[pkg] CurveDNS - review

Lukas Schwaighofer lukas at schwaighofer.name
Tue Jun 27 21:00:08 UTC 2017 

Hi Stéphane,

In the postinst script you tried the following:

DNSPUBKEY=`echo $OUTPUT | awk '/DNS public key:/ {print $4}'`
HEXPUBKEY=`echo $OUTPUT | awk '/Hex public key:/ {print $4}'`
HEXSECRETKEY=`echo $OUTPUT | awk '/Hex secret key:/ {print $4}'`

This is a good way of extracting the information (much better than what
you did afterwards).  The reason why it didn't work is because you need
to quote "$OUTPUT", otherwise the shell performs what is called word
splitting.

Please change the lines again to be similar to:
DNSPUBKEY=`echo "$OUTPUT" | awk '/DNS public key:/ {print $4}'`

On Tue, 27 Jun 2017 21:55:57 +0200
Stéphane Neveu <stefneveu at gmail.com> wrote:
> > On Tue, 27 Jun 2017 15:20:48 +0200
> > Stéphane Neveu <stefneveu at gmail.com> wrote:  
> >> > * init script (debian/curvedns.init):
> >> >   the environment variables will not be available to the executed
> >> > daemon and there is no straight forward way I'm aware of to pass
> >> > environment variables through start-stop-daemon.  The `env`
> >> > binary can help in some cases, but is not powerful enough to
> >> > read the variables from a file.  One option would be to write a
> >> > wrapper script and install it to installed to /usr/lib/curvedns/
> >> > that does something like
> >> >
> >> >         #!/bin/sh
> >> >         set -o allexport
> >> >         . /path/to/sourcefile1
> >> >         . /path/to/sourcefile2
> >> >         exec real-daemon "$@"
> >> >  
> >>
> >> Still not sure to understand... do you mean that my curvedns.init
> >> is just calling that new script to start curvedns without
> >> stop-start-daemon ?  
> >
> > What I meant is that start-stop-daemon should call that wrapper
> > script (which will in turn exec the daemon).  Otherwise the
> > environment variables are not available to the daemon and it will
> > not start.
> >
> > After you have made the changes you should try if the init works as
> > expected (is able to start the daemon).  What I usually do:
> > * stop the service
> > * remove the systemd unit file from /lib/systemd/system
> > * execute `systemctl daemon-reload`
> > When starting the service now, systemd should use the init script
> > to do so.
> >  
> 
> Done but it doesn't work yet. I need to figure out why.

The environment should work fine.  Have a look at the DAEMON_ARGS…

> I had to chmod +x the wrapper-start script, if you have
> another trick here to remove it, I take.

That made me laugh :) .  It's not that chmod is bad, just race
conditions that can lead to bad things (e.g. leaking secrets) should be
avoided if possible…

As for the wrapper script: just place the cotents of the script into
debian/wrapper-start and give it execute permissions.  Then add the
following line to debian/curvedns.install:
    debian/wrapper-start /usr/lib/curvedns

Only files with dynamic content should be generated in maintainer
scripts (and then it needs to go to /var/…).  It's always better to
have files directly included in the binary package, then it also
gets cleaned properly etc. without you having to care about that in
the postrm script.

Regards
Lukas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-security-team/attachments/20170627/bfaaabcd/attachment.sig>

More information about the Pkg-security-team mailing list