[pkg] CurveDNS - review
Stéphane Neveu
stefneveu at gmail.com
Tue Jun 27 19:55:57 UTC 2017
Hi Lukas,
>
>
> On Tue, 27 Jun 2017 15:20:48 +0200
> Stéphane Neveu <stefneveu at gmail.com> wrote:
>> > * init script (debian/curvedns.init):
>> > the environment variables will not be available to the executed
>> > daemon and there is no straightforward way I'm aware of to pass
>> > environment variables through start-stop-daemon. The `env` binary
>> > can help in some cases, but is not powerful enough to read the
>> > variables from a file. One option would be to write a wrapper
>> > script and install it to /usr/lib/curvedns/ that does
>> > something like
>> >
>> > #!/bin/sh
>> > set -o allexport
>> > . /path/to/sourcefile1
>> > . /path/to/sourcefile2
>> > exec real-daemon "$@"
>> >
>>
>> Still not sure I understand... do you mean that my curvedns.init is
>> just calling that new script to start curvedns without
>> stop-start-daemon?
>
> What I meant is that start-stop-daemon should call that wrapper script
> (which will in turn exec the daemon). Otherwise the environment
> variables are not available to the daemon and it will not start.
>
> After you have made the changes you should try if the init works as
> expected (is able to start the daemon). What I usually do:
> * stop the service
> * remove the systemd unit file from /lib/systemd/system
> * execute `systemctl daemon-reload`
> When starting the service now, systemd should use the init script to do
> so.
>
Done but it doesn't work yet. I need to figure out why.
>> So I removed the entire env directory and now everything is saved
>> under /etc/curvedns (back again :)
>> pub key+hex key + priv key
>
> Heads up here: you call `curvedns-keygen` multiple times. That means
> that the public and private keys you extract will not match (they are
> from two different key generation runs). Nothing will work if you set up
> the system with a non-matching public/private keypair. You need to
> extract the three lines from the same `curvedns-keygen` run.
>
>
OMG I was tired today! Sorry, it should be OK now.
> For writing the private key to file, you should do the following:
>
> (umask 077; echo "key=$value" > /path/to/file)
>
> and drop the chmod. This will make sure the file is created with
> correct permissions right away (no race condition where another process
> could theoretically extract the private key if it opens the file at
> just the right moment). You can use umask 0377 instead if you want to
> mask the write bit for the owner as well (I wouldn't do that though).
>
> Oh, and you no longer need to source the debconf confmodule in your
> curvedns.postinst file.
>
Done but I had to chmod +x the wrapper-start script; if you have
another trick here to remove it, I'll take it.
>
> Let me know if you were able to successfully deploy a curvedns
> test-setup :) .
>
> Regards
> Lukas
>
>
>
Thank you for your patience Lukas.
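
Two points from this review, as an added example that is not part of the original message or of the package: the window left open by create-then-chmod versus a subshell umask, and why key parts must come from one generator run. The file names, the `demo_keygen` stand-in and its output format are constructed for illustration and are not curvedns-keygen's real output; `stat -c` assumes GNU stat as on Debian.

```shell
#!/bin/sh
# Added example: file names, key labels and demo_keygen are hypothetical.

# Stand-in for a key generator: each call prints a fresh, constructed
# "public"/"private" pair sharing one random id (NOT curvedns-keygen's format).
demo_keygen() {
    id=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')
    printf 'public: pub-%s\nprivate: priv-%s\n' "$id" "$id"
}

# Mode of a file as octal digits (GNU stat, as on Debian).
mode_of() { stat -c %a "$1"; }

# Create-then-chmod: print the mode the file has before chmod runs.
write_then_chmod() {
    ( umask 022                      # typical default, set explicitly
      echo "key=$2" > "$1"
      mode_of "$1"                   # what another process sees in the window
      chmod 600 "$1" )
}

# Restrictive umask in a subshell: the file is never wider than 0600,
# and the caller's umask is left untouched.
write_with_umask() {
    ( umask 077; echo "key=$2" > "$1" )
    mode_of "$1"
}

# Run the generator once, then take both values from that single output.
keys_from_one_run() {
    out=$(demo_keygen)
    pub=$(printf '%s\n' "$out" | sed -n 's/^public: pub-//p')
    priv=$(printf '%s\n' "$out" | sed -n 's/^private: priv-//p')
    [ "$pub" = "$priv" ] && echo match || echo mismatch
}

# Run the generator once per value: the pieces come from different runs.
keys_from_two_runs() {
    pub=$(demo_keygen | sed -n 's/^public: pub-//p')
    priv=$(demo_keygen | sed -n 's/^private: priv-//p')
    [ "$pub" = "$priv" ] && echo match || echo mismatch
}
```

Both writer functions expect a path that does not exist yet, since an existing file keeps its current mode when it is truncated by `>`.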