On 01/10/15 12:56, Etienne Champetier wrote:
> 2015-10-01 13:21 GMT+02:00 Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk>:
>
> > On 01/10/15 11:37, Etienne Champetier wrote:
> > > Hi,
> > >
> > > 2015-10-01 12:19 GMT+02:00 Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk>:
> > >
> > > > This patch stops SIGHUP from enabling dnssec timechecks if disabled by
> > > > use of --dnssec-no-timecheck option. --dnssec-timestamp continues to
> > > > work correctly.
> > >
> > > I haven't really followed the previous discussion,
> > > but maybe you can just use another signal?
> >
> > The user defined signals USR1 & USR2 are already occupied by dnsmasq
> > with debug/info dump type functions. Maybe one of the SIGTT* signals
> > could be repurposed but I don't know how valid a solution that is.
> >
> > However even if that were done it still doesn't stop a malicious
> > user/process from sending that new signal and potentially disabling dns
> > resolution (assuming dnssec is being used & the system time is incorrect)
>
> you can only signal yourself
> http://stackoverflow.com/a/13335054/3768051

It runs as nobody. So do other processes. I didn't raise the security flag ;-)

> > Ideally some evaluation of threat presented by 'sysfixtime', 'dnssec
> > timestamp files', 'dnssec no timecheck' and the multi-function
> > 'overloading' of SIGHUP into dnsmasq in the context of dnssec &
> > correct/incorrect system time should take place and an appropriate,
> > considered response and solution proposed/implemented. That person
> > isn't me ;-)

That statement still stands.

> > I personally think that sysfixtime is a necessary evil, but at the very
> > least at the present moment until a more correct solution is
> > implemented, it should not be using dnsmasq's timestamp file as a source
> > time reference on boot.
> >
> > > > Enabling dnssec timechecks now requires restarting dnsmasq without
> > > > the --dnssec-no-timecheck configuration option and closes a
> > > > potential denial of service exploit by sending SIGHUP when system
> > > > time does not correspond with Internet time.
> > > >
> > > > This change may be useful for future ntpd/dnsmasq hotplug integration.
> > > >
> > > > Signed-off-by: Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk>
> > > > ---
> > > >  .../dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch | 13 +++++++++++++
> > > >  1 file changed, 13 insertions(+)
> > > >  create mode 100644 package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel