[Dnsmasq-discuss] a little feedback on the new dnssec startup method in openwrt

Dave Taht dave.taht at gmail.com
Thu Apr 2 22:21:31 BST 2015


On Thu, Apr 2, 2015 at 1:20 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
>
> On 02/04/15 19:41, Dave Taht wrote:
>> A) Not clear what happens if it tries to write it while the jffs
>> filesystem is still being cleaned
>
> Not sure I have anything sensible to add here.
>
>>
>> B)  the dnssec_timestamp file needs to go somewhere that can be
>> written by nobody.
>
> This is documented in the manpage entry.
>
> nobody is the default, but most systems have a "dnsmasq" user and
> run with --user=dnsmasq

I would not mind if this much more priv separation existed in openwrt also,
yes.

>>
>> B1) trying to create it to /etc/ fails and fails to startup
>> dnsmasq (see A)
>>
>> Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: started, version 2.73rc3 cachesize 150
>> Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
>> Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: DNS service limited to local subnets
>> Thu Apr  2 18:31:52 2015 daemon.crit dnsmasq[3705]: cannot create timestamp file /etc/dnssec_timestamp: Permission denied
>> Thu Apr  2 18:31:52 2015 daemon.crit dnsmasq[3705]: FAILED to start up
>> Thu Apr  2 18:31:57 2015 daemon.info dnsmasq[3706]: started, version 2.73
>>
>> B2) creating it as root, but not chowning it to nobody, fails.
>>
>> In this second case, failure to update mtime is ok and dnsmasq
>> startup
>>
>> Thu Apr  2 18:32:07 2015 daemon.err dnsmasq[3751]: failed to update mtime on /etc/dnssec_timestamp: Permission denied
>> Thu Apr  2 18:32:07 2015 daemon.info dnsmasq[3751]: DNSSEC validation enabled
>>
>> C) making it writable by nobody of course makes it vulnerable to
>> other users running as nobody
>
> Which is why a "dnsmasq" user is a good idea.

I buy that. John?

>>
>> root@OpenWrt:/etc/config# ls -l /etc/dnssec_timestamp
>> -rw-r--r-- 1 nobody   root             0 Apr  2 18:32 /etc/dnssec_timestamp
>>
>>
>>
>
> By the time the mtime update happens, dnsmasq has dropped root, so
> having the timestamp file writable only by root won't work. The first
> iteration of this code had the timestamp created whilst dnsmasq still
> has root, and chowned to the dnsmasq no-priv user (eg nobody). I
> couldn't convince myself that that couldn't be leveraged somehow, so
> changed to this method. The idea is there should be some directory
> writable by nobody for this file to live in.

Well, if it is perpetually created in /tmp on boot, how does it detect
the time slew?

It seemed to me that writing it to flash closed a vulnerability during
a quick reboot cycle.

>
>
>
> Cheers,
>
> Simon.
>



-- 
Dave Täht
Let's make wifi fast, less jittery and reliable again!

https://plus.google.com/u/0/107942175615993706558/posts/TVX3o84jjmb
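
Added example, not part of the original message and not dnsmasq or OpenWrt code: a pre-start check that predicts which of the outcomes reported in the thread (B1, B2) a given timestamp path produces for the uid dnsmasq drops to. The function names `can_write` and `classify_timestamp` are hypothetical, and only the owner and "other" permission bits are considered (group membership and ACLs are ignored).

```shell
#!/bin/sh
# Audit a dnssec timestamp path against the uid dnsmasq runs as after
# dropping root. Assumption: owner and "other" mode bits decide access.

# can_write UID PATH: succeed if UID may write PATH by owner or other bits.
can_write() {
    info=$(ls -ldn "$2" 2>/dev/null | awk '{print $3, $1}')
    [ -n "$info" ] || return 1
    owner=${info%% *}; perm=${info#* }
    if [ "$owner" = "$1" ]; then
        case $perm in ??w*) return 0 ;; esac          # owner write bit
    else
        case $perm in ????????w*) return 0 ;; esac    # other write bit
    fi
    return 1
}

# classify_timestamp PATH UID: print one verdict word.
classify_timestamp() {
    path=$1 uid=$2
    if [ -e "$path" ]; then
        owner=$(ls -ldn "$path" | awk '{print $3}')
        if [ "$owner" = "$uid" ]; then
            echo ok                      # owner may always update mtime
        elif can_write "$uid" "$path"; then
            echo world-writable          # works, but any local user can alter it
        else
            echo mtime-update-fails      # case B2: created by root, not chowned
        fi
    elif can_write "$uid" "$(dirname "$path")"; then
        echo will-create                 # directory writable by the run-as uid
    else
        echo startup-fails               # case B1: cannot create the file
    fi
}

# Usage: script PATH UID, e.g. with the numeric uid of the dnsmasq user.
if [ $# -eq 2 ]; then
    classify_timestamp "$1" "$2"
fi
```

A verdict of `ok` for a shared account such as nobody still leaves the exposure described in point C, which is the argument for a dedicated dnsmasq user.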
