[Dnsmasq-discuss] a little feedback on the new dnssec startup method in openwrt
Kevin Darbyshire-Bryant
kevin at darbyshire-bryant.me.uk
Fri Apr 3 00:08:39 BST 2015
Chaps,
If I may interject:
On 02/04/2015 22:21, Dave Taht wrote:
> On Thu, Apr 2, 2015 at 1:20 PM, Simon Kelley <simon at thekelleys.org.uk> wrote:
> On 02/04/15 19:41, Dave Taht wrote:
> >>> A) Not clear what happens if it tries to write it while the jffs
> >>> filesystem is still being cleaned
>
> Not sure I have anything sensible to add here.
>
> >>>
> >>> B) the dnssec_timestamp file needs to go somewhere that can be
> >>> written by nobody.
>
> This is documented in the manpage entry.
>
> nobody is the default, but most systems have a "dnsmasq" user and
> run with --user=dnsmasq
I've been fiddling/meddling with Openwrt & dnsmasq RC's the past week or
so. I modded the openwrt package to create /etc/dnsmasq.d and the
dnsmasq init script to chown nobody:nogroup /etc/dnsmasq.d (as I can't
work out how to get the build scripts to change the owner at image build
time). That directory is used to store a dnsmasq timestamp file and is
there specifically to survive reboots... otherwise the timestamp
mechanism is slightly pointless :-) There is a security issue in the
sense that 'nobody' can mess with the file if they so choose. I
considered a dnsmasq user, but I wonder about further knock-ons with regard
to 'luci' reading dhcp lease files and the like.
There's some new secure computing options coming in (yet to be enabled
by default AFAIK) that effectively partition the filesystems that each
process can see to a per process view. That may go some way to negating
the need to create 'mr. dnsmasq' rather than keeping everything as
'nobody'. I've yet to play with the seccomp option though I've done
my best to update the init script to be seccomp, timestamp &
customisable dhcp.leases aware (sorry gone a bit openwrt there!)
Ideally 'luci' needs to have all the dnssec options exposed
including the new timestamp file as a customisable location.
> > Well, if it is perpetually created in /tmp on boot, how does it detect
> > the time slew?
>
> > It seemed to me that writing it to flash closed a vulnerability during
> > a quick reboot cycle.
I've even considered stopping the 'sysfixtime' service as this has the
potential to confuse dnsmasq in the event it doesn't have the timestamp
file to reference.
Here's a plea/offer to the Openwrt aware people (John?): I'm very new
to Openwrt and the past week has been quite a learning curve on the
build & packaging process. I think I've probably logged an erroneous
ticket due to my lack of experience. What I would say is that there is
a willing idiot here who would be glad to offer the tweaks & bits &
pieces I've done so far.... I do need a bit of help, asking the odd
idiot question or two to get me to a state where I can hopefully be more
help than a hindrance.
Maybe these will help:
diff --git a/package/network/services/dnsmasq/files/dnsmasq.init
b/package/network/services/dnsmasq/files/dnsmasq.init
index 9795d1a..46bc698 100644
--- a/package/network/services/dnsmasq/files/dnsmasq.init
+++ b/package/network/services/dnsmasq/files/dnsmasq.init
@@ -15,6 +15,7 @@ ADD_LOCAL_HOSTNAME=1
CONFIGFILE="/var/etc/dnsmasq.conf"
HOSTFILE="/tmp/hosts/dhcp"
TRUSTANCHORSFILE="/usr/share/dnsmasq/trust-anchors.conf"
+TIMESTAMPFILE="/etc/dnsmasq.d/dnsmasq.timestamp"
xappend() {
local value="$1"
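Review bot: TIMESTAMPFILE on the added line is a fixed path with no way to override it from the uci config, while the later hunks use a $leasefile variable for the lease file. Since the timestamp has to sit on persistent storage that the user dnsmasq runs as can write to, read the location from the dnsmasq config section with this value as the default, and add a comment saying why it lives under /etc rather than /tmp.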
@@ -202,6 +203,7 @@ dnsmasq() {
config_get_bool dnssec "$cfg" dnssec 0
[ "$dnssec" -gt 0 ] && {
+ xappend "--dnssec-timestamp=$TIMESTAMPFILE"
xappend "--conf-file=$TRUSTANCHORSFILE"
xappend "--dnssec"
append_bool "$cfg" dnsseccheckunsigned
"--dnssec-check-unsigned"
@@ -554,10 +556,12 @@ start_service() {
procd_add_jail dnsmasq ubus log
procd_add_jail_mount $CONFIGFILE $TRUSTANCHORSFILE $HOSTFILE
/etc/passwd /dev/urandom /etc/dnsmasq.conf /tmp/dnsmasq.d
/tmp/resolv.conf.auto /etc/hosts
- procd_add_jail_mount_rw /var/run/dnsmasq/ /tmp/dhcp.leases
+ procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile $TIMESTAMPFILE
procd_close_instance
+ chown nobody:nogroup /etc/dnsmasq.d
+
# before we can call xappend
mkdir -p /var/run/dnsmasq/
mkdir -p $(dirname $CONFIGFILE)
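Review bot: the added chown nobody:nogroup /etc/dnsmasq.d runs on every start regardless of the dnssec setting, while the Makefile change only installs that directory when CONFIG_PACKAGE_dnsmasq_full_dnssec is set, so on other builds it will hit a missing directory. Guard it with the same dnssec test that emits --dnssec-timestamp, and consider handing over only the timestamp file rather than the whole directory, so the unprivileged user cannot create other files there. Also, $leasefile on the changed procd_add_jail_mount_rw line is used before config_foreach dnsmasq dnsmasq runs further down; confirm it is already set at this point, and quote both variables.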
@@ -575,6 +579,9 @@ start_service() {
args=""
config_foreach dnsmasq dnsmasq
+
+ procd_add_jail_mount_rw $leasefile
+
config_foreach dhcp_host_add host
echo >> $CONFIGFILE
config_foreach dhcp_boot_add boot
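Review bot: the added procd_add_jail_mount_rw $leasefile is called after procd_close_instance in the previous hunk, and the same path is already passed to procd_add_jail_mount_rw there, so this second call looks either redundant or too late to affect the jail. Settle on one place: resolve the lease file path before the procd_add_jail block and mount it once, quoted as "$leasefile".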
diff --git a/package/network/services/dnsmasq/Makefile
b/package/network/services/dnsmasq/Makefile
index dcbb63a..597186a 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -8,17 +8,19 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsmasq
-PKG_VERSION:=2.72
-PKG_RELEASE:=4
+PKG_VERSION:=2.73rc3
+PKG_RELEASE:=1
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=http://thekelleys.org.uk/dnsmasq
-PKG_MD5SUM:=cf82f81cf09ad3d47612985012240483
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
+PKG_SOURCE_URL:=git://thekelleys.org.uk/dnsmasq.git
+PKG_SOURCE_PROTO:=git
+PKG_SOURCE_VERSION:=30d0879ed55cb67b1b735beab3d93f3bb3ef1dd2
PKG_LICENSE:=GPL-2.0
PKG_LICENSE_FILES:=COPYING
-PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
+#PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(BUILD_VARIANT)/$(PKG_NAME)-$(PKG_VERSION)
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
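Review bot: removing PKG_MD5SUM while switching PKG_SOURCE_URL to git:// leaves the download with no checksum and an unauthenticated transport, so the pinned PKG_SOURCE_VERSION commit is the only integrity anchor. Add a checksum for the generated tarball if the build system supports one for git sources, and use an authenticated URL if upstream offers one. The commented-out PKG_BUILD_DIR line should be either deleted or restored with a reason, since the old value included $(BUILD_VARIANT).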
@@ -143,6 +145,7 @@ Package/dnsmasq-dhcpv6/install =
$(Package/dnsmasq/install)
define Package/dnsmasq-full/install
$(call Package/dnsmasq/install,$(1))
ifneq ($(CONFIG_PACKAGE_dnsmasq_full_dnssec),)
+ $(INSTALL_DIR) $(1)/etc/dnsmasq.d
$(INSTALL_DIR) $(1)/usr/share/dnsmasq
$(INSTALL_DATA) $(PKG_BUILD_DIR)/trust-anchors.conf
$(1)/usr/share/dnsmasq
endif
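Review bot: $(INSTALL_DIR) $(1)/etc/dnsmasq.d sits inside the ifneq ($(CONFIG_PACKAGE_dnsmasq_full_dnssec),) block, so only dnssec-enabled dnsmasq-full images ship the directory, while the init script's chown is unconditional. Either install the directory for every variant or make the init script skip the chown when it is absent. The directory is also installed with default ownership and only handed to nobody at service start; a comment saying so would help anyone auditing the image.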