update net/dnscrypt-proxy 2.0.42 and fix updating cache files

update net/dnscrypt-proxy 2.0.42 and fix updating cache files

Nam Nguyen

Credit goes to Larry Hynes for e-mailing me with a bug report where
cache files in /var/dnscrypt-proxy/* cannot be periodically
updated. Everything quoted with > that follows is from Larry Hynes' bug
report.

> There is, I think, possibly a permissions issue with the default
> install of dnscrypt-proxy:
>
> pkg_add installs the directory
>
> /var/dnscrypt-proxy
>
> with owner:group
>
> root:wheel
>
> dnscrypt-proxy periodically attempts to update the files in there e.g.
>
> public-resolvers.md
>
> but it does so with the owner:group under which it runs i.e.
>
> _dnscrypt-proxy:_dnscrypt-proxy
>
> so it fails to update the list of resolvers.
>
> Relevant log snippet:
>
> ------
> Mar 13 21:29:04 foo dnscrypt-proxy[55126]: /var/dnscrypt-proxy/relays.md: chtimes /var/dnscrypt-proxy/relays.md: operation not permitted
> Mar 13 21:29:05 foo dnscrypt-proxy[55126]: /var/dnscrypt-proxy/public-resolvers.md: open /var/dnscrypt-proxy/sf-dc6tvrzwb25llprh.tmp: permission denied
> ------
>
> $ chown -R _dnscrypt-proxy:_dnscrypt-proxy /var/dnscrypt-proxy
>
> fixes the issue.
>
> Do you think it would be possible (or advisable?) to have the
> installer use the owner and group that dnscrypt-proxy runs under? Or
> have I misunderstood this situation?

Here is a diff that:
- Updates to dnscrypt-proxy 2.0.42, released March 26, 2020.
  Changelogs:
  https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.42/ChangeLog
  https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.41/ChangeLog
- Fixes being unable to update cache files in /var/dnscrypt-proxy/* by
  adding group write permissions for _dnscrypt-proxy.

before:
drwxr-xr-x   2 root  wheel   512B Mar 20 13:04 .
drwxr-xr-x  26 root  wheel   512B Mar  4 18:20 ..
-rw-r--r--   1 root  wheel  50.3K Mar 22 05:13 public-resolvers.md
-rw-r--r--   1 root  wheel   307B Mar 20 13:04 public-resolvers.md.minisig
-rw-r--r--   1 root  wheel   7.2K Mar 22 05:13 relays.md
-rw-r--r--   1 root  wheel   297B Mar 15 17:09 relays.md.minisig

after:
$ ls -lah /var/dnscrypt-proxy/
total 132
drwxr-xr-x   2 _dnscrypt-proxy  _dnscrypt-proxy   512B Mar 26 17:12 .
drwxr-xr-x  26 root             wheel             512B Mar 26 17:12 ..
-rw-rw-r--   1 root             _dnscrypt-proxy  50.3K Mar 26 17:12 public-resolvers.md
-rw-rw-r--   1 root             _dnscrypt-proxy   307B Mar 26 17:12 public-resolvers.md.minisig
-rw-rw-r--   1 root             _dnscrypt-proxy   5.4K Mar 26 17:12 relays.md
-rw-rw-r--   1 root             _dnscrypt-proxy   297B Mar 26 17:12 relays.md.minisig

It does this through manual plist editing to change user and group
ownership to _dnscrypt-proxy:_dnscrypt-proxy (cribbed from
games/yquake2) and a light patch to call chmod.

Currently the program does the following:
1. Fetch cache files as root.
2. Do some more setup.
3. Drop privileges by running as the _dnscrypt-proxy user.
4. Periodically fail to update the cache files as _dnscrypt-proxy.

I will report the issue upstream on GitHub once it opens up again for
reporting new issues. An optimal solution will involve fetching the
cache files as _dnscrypt-proxy and should be handled upstream.

If periodic updates failing is not important and is out of scope of the
port, I would be fine with leaving it off.

Feedback and tests are welcome. I do not know golang so some eyes on the
new patch would be nice. I tested and observed that /var/log/messages no
longer displays permissions errors.

Relevant options in /etc/dnscrypt-proxy.toml to use /var/log/messages:
log_level = 2
use_syslog = true

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
retrieving revision 1.52
diff -u -p -r1.52 Makefile
--- Makefile 23 Mar 2020 05:16:43 -0000 1.52
+++ Makefile 27 Mar 2020 01:52:09 -0000
@@ -4,7 +4,7 @@ COMMENT = flexible DNS proxy with suppor
 
 GH_ACCOUNT = jedisct1
 GH_PROJECT = dnscrypt-proxy
-GH_TAGNAME = 2.0.40
+GH_TAGNAME = 2.0.42
 
 CATEGORIES = net
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/distinfo,v
retrieving revision 1.28
diff -u -p -r1.28 distinfo
--- distinfo 23 Mar 2020 05:16:43 -0000 1.28
+++ distinfo 27 Mar 2020 01:52:09 -0000
@@ -1,2 +1,2 @@
-SHA256 (dnscrypt-proxy-2.0.40.tar.gz) = F/lc+eOM6GSonc76MKTC4j14+zUUzTVnpg96DfwTPXg=
-SIZE (dnscrypt-proxy-2.0.40.tar.gz) = 2322600
+SHA256 (dnscrypt-proxy-2.0.42.tar.gz) = wADKThWcZgbLNHbqnjTtZLXEbHENcMxWUfFPESXI01I=
+SIZE (dnscrypt-proxy-2.0.42.tar.gz) = 2324442
Index: patches/patch-dnscrypt-proxy_sources_go
===================================================================
RCS file: patches/patch-dnscrypt-proxy_sources_go
diff -N patches/patch-dnscrypt-proxy_sources_go
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-dnscrypt-proxy_sources_go 27 Mar 2020 01:52:09 -0000
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+Fixes being unable to update cache files in /var/dnscrypt-proxy/* by adding
+group write permissions for _dnscrypt-proxy.
+
+Index: dnscrypt-proxy/sources.go
+--- dnscrypt-proxy/sources.go.orig
++++ dnscrypt-proxy/sources.go
+@@ -117,6 +117,8 @@ func (source *Source) writeToCache(bin, sig []byte, no
+ }
+ }
+ writeErr = os.Chtimes(f, now, now)
++ _ = os.Chmod(f, 0664)
++ _ = os.Chmod(f+".minisig", 0664)
+ }
+
+ func (source *Source) parseURLs(urls []string) {
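Review bot: both added os.Chmod calls discard their error with "_ =", so if the chmod on f or on f+".minisig" fails nothing is logged and the file keeps its old mode; log the error, or fold it into writeErr the way the os.Chtimes result on the line above is kept. The log in the bug report shows the update failing at open of a temporary sf-*.tmp file inside /var/dnscrypt-proxy and at chtimes with "operation not permitted"; neither depends on the group-write bit of f, so please confirm on a test install whether the 0664 mode is needed at all once pkg/PLIST gives the directory to _dnscrypt-proxy.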
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/PLIST,v
retrieving revision 1.2
diff -u -p -r1.2 PLIST
--- pkg/PLIST 22 Dec 2019 14:12:47 -0000 1.2
+++ pkg/PLIST 27 Mar 2020 01:52:09 -0000
@@ -16,4 +16,6 @@ share/examples/dnscrypt-proxy/example-dn
 share/examples/dnscrypt-proxy/example-forwarding-rules.txt
 share/examples/dnscrypt-proxy/example-ip-blacklist.txt
 share/examples/dnscrypt-proxy/example-whitelist.txt
+@owner _dnscrypt-proxy
+@group _dnscrypt-proxy
 @sample ${LOCALSTATEDIR}/dnscrypt-proxy/
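Review bot: the @owner and @group lines added before the final @sample stay in effect for every entry that follows them, so anything later appended to this PLIST would also be installed as _dnscrypt-proxy:_dnscrypt-proxy. Add an empty @owner and an empty @group after the @sample line to reset both to the default.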

Re: update net/dnscrypt-proxy 2.0.42 and fix updating cache files

Nam Nguyen

Here is a simplified update to net/dnscrypt-proxy 2.0.42. I leave the
bugfix to upstream, which plans to fix it. Once that bugfix comes, we
may have to add _dnscrypt-proxy:_dnscrypt-proxy ownership for
/var/dnscrypt-proxy in pkg/PLIST.

I posted Larry Hynes' bug report here:
https://github.com/DNSCrypt/dnscrypt-proxy/issues/1265

Changelogs:
https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.42/ChangeLog
https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.41/ChangeLog

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
retrieving revision 1.52
diff -u -p -r1.52 Makefile
--- Makefile 23 Mar 2020 05:16:43 -0000 1.52
+++ Makefile 3 Apr 2020 09:29:14 -0000
@@ -4,7 +4,7 @@ COMMENT = flexible DNS proxy with suppor
 
 GH_ACCOUNT = jedisct1
 GH_PROJECT = dnscrypt-proxy
-GH_TAGNAME = 2.0.40
+GH_TAGNAME = 2.0.42
 
 CATEGORIES = net
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/distinfo,v
retrieving revision 1.28
diff -u -p -r1.28 distinfo
--- distinfo 23 Mar 2020 05:16:43 -0000 1.28
+++ distinfo 3 Apr 2020 09:29:14 -0000
@@ -1,2 +1,2 @@
-SHA256 (dnscrypt-proxy-2.0.40.tar.gz) = F/lc+eOM6GSonc76MKTC4j14+zUUzTVnpg96DfwTPXg=
-SIZE (dnscrypt-proxy-2.0.40.tar.gz) = 2322600
+SHA256 (dnscrypt-proxy-2.0.42.tar.gz) = wADKThWcZgbLNHbqnjTtZLXEbHENcMxWUfFPESXI01I=
+SIZE (dnscrypt-proxy-2.0.42.tar.gz) = 2324442
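The permission failure reported in this thread, modelled as an added Go example; it is not part of either message and not dnscrypt-proxy code. The type and function names are hypothetical, the owners, groups and modes are copied from the "before" and "after" listings, and supplementary groups, the directory search bit and the sticky bit are ignored as a simplifying assumption.

```go
package main

import "fmt"

// Node is one row of an ls -l listing (values used below are copied from
// the "before" and "after" listings in the thread).
type Node struct {
	Owner, Group string
	Mode         uint32
}

// Proc is the identity the daemon has after dropping privileges.
// Assumption: no supplementary groups.
type Proc struct{ User, Group string }

// canWrite applies the Unix rule that the first matching class decides.
func canWrite(p Proc, n Node) bool {
	switch {
	case p.User == "root":
		return true
	case p.User == n.Owner:
		return n.Mode&0200 != 0
	case p.Group == n.Group:
		return n.Mode&0020 != 0
	}
	return n.Mode&0002 != 0
}

// Result says which steps of a cache refresh would be permitted.
type Result struct{ CreateTmp, OverwriteInPlace, ChtimesInPlace bool }

// Check models the operations named in the logged errors.
func Check(p Proc, dir, file Node) Result {
	return Result{
		CreateTmp:        canWrite(p, dir),  // new sf-*.tmp entry: directory write
		OverwriteInPlace: canWrite(p, file), // the only thing mode 0664 changes
		// Setting explicit timestamps needs file ownership; write access is not enough.
		ChtimesInPlace: p.User == "root" || p.User == file.Owner,
	}
}

func main() {
	d := Proc{"_dnscrypt-proxy", "_dnscrypt-proxy"}
	before := Check(d, Node{"root", "wheel", 0755}, Node{"root", "wheel", 0644})
	after := Check(d, Node{"_dnscrypt-proxy", "_dnscrypt-proxy", 0755},
		Node{"root", "_dnscrypt-proxy", 0664})
	fmt.Printf("before: %+v\nafter:  %+v\n", before, after)
}
```

For the "before" layout every step is refused, matching the two logged errors. For the "after" layout the temporary file can be created, while chtimes on a file still owned by root stays refused until the daemon has written its own copy.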