[pkg] CurveDNS - review

Stéphane Neveu stefneveu at gmail.com
Wed Jun 28 13:33:59 UTC 2017


2017-06-27 23:00 GMT+02:00 Lukas Schwaighofer <lukas at schwaighofer.name>:
> Hi Stéphane,
>
> In the postinst script you tried the following:
>
> DNSPUBKEY=`echo $OUTPUT | awk '/DNS public key:/ {print $4}'`
> HEXPUBKEY=`echo $OUTPUT | awk '/Hex public key:/ {print $4}'`
> HEXSECRETKEY=`echo $OUTPUT | awk '/Hex secret key:/ {print $4}'`
>
> This is a good way of extracting the information (much better than what
> you did afterwards).  The reason why it didn't work is because you need
> to quote "$OUTPUT", otherwise the shell performs what is called word
> splitting.
>
> Please change the lines again to be similar to:
> DNSPUBKEY=`echo "$OUTPUT" | awk '/DNS public key:/ {print $4}'`
>
> On Tue, 27 Jun 2017 21:55:57 +0200
> Stéphane Neveu <stefneveu at gmail.com> wrote:
>> > On Tue, 27 Jun 2017 15:20:48 +0200
>> > Stéphane Neveu <stefneveu at gmail.com> wrote:
>> >> > * init script (debian/curvedns.init):
>> >> >   the environment variables will not be available to the executed
>> >> > daemon and there is no straightforward way I'm aware of to pass
>> >> > environment variables through start-stop-daemon.  The `env`
>> >> > binary can help in some cases, but is not powerful enough to
>> >> > read the variables from a file.  One option would be to write a
>> >> > wrapper script and install it to /usr/lib/curvedns/
>> >> > that does something like
>> >> >
>> >> >         #!/bin/sh
>> >> >         set -o allexport
>> >> >         . /path/to/sourcefile1
>> >> >         . /path/to/sourcefile2
>> >> >         exec real-daemon "$@"
>> >> >
>> >>
>> >> Still not sure I understand... do you mean that my curvedns.init
>> >> is just calling that new script to start curvedns without
>> >> start-stop-daemon?
>> >
>> > What I meant is that start-stop-daemon should call that wrapper
>> > script (which will in turn exec the daemon).  Otherwise the
>> > environment variables are not available to the daemon and it will
>> > not start.
>> >
>> > After you have made the changes you should try if the init works as
>> > expected (is able to start the daemon).  What I usually do:
>> > * stop the service
>> > * remove the systemd unit file from /lib/systemd/system
>> > * execute `systemctl daemon-reload`
>> > When starting the service now, systemd should use the init script
>> > to do so.
>> >
>>
>> Done but it doesn't work yet. I need to figure out why.
>
> The environment should work fine.  Have a look at the DAEMON_ARGS…
>

I did something like that:

#!/bin/sh
set -o allexport
. /etc/default/curvedns
. /etc/curvedns/curvedns_private_key.hex
. /var/lib/curvedns/numeric_uid_gid
ARGS="$IP $PORT $REMOTEIP $REMOTEPORT"
exec /usr/sbin/curvedns $ARGS

(I test if those files exist in the curvedns.init then I source variables here)

but I must press Ctrl+C to get my shell back, and stop does not work.


>> I had to chmod +x the wrapper-start script; if you have
>> another trick here to remove it, I'll take it.
>
> That made me laugh :) .  It's not that chmod is bad, just race
> conditions that can lead to bad things (e.g. leaking secrets) should be
> avoided if possible…
>
> As for the wrapper script: just place the contents of the script into
> debian/wrapper-start and give it execute permissions.  Then add the
> following line to debian/curvedns.install:
>     debian/wrapper-start /usr/lib/curvedns
>
> Only files with dynamic content should be generated in maintainer
> scripts (and then it needs to go to /var/…).  It's always better to
> have files directly included in the binary package, then it also
> gets cleaned properly etc. without you having to care about that in
> the postrm script.
>
> Regards
> Lukas

And yes I'll test everything asap :)
Thank you.

Stephane
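
Added example (not part of the original thread or of the package's scripts): the word-splitting failure discussed above, shown next to the quoted form, followed by one way to store the extracted secret without a create-then-chmod window.
Assumptions: the sample OUTPUT is constructed (only the three labels come from the thread), and the function names, including the write_secret helper, are hypothetical.

```shell
#!/bin/sh
# Constructed sample of the key generator output: the three labels are the
# ones matched by the awk patterns in the thread, the values are made up.
OUTPUT='DNS public key: uz5examplednspublickey
Hex public key: 0011aabbpublic
Hex secret key: ffee9988secret'

# Unquoted, as first tried in the postinst: the shell word-splits $OUTPUT and
# echo rejoins the words with single spaces, so awk receives ONE line that
# matches every label and $4 is always the 4th word of the whole output.
extract_unquoted() {   # $1 = label
    echo $OUTPUT | awk -v label="$1" 'index($0, label) {print $4}'
}

# Quoted: newlines survive, awk sees three lines and picks the right one.
# printf is used instead of echo so backslashes in the data stay literal.
extract_quoted() {     # $1 = label
    printf '%s\n' "$OUTPUT" | awk -v label="$1" 'index($0, label) {print $4}'
}

# Hypothetical helper: store a secret without a window in which it is
# readable by others. mktemp creates the file with mode 0600 from the start,
# and mv replaces the destination atomically (same directory).
write_secret() {       # $1 = destination path, $2 = content
    tmp=$(mktemp "$1.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp" && mv -f "$tmp" "$1"
}

# Side-by-side view: every unquoted result is the DNS public key.
for label in 'DNS public key:' 'Hex public key:' 'Hex secret key:'; do
    printf '%-16s unquoted=%s quoted=%s\n' "$label" \
        "$(extract_unquoted "$label")" "$(extract_quoted "$label")"
done
```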



More information about the Pkg-security-team mailing list