[Dnsmasq-discuss] a little feedback on the new dnssec startup method in openwrt
Simon Kelley
simon at thekelleys.org.uk
Thu Apr 2 21:20:07 BST 2015
On 02/04/15 19:41, Dave Taht wrote:
> A) Not clear what happens if it tries to write it while the jffs
> filesystem is still being cleaned
Not sure I have anything sensible to add here.
>
> B) the dnssec_timestamp file needs to go somewhere that can be
> written by nobody.
This is documented in the manpage entry.
nobody is the default, but most systems have a "dnsmasq" user and
run with --user=dnsmasq
>
> B1) trying to create it to /etc/ fails and fails to startup
> dnsmasq (see A)
>
> Thu Apr 2 18:31:52 2015 daemon.info dnsmasq[3705]: started, version 2.73rc3 cachesize 150
> Thu Apr 2 18:31:52 2015 daemon.info dnsmasq[3705]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
> Thu Apr 2 18:31:52 2015 daemon.info dnsmasq[3705]: DNS service limited to local subnets
> Thu Apr 2 18:31:52 2015 daemon.crit dnsmasq[3705]: cannot create timestamp file /etc/dnssec_timestamp: Permission denied
> Thu Apr 2 18:31:52 2015 daemon.crit dnsmasq[3705]: FAILED to start up
> Thu Apr 2 18:31:57 2015 daemon.info dnsmasq[3706]: started, version 2.73
>
> B2) creating it as root, but not chowning it to nobody, fails.
>
> In this second case, failure to update mtime is ok and dnsmasq
> starts up
>
> Thu Apr 2 18:32:07 2015 daemon.err dnsmasq[3751]: failed to update mtime on /etc/dnssec_timestamp: Permission denied
> Thu Apr 2 18:32:07 2015 daemon.info dnsmasq[3751]: DNSSEC validation enabled
>
> C) making it writable by nobody of course makes it vulnerable to
> other users running as nobody
Which is why a "dnsmasq" user is a good idea.
>
> root@OpenWrt:/etc/config# ls -l /etc/dnssec_timestamp
> -rw-r--r-- 1 nobody root 0 Apr 2 18:32 /etc/dnssec_timestamp
>
>
>
By the time the mtime update happens, dnsmasq has dropped root, so
having the timestamp file writable only by root won't work. The first
iteration of this code had the timestamp created whilst dnsmasq still
has root, and chowned to the dnsmasq no-priv user (eg nobody). I
couldn't convince myself that that couldn't be leveraged somehow, so
changed to this method. The idea is there should be some directory
writable by nobody for this file to live in.
Cheers,
Simon.
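The following shell function is an added example, not part of the original message and not dnsmasq's own code. It audits the arrangement discussed in the thread: the timestamp file should sit in a directory owned by the unprivileged user dnsmasq runs as, and no other account should be able to write there. The function name `check_timestamp_path` and the path in the usage comment are hypothetical, and a `stat` that supports `-c` (GNU coreutils or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example: audit the location of the dnsmasq DNSSEC timestamp file.
# check_timestamp_path FILE UID
#   FILE  path of the timestamp file
#   UID   numeric uid dnsmasq runs as once it has dropped root
# Prints one line per finding and returns 0 only when there are none.
# Usage (hypothetical path):
#   check_timestamp_path /var/lib/dnsmasq/dnssec_timestamp "$(id -u dnsmasq)"
check_timestamp_path() {
    file=$1 uid=$2 findings=0
    dir=$(dirname -- "$file")

    flag() { echo "FINDING: $*"; findings=$((findings + 1)); }

    if [ ! -d "$dir" ]; then
        flag "$dir is not a directory"
        return 1
    fi

    # The directory must belong to the service user, so that dnsmasq can
    # create the file itself after root has been dropped (case B1 above).
    set -- $(stat -L -c '%u %a' -- "$dir")
    [ "$1" = "$uid" ] || flag "$dir owned by uid $1, expected $uid"
    # Group/other write on the directory lets another account replace the file.
    [ $(( 0$2 & 022 )) -eq 0 ] || flag "$dir mode $2 is group/other writable"

    if [ -L "$file" ]; then
        flag "$file is a symlink"
    elif [ -e "$file" ]; then
        set -- $(stat -c '%u %a' -- "$file")
        # A file owned by someone else is case B2: the mtime update fails.
        [ "$1" = "$uid" ] || flag "$file owned by uid $1, expected $uid"
        [ $(( 0$2 & 022 )) -eq 0 ] || flag "$file mode $2 is group/other writable"
    fi
    [ "$findings" -eq 0 ]
}
```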