cache files in /var/dnscrypt-proxy/* downloaded as root but fail to update as user_name #1265
Description
Credit for this bug report goes to Larry Hynes.
I am the maintainer of the dnscrypt-proxy port on OpenBSD and Larry Hynes e-mailed me a bug report, which I will share here on github.
Who is the bug affecting?
dnscrypt-proxy users on OpenBSD and other *BSD and linux platforms where privileges are dropped.
What is affected by this bug?
$ ls -lah /var/dnscrypt-proxy/
...
drwxr-xr-x 2 root wheel 512B Mar 20 13:04 .
drwxr-xr-x 26 root wheel 512B Mar 4 18:20 ..
-rw-r--r-- 1 root wheel 50.3K Mar 22 05:13 public-resolvers.md
-rw-r--r-- 1 root wheel 307B Mar 20 13:04 public-resolvers.md.minisig
-rw-r--r-- 1 root wheel 7.2K Mar 22 05:13 relays.md
-rw-r--r-- 1 root wheel 297B Mar 15 17:09 relays.md.minisig
When does this occur?
These cache files in /var/dnscrypt-proxy are downloaded as root, drops privileges to become user_name = '_dnscrypt-proxy' and tries to periodically update as _dnscrypt-proxy. There are permissions errors.
Where does it happen?
How do we replicate the issue?
Bug report from Larry Hynes:
There is, I think, possibly a permissions issue with the default
install of dnscrypt-proxy:pkg_add installs the directory
/var/dnscrypt-proxy
with owner:group
root:wheel
dnscrypt-proxy periodically attempts to update the files in there e.g.
public-resolvers.md
but it does so with the owner:group under which it runs i.e.
_dnscrypt-proxy:_dnscrypt-proxy
so it fails to update the list of resolvers.
Relevant log snippet:
Mar 13 21:29:04 foo dnscrypt-proxy[55126]:
/var/dnscrypt-proxy/relays.md: chtimes
/var/dnscrypt-proxy/relays.md: operation not permitted
Mar 13 21:29:05 foo dnscrypt-proxy[55126]:
/var/dnscrypt-proxy/public-resolvers.md: open
/var/dnscrypt-proxy/sf-dc6tvrzwb25llprh.tmp: permission denied$ chown -R _dnscrypt-proxy:_dnscrypt-proxy /var/dnscrypt-proxy
fixes the issue.
Do you think it would be possible (or advisable?) to have the
installer use the owner and group that dnscrypt-proxy runs under? Or
have I misunderstood this situation?
Expected behavior (i.e. solution)
For now, a short-term solution that I proposed for the OpenBSD port is two-fold.
The goal is to get it to these permissions. First, I made the pkg/PLIST give ownership to _dnscrypt-proxy:_dnscrypt-proxy for the directory itself. Then, cache files get group ownership by default.
$ ls -lah /var/dnscrypt-proxy/
total 132
drwxr-xr-x 2 _dnscrypt-proxy _dnscrypt-proxy 512B Mar 26 17:12 .
drwxr-xr-x 26 root wheel 512B Mar 26 17:12 ..
-rw-rw-r-- 1 root _dnscrypt-proxy 50.3K Mar 26 17:12 public-resolvers.md
-rw-rw-r-- 1 root _dnscrypt-proxy 307B Mar 26 17:12 public-resolvers.md.minisig
-rw-rw-r-- 1 root _dnscrypt-proxy 5.4K Mar 26 17:12 relays.md
-rw-rw-r-- 1 root _dnscrypt-proxy 297B Mar 26 17:12 relays.md.minisig
What's left is to patch the code to chmod the files:
RCS file: patches/patch-dnscrypt-proxy_sources_go
diff -N patches/patch-dnscrypt-proxy_sources_go
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-dnscrypt-proxy_sources_go 27 Mar 2020 01:52:09 -0000
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+Fixes being unable to update cache files in /var/dnscrypt-proxy/* by adding
+group write permissions for _dnscrypt-proxy.
+
+Index: dnscrypt-proxy/sources.go
+--- dnscrypt-proxy/sources.go.orig
++++ dnscrypt-proxy/sources.go
+@@ -117,6 +117,8 @@ func (source *Source) writeToCache(bin, sig []byte, no
+ }
+ }
+ writeErr = os.Chtimes(f, now, now)
++ _ = os.Chmod(f, 0664)
++ _ = os.Chmod(f+".minisig", 0664)
+ }
+
+ func (source *Source) parseURLs(urls []string) {
Now, I get no permissions errors in syslog.
Other Comments
The ideal solution would involve fetching the cache files as user_name instead of root, continuing setup as root, and dropping privileges again. Perhaps this can be refactored in the future?