[Dnsmasq-discuss] a little feedback on the new dnssec startup method in openwrt

Simon Kelley simon at thekelleys.org.uk
Thu Apr 2 23:04:52 BST 2015



On 02/04/15 22:21, Dave Taht wrote:
> On Thu, Apr 2, 2015 at 1:20 PM, Simon Kelley 
> <simon at thekelleys.org.uk> wrote: On 02/04/15 19:41, Dave Taht 
> wrote:
>>>> A) Not clear what happens if it tries to write it while the 
>>>> jffs filesystem is still being cleaned
> 
> Not sure I have anything sensible to add here.
> 
>>>> 
>>>> B)  the dnssec_timestamp file needs to go somewhere that can 
>>>> be written by nobody.
> 
> This is documented in the manpage entry.
> 
> nobody is the default, but most systems have a "dnsmasq" user
> and run with --user=dnsmasq
> 
>> I would not mind if this much more priv separation existed in 
>> openwrt also, yes.
> 
>>>> 
>>>> B1) trying to create it to /etc/ fails and fails to startup 
>>>> dnsmasq (see A)
>>>> 
>>>> Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: started, version 2.73rc3 cachesize 150
>>>> Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth DNSSEC loop-detect inotify
>>>> Thu Apr  2 18:31:52 2015 daemon.info dnsmasq[3705]: DNS service limited to local subnets
>>>> Thu Apr  2 18:31:52 2015 daemon.crit dnsmasq[3705]: cannot create timestamp file /etc/dnssec_timestamp: Permission denied
>>>> Thu Apr  2 18:31:52 2015 daemon.crit dnsmasq[3705]: FAILED to start up
>>>> Thu Apr  2 18:31:57 2015 daemon.info dnsmasq[3706]: started, version 2.73
>>>> 
>>>> B2) creating it as root, but not chowning it to nobody, 
>>>> fails.
>>>> 
>>>> In this second case, failure to update mtime is ok and 
>>>> dnsmasq startup
>>>> 
>>>> Thu Apr  2 18:32:07 2015 daemon.err dnsmasq[3751]: failed to update mtime on /etc/dnssec_timestamp: Permission denied
>>>> Thu Apr  2 18:32:07 2015 daemon.info dnsmasq[3751]: DNSSEC validation enabled
>>>> 
>>>> C) making it writable by nobody of course makes it
>>>> vulnerable to other users running as nobody
> 
> Which is why a "dnsmasq" user is a good idea.
> 
>> I buy that. John?
> 
>>>> 
>>>> root at OpenWrt:/etc/config# ls -l /etc/dnssec_timestamp 
>>>> -rw-r--r-- 1 nobody   root             0 Apr  2 18:32 
>>>> /etc/dnssec_timestamp
>>>> 
> 
> By the time the mtime update happens, dnsmasq has dropped root, so
>  having the timestamp file writable only by root won't work. The 
> first iteration of this code had the timestamp created whilst 
> dnsmasq still has root, and chowned to the dnsmasq no-priv user
> (eg nobody). I couldn't convince myself that that couldn't be
> leveraged somehow, so changed to this method. The idea is there
> should be some directory writable by nobody for this file to live
> in.
> 
>> Well, if it is perpetually created in /tmp on boot, how does it 
>> detect the time slew?

/tmp isn't suitable. It needs to be on a filesystem which is preserved
over reboots. A directory under /etc would be fine. The Debian dnsmasq
package already has this: the pid file is stored there, so that it can be
deleted by dnsmasq when it does a controlled shutdown. If you don't
want to do that, then ensuring that the dnssec_timestamp file
exists and is writable by the dnsmasq non-priv user will do. In that
case dnsmasq will never try to create it, so the permissions of the
directory don't matter.


Cheers,

Simon.

> 
>> It seemed to me that writing it to flash closed a vulnerability 
>> during a quick reboot cycle.
> 
> Cheers,
> 
> Simon.
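The setup the reply recommends (a pre-created dnssec_timestamp file, owned by and writable only by the dnsmasq non-priv user, on storage that survives a reboot) can be checked with the shell function below. This is an added example, not code from the thread or from dnsmasq itself; it relies on GNU/busybox `stat -c`, and the /etc/dnssec_timestamp path and the `nobody` user in the usage comment are assumptions taken from the logs above.

```shell
#!/bin/sh
# Added example, not from the thread or from dnsmasq: verify a pre-created
# dnssec_timestamp file so dnsmasq never has to create it after dropping root.
# Uses GNU/busybox `stat -c`. Path and user name are assumptions.
# Usage: check_timestamp_file /etc/dnssec_timestamp nobody

# fs_is_volatile FILE: 0 if FILE sits on tmpfs/ramfs (lost at reboot, so the
# timestamp cannot detect clock slew across a reboot), 1 otherwise.
fs_is_volatile() {
    case $(stat -f -c %T "$1" 2>/dev/null) in
        tmpfs|ramfs) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_timestamp_file FILE USER: USER is a user name or a numeric uid.
# Returns 0 when dnsmasq running as USER could update the mtime safely.
check_timestamp_file() {
    file=$1 user=$2
    case $user in
        *[!0-9]*) uid=$(id -u "$user" 2>/dev/null) || { echo "no such user: $user"; return 1; } ;;
        *)        uid=$user ;;
    esac
    # Must already exist as a plain file: if it is missing, dnsmasq tries to
    # create it after dropping root and fails to start (case B1 above).
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "missing or not a regular file: $file"; return 1
    fi
    owner=$(stat -c %u "$file"); perm=$(stat -c %A "$file")
    # Owned by someone else gives "failed to update mtime" (case B2 above).
    [ "$owner" = "$uid" ] || { echo "owner uid $owner, expected $uid"; return 1; }
    # perm looks like -rw-r--r--: owner write bit is the third character.
    case $perm in ??w*) ;; *) echo "not writable by owner: $perm"; return 1 ;; esac
    # Group or world write lets other processes tamper with it (case C above).
    case $perm in ?????w*|????????w*) echo "writable by group/others: $perm"; return 1 ;; esac
    if fs_is_volatile "$file"; then
        echo "on a volatile filesystem: timestamp will not survive a reboot"; return 1
    fi
    echo "ok: $file owned by uid $uid, mode $perm"
}
```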

