[Dnsmasq-discuss] a little feedback on the new dnssec startup method in openwrt
Simon Kelley
simon at thekelleys.org.uk
Thu Apr 2 23:04:52 BST 2015
On 02/04/15 22:21, Dave Taht wrote:
> On Thu, Apr 2, 2015 at 1:20 PM, Simon Kelley
> <simon at thekelleys.org.uk> wrote: On 02/04/15 19:41, Dave Taht
> wrote:
>>>> A) Not clear what happens if it tries to write it while the
>>>> jffs filesystem is still being cleaned
>
> Not sure I have anything sensible to add here.
>
>>>>
>>>> B) the dnssec_timestamp file needs to go somewhere that can
>>>> be written by nobody.
>
> This is documented in the manpage entry.
>
> nobody is the default, but most systems have a "dnsmasq" user
> and run with --user=dnsmasq
>
>> I would not mind if this much more priv separation existed in
>> openwrt also, yes.
>
>>>>
>>>> B1) trying to create it to /etc/ fails and fails to startup
>>>> dnsmasq (see A)
>>>>
>>>> Thu Apr 2 18:31:52 2015 daemon.info dnsmasq[3705]: started, version 2.73rc3 cachesize 150
>>>> Thu Apr 2 18:31:52 2015 daemon.info dnsmasq[3705]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
>>>> Thu Apr 2 18:31:52 2015 daemon.info dnsmasq[3705]: DNS service limited to local subnets
>>>> Thu Apr 2 18:31:52 2015 daemon.crit dnsmasq[3705]: cannot create timestamp file /etc/dnssec_timestamp: Permission denied
>>>> Thu Apr 2 18:31:52 2015 daemon.crit dnsmasq[3705]: FAILED to start up
>>>> Thu Apr 2 18:31:57 2015 daemon.info dnsmasq[3706]: started, version 2.73
>>>>
>>>> B2) creating it as root, but not chowning it to nobody,
>>>> fails.
>>>>
>>>> In this second case, failure to update mtime is ok and
>>>> dnsmasq startup
>>>>
>>>> Thu Apr 2 18:32:07 2015 daemon.err dnsmasq[3751]: failed to update mtime on /etc/dnssec_timestamp: Permission denied
>>>> Thu Apr 2 18:32:07 2015 daemon.info dnsmasq[3751]: DNSSEC validation enabled
>>>>
>>>> C) making it writable by nobody of course makes it
>>>> vulnerable to other users running as nobody
>
> Which is why a "dnsmasq" user is a good idea.
>
>> I buy that. John?
>
>>>>
>>>> root at OpenWrt:/etc/config# ls -l /etc/dnssec_timestamp
>>>> -rw-r--r-- 1 nobody root 0 Apr 2 18:32 /etc/dnssec_timestamp
>>>>
>
> By the time the mtime update happens, dnsmasq has dropped root, so
> having the timestamp file writable only by root won't work. The
> first iteration of this code had the timestamp created whilst
> dnsmasq still has root, and chowned to the dnsmasq no-priv user
> (eg nobody). I couldn't convince myself that that couldn't be
> leveraged somehow, so changed to this method. The idea is there
> should be some directory writable by nobody for this file to live
> in.
>
>> Well, if it is perpetually created in /tmp on boot, how does it
>> detect the time slew?
/tmp isn't suitable. It needs to be on a filesystem which is preserved
over reboots. A directory under /etc would be fine. The Debian dnsmasq
package already has this: the pid file is stored there, so that it can be
deleted by dnsmasq when it does a controlled shutdown. If you don't
want to do that, then ensuring that the dnssec_timestamp file
exists and is writable by the dnsmasq non-priv user will do. In that
case dnsmasq will never try to create it, so the permissions of the
directory don't matter.
Cheers,
Simon.
>
>> It seemed to me that writing it to flash closed a vulnerability
>> during a quick reboot cycle.
>
> Cheers,
>
> Simon.
>
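An added illustration of the layout Simon describes above, for an OpenWrt-style init script; this is example code, not from the thread, dnsmasq or OpenWrt. It assumes the caller passes the unprivileged user name and the file path (the path /etc/dnsmasq.d/dnssec_timestamp in the comment is a hypothetical choice of persistent location), and that find supports -user and -perm as in busybox and GNU find.

```shell
#!/bin/sh
# Added example, not code from the thread or from dnsmasq/OpenWrt.
# Run from the init script while it still has root: put the timestamp file on
# persistent storage and hand it to the unprivileged dnsmasq user, so dnsmasq
# never has to create it itself after dropping privileges.
# Hypothetical call: prepare_dnssec_timestamp /etc/dnsmasq.d/dnssec_timestamp dnsmasq

prepare_dnssec_timestamp() {
    file=$1 user=$2
    mkdir -p "$(dirname "$file")" || return 1
    # create only if missing: an existing file's mtime is the slew record
    [ -e "$file" ] || : > "$file" || return 1
    chown "$user" "$file" || return 1   # non-priv user can update the mtime...
    chmod 0644 "$file"                  # ...and nobody else can rewind it
}

# Pre-flight check for the failure modes discussed in the thread.
# Returns 0 if dnsmasq can use the file, 1 otherwise (reason on stderr).
check_dnssec_timestamp() {
    file=$1 user=$2
    case $file in
        /tmp/*)  # tmpfs: the mtime is lost on reboot, so no slew detection
            echo "$file: /tmp does not survive a reboot" >&2; return 1 ;;
    esac
    if [ ! -f "$file" ]; then
        # dnsmasq would try to create it after dropping root (case B1)
        echo "$file: missing; dnsmasq would have to create it unprivileged" >&2
        return 1
    fi
    if [ -z "$(find "$file" -user "$user")" ]; then
        # owned by root or someone else: the mtime update fails (case B2)
        echo "$file: not owned by $user; mtime update would fail" >&2
        return 1
    fi
    if [ -n "$(find "$file" -perm -002)" ]; then
        echo "$file: world-writable; any local process could rewind it" >&2
        return 1
    fi
    if [ "$user" = nobody ]; then
        # case C: 'nobody' is shared with other daemons; a dedicated user is safer
        echo "warning: $file is owned by the shared user nobody" >&2
    fi
    return 0
}
```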