From 77882daac06b28f114e5b7b34ac8b02bf607af04 Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant
Date: Thu, 5 May 2016 12:34:49 +0100
Subject: [PATCH 1/2] base-files: sysfixtime exclude dnsmasq.time

dnsmasq maintains dnsmasq.time across reboots and uses it as a means of determining if current time is good enough to validate dnssec time stamps. By including /etc/dnsmasq.time as a time source for sysfixtime, the mechanism was effectively defeated because time was set to the last time that dnsmasq considered current even though that time is in the past. Since that time is out of date, dns(sec) resolution would fail thus defeating any ntp based mechanisms for setting the clock correctly. In theory the process is defeated by any files in /etc that are newer than /etc/dnsmasq.time however dnsmasq now updates the file's timestamp on process TERM so hopefully /etc/dnsmasq.time is the latest file timestamp in /etc as part of LEDE shutdown/reboot. Either way, including /etc/dnsmasq.time as a time source for sysfixtime is not helpful.
---
 package/base-files/files/etc/init.d/sysfixtime | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/package/base-files/files/etc/init.d/sysfixtime b/package/base-files/files/etc/init.d/sysfixtime
index ab946f6518f6..1354a586ce4e 100755
--- a/package/base-files/files/etc/init.d/sysfixtime
+++ b/package/base-files/files/etc/init.d/sysfixtime
@@ -10,8 +10,8 @@ HWCLOCK=/sbin/hwclock
 boot() {
 start && exit 0
+ local maxtime="$(maxtime)"
 local curtime="$(date +%s)"
- local maxtime="$(find /etc -type f -exec date -r {} +%s \; | sort -nr | head -n1)"
 [ $curtime -lt $maxtime ] && date -s @$maxtime
 }
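Review bot: `[ $curtime -lt $maxtime ] && date -s @$maxtime` now depends on maxtime(), which prints nothing when it finds no candidate file, and with `$maxtime` empty the unquoted test degrades into a `[` usage error on stderr instead of a clean skip. Guard it as `[ -n "$maxtime" ] && [ "$curtime" -lt "$maxtime" ] && date -s "@$maxtime"`. Giving the local the same name as the function it captures (`local maxtime="$(maxtime)"`) is legal in ash but reads like recursion at a glance; a name such as `newest` would be clearer. maxtime() itself is defined in the second hunk of this patch, not here.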
@@ -23,3 +23,12 @@ stop() {
 [ -e "$RTC_DEV" ] && [ -e "$HWCLOCK" ] && $HWCLOCK -w -f $RTC_DEV && \
 logger -t sysfixtime "saved '$(date)' to $RTC_DEV"
 }
+
+maxtime() {
+ local file newest
+
+ for file in $( find /etc -type f ! -path /etc/dnsmasq.time ) ; do
+ [ -z "$newest" -o "$newest" -ot "$file"] && newest=$file
+ done
+ [ "$newest" ] && date -r "$newest" +%s
+}

From 698454740629aca3ec01df7f3dfc42389d721038 Mon Sep 17 00:00:00 2001
From: Kevin Darbyshire-Bryant
Date: Thu, 5 May 2016 12:25:53 +0100
Subject: [PATCH 2/2] dnsmasq: sysupgrade hook to conditionally preserve dnsmasq.time

conditionally save dnsmasq.time across sysupgrade dnsmasq uses /etc/dnsmasq.time as record of the last known good system time to aid its validation of dnssec timestamps. dnsmasq updates the timestamp on process start/stop once it considers the system time as valid. The timestamp file should be preserved across system upgrade but should not be included as part of normal configuration backups to prevent restores corrupting the current timestamp.
---
 package/network/services/dnsmasq/Makefile | 2 ++
 .../dnsmasq/files/dnsmasqsec-add-conffiles.sh | 16 ++++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 package/network/services/dnsmasq/files/dnsmasqsec-add-conffiles.sh

diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 3f12a40cd33f..f0aba1af44ea 100644
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -151,6 +151,8 @@ $(call Package/dnsmasq/install,$(1))
 ifneq ($(CONFIG_PACKAGE_dnsmasq_full_dnssec),)
 $(INSTALL_DIR) $(1)/usr/share/dnsmasq
 $(INSTALL_DATA) $(PKG_BUILD_DIR)/trust-anchors.conf $(1)/usr/share/dnsmasq
+ $(INSTALL_DIR) $(1)/lib/upgrade
+ $(INSTALL_BIN) ./files/dnsmasqsec-add-conffiles.sh $(1)/lib/upgrade
 endif
 endef
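Review bot: The test `[ -z "$newest" -o "$newest" -ot "$file"]` in maxtime() has no space before the closing bracket, so `[` receives `$file]` as its last word, reports "missing ]" on every iteration and returns false; `$newest` is never assigned, the final `[ "$newest" ]` fails, and the function prints nothing, which is exactly what boot() in the previous hunk then consumes. Change the line to `[ -z "$newest" ] || [ "$newest" -ot "$file" ] && newest=$file`, which also drops the deprecated `-o` in favour of two tests. `for file in $( find ... )` word-splits on whitespace in file names and `-ot` is a non-POSIX test extension; both are probably fine for /etc on busybox, but a comment such as `# relies on busybox test -ot; /etc entries are assumed to contain no whitespace` would record the assumption.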
diff --git a/package/network/services/dnsmasq/files/dnsmasqsec-add-conffiles.sh b/package/network/services/dnsmasq/files/dnsmasqsec-add-conffiles.sh
new file mode 100644
index 000000000000..116ab5f8cf72
--- /dev/null
+++ b/package/network/services/dnsmasq/files/dnsmasqsec-add-conffiles.sh
@@ -0,0 +1,16 @@
+add_dnsmasqsec_conffiles()
+{
+ local filelist="$1"
+
+ # do NOT include timestamp in a backup, only system upgrade
+ # dnsmasq restart ensures file timestamp is up to date
+ if [ -z $NEED_IMAGE ]; then
+ if [ $(ubus call service list '{"name":"dnsmasq"}' | jsonfilter -e '@.*.instances.instance1.running') = "true" ]; then
+ /etc/init.d/dnsmasq restart
+ sleep 1
+ echo "/etc/dnsmasq.time" >>$filelist
+ fi
+ fi
+}
+
+sysupgrade_init_conffiles="$sysupgrade_init_conffiles add_dnsmasqsec_conffiles"
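Review bot: Both conditions in add_dnsmasqsec_conffiles are unquoted: `[ -z $NEED_IMAGE ]` collapses to a one-argument test when the variable is unset, and `[ $(ubus call ... | jsonfilter ...) = "true" ]` becomes the malformed `[ = "true" ]` whenever the query prints nothing (for example when the dnsmasq service or its instance1 is not listed), which is an error on stderr that only happens to evaluate false. Quote them as `if [ -z "$NEED_IMAGE" ]; then` and `if [ "$(ubus call service list '{"name":"dnsmasq"}' | jsonfilter -e '@.*.instances.instance1.running')" = "true" ]; then`, and quote the redirection target as `>>"$filelist"`. The hard-coded instance name and the fixed `sleep 1` between the restart and appending the file are assumptions about how dnsmasq is launched and how quickly it rewrites /etc/dnsmasq.time; a short comment stating both would help the next reader. The comment says the file is added only during a system upgrade, which holds only if the sysupgrade script leaves NEED_IMAGE empty in that mode and sets it for backups — worth confirming, since the variable's name suggests the opposite.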