update net/dnscrypt-proxy 2.0.42 and fix updating cache files
Credit goes to Larry Hynes for e-mailing me with a bug report where
cache files in /var/dnscrypt-proxy/* cannot be periodically
updated. Everything quoted with > that follows is from Larry Hynes' bug
> There is, I think, possibly a permissions issue with the default
> install of dnscrypt-proxy:
> pkg_add installs the directory
> with owner:group
> dnscrypt-proxy periodically attempts to update the files in there e.g.
> but it does so with the owner:group under which it runs i.e.
> so it fails to update the list of resolvers.
> Relevant log snippet:
> Mar 13 21:29:04 foo dnscrypt-proxy: /var/dnscrypt-proxy/relays.md: chtimes /var/dnscrypt-proxy/relays.md: operation not permitted
> Mar 13 21:29:05 foo dnscrypt-proxy: /var/dnscrypt-proxy/public-resolvers.md: open /var/dnscrypt-proxy/sf-dc6tvrzwb25llprh.tmp: permission denied
> $ chown -R _dnscrypt-proxy:_dnscrypt-proxy /var/dnscrypt-proxy
> fixes the issue.
> Do you think it would be possible (or advisable?) to have the
> installer use the owner and group that dnscrypt-proxy runs under? Or
> have I misunderstood this situation?
drwxr-xr-x 2 root wheel 512B Mar 20 13:04 .
drwxr-xr-x 26 root wheel 512B Mar 4 18:20 ..
-rw-r--r-- 1 root wheel 50.3K Mar 22 05:13 public-resolvers.md
-rw-r--r-- 1 root wheel 307B Mar 20 13:04 public-resolvers.md.minisig
-rw-r--r-- 1 root wheel 7.2K Mar 22 05:13 relays.md
-rw-r--r-- 1 root wheel 297B Mar 15 17:09 relays.md.minisig
$ ls -lah /var/dnscrypt-proxy/
drwxr-xr-x 2 _dnscrypt-proxy _dnscrypt-proxy 512B Mar 26 17:12 .
drwxr-xr-x 26 root wheel 512B Mar 26 17:12 ..
-rw-rw-r-- 1 root _dnscrypt-proxy 50.3K Mar 26 17:12 public-resolvers.md
-rw-rw-r-- 1 root _dnscrypt-proxy 307B Mar 26 17:12 public-resolvers.md.minisig
-rw-rw-r-- 1 root _dnscrypt-proxy 5.4K Mar 26 17:12 relays.md
-rw-rw-r-- 1 root _dnscrypt-proxy 297B Mar 26 17:12 relays.md.minisig
It does this through manual plist editing to change user and group
ownership to _dnscrypt-proxy:_dnscrypt-proxy (cribbed from
games/yquake2) and a light patch to call chmod.
Currently the program does the following:
1. Fetch cache files as root.
2. Do some more setup.
3. Drop privileges by running as the _dnscrypt-proxy user.
4. Periodically fail to update the cache files as _dnscrypt-proxy.
I will report the issue upstream on GitHub once it opens up again for
reporting new issues. An optimal solution will involve fetching the
cache files as _dnscrypt-proxy and should be handled upstream.
If periodic updates failing is not important and is out of scope of the
port, I would be fine with leaving it off.
Feedback and tests are welcome. I do not know golang so some eyes on the
new patch would be nice. I tested and observed that /var/log/messages no
longer displays permissions errors.
Relevant options in /etc/dnscrypt-proxy.toml to use /var/log/messages:
log_level = 2
use_syslog = true
RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
retrieving revision 1.52
diff -u -p -r1.52 Makefile
--- Makefile 23 Mar 2020 05:16:43 -0000 1.52
+++ Makefile 27 Mar 2020 01:52:09 -0000
@@ -4,7 +4,7 @@ COMMENT = flexible DNS proxy with suppor
Re: update net/dnscrypt-proxy 2.0.42 and fix updating cache files
Here is a simplified update to net/dnscrypt-proxy 2.0.42. I leave the
bugfix to upstream, which plans to fix it. Once that bugfix comes, we
may have to add _dnscrypt-proxy:_dnscrypt-proxy ownership for
/var/dnscrypt-proxy in pkg/PLIST.
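
The mismatch described in the first message (cache files fetched as root, later updates attempted as _dnscrypt-proxy) can be checked for before it appears in the log. The script below is an added example, not part of the thread, the port or dnscrypt-proxy. It takes the state produced by the chown -R from the bug report as the target, and audit_cache_dir is a hypothetical name.

```sh
#!/bin/sh
# Added example, not part of the port or of dnscrypt-proxy.
# Assumption: the daemon refreshes a list by creating a temp file in the
# cache directory and then setting timestamps on the list, as the two
# log lines in the bug report suggest.

# audit_cache_dir DIR USER
# Prints one finding per line. Returns 0 if USER (name or numeric uid)
# owns DIR and every regular file below it, 1 otherwise.
audit_cache_dir() {
    dir=$1
    user=$2
    rc=0

    # Creating sf-*.tmp needs write and search permission on DIR itself.
    # -prune makes find test only DIR; 0300 = owner write + search.
    if [ -z "$(find "$dir" -prune -user "$user" -perm -0300 2>/dev/null)" ]; then
        echo "DIR $dir: not owned and writable by $user (open tmp: permission denied)"
        rc=1
    fi

    # Setting explicit timestamps (chtimes) is allowed only for the file
    # owner or root, so each list must be owned by USER.
    bad=$(find "$dir" -type f ! -user "$user" 2>/dev/null)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | while IFS= read -r f; do
            echo "FILE $f: not owned by $user (chtimes: operation not permitted)"
        done
        rc=1
    fi
    return "$rc"
}

# Usage: sh audit.sh /var/dnscrypt-proxy _dnscrypt-proxy
if [ "$#" -eq 2 ]; then
    audit_cache_dir "$1" "$2"
fi
```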