[pkg] CurveDNS - review

Lukas Schwaighofer lukas at schwaighofer.name
Tue Jun 27 15:14:35 UTC 2017 


On Tue, 27 Jun 2017 15:20:48 +0200
Stéphane Neveu <stefneveu at gmail.com> wrote:
> > * init script (debian/curvedns.init):
> >   the environment variables will not be available to the executed
> > daemon and there is no straight forward way I'm aware of to pass
> > environment variables through start-stop-daemon.  The `env` binary
> > can help in some cases, but is not powerful enough to read the
> > variables from a file.  One option would be to write a wrapper
> > script and install it to installed to /usr/lib/curvedns/ that does
> > something like
> >
> >         #!/bin/sh
> >         set -o allexport
> >         . /path/to/sourcefile1
> >         . /path/to/sourcefile2
> >         exec real-daemon "$@"
> >  
> 
> Still not sure to understand... do you mean that my curvedns.init is
> just calling that new script to start curvedns without
> stop-start-daemon ?

What I meant is that start-stop-daemon should call that wrapper script
(which will in turn exec the daemon).  Otherwise the environment
variables are not available to the daemon and it will not start.

After you have made the changes you should try if the init works as
expected (is able to start the daemon).  What I usually do:
* stop the service
* remove the systemd unit file from /lib/systemd/system
* execute `systemctl daemon-reload`
When starting the service now, systemd should use the init script to do
so.

> So I removed the entire env directory and now everything is saved
> under /etc/curvedns (back again :)
> pub key+hex key + priv key

Heads up here: you call `curvedns-keygen` multiple times.  That means
that the public and private keys you extract will not match (they are
from two different key generation runs).  Nothing will work if you setup
the system with a non-matching public/private keypair.  You need to
extract the three lines from the same `curvedns-keygen` run.


For writing the private key to file, you should do the following:

  (umask 077; echo "key=$value" > /path/to/file)

and drop the chmod.  This will make sure the file is created with
correct permissions right away (no race condition where another process
could theoretically extract the private key if it opens the  file at
just the right moment).  You can use umask 0377 instead if you want to
mask the write bit for the owner as well (I wouldn't do that though).

Oh, and you no longer need to source the debconf confmodule in your
courvedns.postinst file.


Let me know if you were able to successfully deploy a curvedns
test-setup :) .

Regards
Lukas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-security-team/attachments/20170627/f5d001f9/attachment.sig>

More information about the Pkg-security-team mailing list