experience.  What I would say is
    that there is a willing idiot here who would be glad to offer the
    tweaks & bits & pieces I've done so far.... I do need a bit
    of help, asking the odd idiot question or two to get me to a state
    where I can hopefully be more help than a hindrance.<br>
    <br>
    Maybe these will help:  <br>
    <br>
    <br>
    <br>
    <tt>diff --git a/package/network/services/dnsmasq/files/dnsmasq.init
      b/package/network/services/dnsmasq/files/dnsmasq.init<br>
      index 9795d1a..46bc698 100644<br>
      --- a/package/network/services/dnsmasq/files/dnsmasq.init<br>
      +++ b/package/network/services/dnsmasq/files/dnsmasq.init<br>
      @@ -15,6 +15,7 @@ ADD_LOCAL_HOSTNAME=1<br>
       CONFIGFILE="/var/etc/dnsmasq.conf"<br>
       HOSTFILE="/tmp/hosts/dhcp"<br>
       TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"<br>
      +TIMESTAMPFILE="/etc/dnsmasq.d/dnsmasq.timestamp"<br>
       <br>
       xappend() {<br>
              local value="$1"<br>
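      <br>
      Review bot: TIMESTAMPFILE is one hard-coded global, yet the dnssec block that consumes it runs once per dnsmasq section via config_foreach, so every DNSSEC-enabled instance would be handed the same timestamp file and none can relocate or disable it. Consider reading the path with config_get inside dnsmasq() and using this value only as the default, and add a comment that it sits under /etc (unlike HOSTFILE in /tmp) because it has to survive reboots.<br>
      <br>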
      @@ -202,6 +203,7 @@ dnsmasq() {<br>
       <br>
              config_get_bool dnssec "$cfg" dnssec 0<br>
              [ "$dnssec" -gt 0 ] && {<br>
      +               xappend "--dnssec-timestamp=$TIMESTAMPFILE"<br>
                      xappend "--conf-file=$TRUSTANCHORSFILE"<br>
                      xappend "--dnssec"<br>
                      append_bool "$cfg" dnsseccheckunsigned
      "--dnssec-check-unsigned"<br>
      @@ -554,10 +556,12 @@ start_service() {<br>
       <br>
              procd_add_jail dnsmasq ubus log<br>
              procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE
      $HOSTFILE /etc/passwd /dev/urandom /etc/dnsmasq.conf
      /tmp/dnsmasq.d /tmp/resolv.conf.auto /etc/hosts<br>
      -       procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases<br>
      +       procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
      $TIMESTAMPFILE<br>
              <br>
              procd_close_instance<br>
       <br>
      +       chown nobody:nogroup /etc/dnsmasq.d<br>
      +<br>
              # before we can call xappend<br>
              mkdir -p /var/run/dnsmasq/<br>
              mkdir -p $(dirname $CONFIGFILE)<br>
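      <br>
      Review bot: the added chown nobody:nogroup /etc/dnsmasq.d runs on every start whether or not dnssec is enabled, and the Makefile hunk only installs that directory when CONFIG_PACKAGE_dnsmasq_full_dnssec is set, so on other variants it will fail against a missing path unless something else created it. Guard it with a directory test or create the directory here, derive it as $(dirname "$TIMESTAMPFILE") instead of repeating the literal, and take the owner from the user dnsmasq actually runs as rather than fixing it to nobody. Separately, $leasefile on the procd_add_jail_mount_rw line is expanded before config_foreach dnsmasq dnsmasq has run; if that is where it gets set, it is empty here and /tmp/dhcp.leases loses its read-write mount. Both variables should also be quoted.<br>
      <br>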
      @@ -575,6 +579,9 @@ start_service() {<br>
       <br>
              args=""<br>
              config_foreach dnsmasq dnsmasq<br>
      +<br>
      +       procd_add_jail_mount_rw $leasefile<br>
      +<br>
              config_foreach dhcp_host_add host<br>
              echo >> $CONFIGFILE<br>
              config_foreach dhcp_boot_add boot<br>
      <br>
      <br>
      <br>
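      Review bot: procd_add_jail_mount_rw $leasefile is placed after config_foreach dnsmasq dnsmasq, but the previous hunk shows procd_close_instance earlier in the same function, so this call lands outside the instance it is meant to configure. Either move the jail setup and procd_close_instance below config_foreach, or resolve leasefile before the jail mounts are declared; the duplicate $leasefile mount in the previous hunk can then go. The variable should be quoted as well.<br>
      <br>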
      diff --git a/package/network/services/dnsmasq/Makefile
      b/package/network/services/dnsmasq/Makefile<br>
      index dcbb63a..597186a 100644<br>
      --- a/package/network/services/dnsmasq/Makefile<br>
      +++ b/package/network/services/dnsmasq/Makefile<br>
      @@ -8,17 +8,19 @@<br>
       include $(TOPDIR)/rules.mk<br>
       <br>
       PKG_NAME:=dnsmasq<br>
      -PKG_VERSION:=2.72<br>
      -PKG_RELEASE:=4<br>
      +PKG_VERSION:=2.73rc3<br>
      +PKG_RELEASE:=1<br>
       <br>
      -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz<br>
      -PKG_SOURCE_URL:=<a class="moz-txt-link-freetext" href="http://thekelleys.org.uk/dnsmasq">http://thekelleys.org.uk/dnsmasq</a><br>
      -PKG_MD5SUM:=cf82f81cf09ad3d47612985012240483<br>
      +PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2<br>
      +PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)<br>
      +PKG_SOURCE_URL:=git://thekelleys.org.uk/dnsmasq.git<br>
      +PKG_SOURCE_PROTO:=git<br>
      +PKG_SOURCE_VERSION:=30d0879ed55cb67b1b735beab3d93f3bb3ef1dd2<br>
       <br>
       PKG_LICENSE:=GPL-2.0<br>
       PKG_LICENSE_FILES:=COPYING<br>
       <br>
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)<br>
+#PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)<br>
       <br>
       PKG_INSTALL:=1<br>
       PKG_BUILD_PARALLEL:=1<br>
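      <br>
      Review bot: PKG_MD5SUM is removed and nothing replaces it, while PKG_SOURCE_URL moves to the unauthenticated git:// transport, so integrity of the source now rests only on the pinned PKG_SOURCE_VERSION commit id. Add a checksum for the generated tarball or fetch over an authenticated transport. PKG_BUILD_DIR is commented out rather than deleted or explained; the removed value included $(BUILD_VARIANT), so either state in a comment why the per-variant directory is no longer wanted or drop the line.<br>
      <br>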
      @@ -143,6 +145,7 @@ Package/dnsmasq-dhcpv6/install =
      $(Package/dnsmasq/install)<br>
       define Package/dnsmasq-full/install<br>
       $(call Package/dnsmasq/install,$(1))<br>
       ifneq ($(CONFIG_PACKAGE_dnsmasq_full_dnssec),)<br>
      +       $(INSTALL_DIR) $(1)/etc/dnsmasq.d<br>
              $(INSTALL_DIR) $(1)/usr/share/dnsmasq<br>
              $(INSTALL_DATA) $(PKG_BUILD_DIR)/trust-anchors.conf
      $(1)/usr/share/dnsmasq<br>
       endif<br>
      <br>
      <br>
      <br>
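      Review bot: $(INSTALL_DIR) $(1)/etc/dnsmasq.d creates the directory with default ownership, which is why the init script has to chown it on every start; the result is a directory under /etc that the daemon user can write. Its name also mirrors /tmp/dnsmasq.d, which the init script mounts read-only alongside the configuration files, so a distinct name for this state directory would keep it from ever being treated as a configuration directory. A comment stating that it holds only the DNSSEC timestamp would help.<br>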
    </tt>
  </body>
</html>