Stuart Henderson writes:

> On 2020/06/11 19:49, Nam Nguyen wrote:
>> This is an update for net/dnscrypt-proxy 2.0.44, released June 11, 2020.
>>
>> Changelogs:
>> https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.44/ChangeLog
>> https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.43/ChangeLog
>>
>> A config breaking change is that the `tls_client_auth' section was
>> renamed to `doh_client_x509_auth', but it errors out to notify the user
>> if this is a problem.
>>
>> - "cache files are now downloaded as the user the daemon will be running
>> as. This fixes permission issues at startup time."
>
> The existing files need to have their ownership changed don't they?
> That could be done with @exec-update or in the rc script.

Here is a fresh diff incorporating sthen@'s advice. I cargo-culted
net/exabgp/pkg/exabgp.rc for rc_pre() and net/dhcpcd/pkg/PLIST for
@exec-update.

>
>> Larry Hynes reported this bug, and it was fixed by upstream (Frank Denis).
>> https://github.com/DNSCrypt/dnscrypt-proxy/commit/6f2dcb900af01954a424e0d38bf0d16d9c599607
>>
>> Port-wise to support downloading cache files, PLIST is manually changed
>> to have @mode 775 and @owner/@group to _dnscrypt-proxy for
>> /var/dnscrypt-proxy. Does 775 seem fine?
>
> 775 seems ok, I would have it owned by root:_dnscrypt-proxy though, even if
> only to avoid blowing out the columns in ls -l /var quite so much..

I tested with two scenarios: no cache files and with cache files, and
the permissions are fixed eventually upon rc start. @exec-update is used
for /var/dnscrypt-proxy itself while rc_pre() is used for cache files.
Should I move everything into rc? /var/dnscrypt-proxy is created once
and cache files are downloaded later at runtime, so it may be fine as
proposed.

Permissions are now:

$ ls -al /var/dnscrypt-proxy/
total 160
drwxrwxr-x   2 root  _dnscrypt-proxy    512 Jun 15 04:01 .
drwxr-xr-x  25 root  wheel              512 Jun 15 04:01 ..
-rw-rw-r--   1 root  _dnscrypt-proxy  55606 Jun 15 04:01 public-resolvers.md
-rw-rw-r--   1 root  _dnscrypt-proxy    307 Jun 15 04:01 public-resolvers.md.minisig
-rw-rw-r--   1 root  _dnscrypt-proxy   6154 Jun 15 04:01 relays.md
-rw-rw-r--   1 root  _dnscrypt-proxy    297 Jun 15 04:01 relays.md.minisig

Index: Makefile =================================================================== RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v retrieving revision 1.53 diff -u -p -u -p -r1.53 Makefile --- Makefile 6 Apr 2020 18:42:57 -0000 1.53 +++ Makefile 15 Jun 2020 11:04:52 -0000 
@@ -4,7 +4,7 @@ COMMENT = flexible DNS proxy with suppor GH_ACCOUNT = jedisct1 GH_PROJECT = dnscrypt-proxy -GH_TAGNAME = 2.0.42 +GH_TAGNAME = 2.0.44 CATEGORIES = net Index: distinfo =================================================================== RCS file: /cvs/ports/net/dnscrypt-proxy/distinfo,v retrieving revision 1.29 diff -u -p -u -p -r1.29 distinfo --- distinfo 6 Apr 2020 18:42:57 -0000 1.29 +++ distinfo 15 Jun 2020 11:04:52 -0000 @@ -1,2 +1,2 @@ -SHA256 (dnscrypt-proxy-2.0.42.tar.gz) = wADKThWcZgbLNHbqnjTtZLXEbHENcMxWUfFPESXI01I= -SIZE (dnscrypt-proxy-2.0.42.tar.gz) = 2324442 +SHA256 (dnscrypt-proxy-2.0.44.tar.gz) = wsmWjwekFOlz7Fc09FmNdWo1wyvu2xgmhZDqE1V5Qjc= +SIZE (dnscrypt-proxy-2.0.44.tar.gz) = 2279842 Index: patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml =================================================================== RCS file: /cvs/ports/net/dnscrypt-proxy/patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml,v retrieving revision 1.13 diff -u -p -u -p -r1.13 patch-dnscrypt-proxy_example-dnscrypt-proxy_toml --- patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 23 Mar 2020 05:16:43 -0000 1.13 +++ patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 15 Jun 2020 11:04:52 -0000 @@ -12,7 +12,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p ## Require servers (from static + remote sources) to satisfy specific properties -@@ -585,7 +585,7 @@ cache_neg_max_ttl = 600 +@@ -594,7 +594,7 @@ cache_neg_max_ttl = 600 [sources.'public-resolvers'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md', 'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md'] 
@@ -21,7 +21,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3' prefix = '' -@@ -593,7 +593,7 @@ cache_neg_max_ttl = 600 +@@ -602,7 +602,7 @@ cache_neg_max_ttl = 600 [sources.'relays'] urls = ['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md', 'https://download.dnscrypt.info/resolvers-list/v2/relays.md'] Index: pkg/PLIST =================================================================== RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/PLIST,v retrieving revision 1.2 diff -u -p -u -p -r1.2 PLIST --- pkg/PLIST 22 Dec 2019 14:12:47 -0000 1.2 +++ pkg/PLIST 15 Jun 2020 11:04:52 -0000 @@ -16,4 +16,8 @@ share/examples/dnscrypt-proxy/example-dn share/examples/dnscrypt-proxy/example-forwarding-rules.txt share/examples/dnscrypt-proxy/example-ip-blacklist.txt share/examples/dnscrypt-proxy/example-whitelist.txt +@mode 775 +@group _dnscrypt-proxy @sample ${LOCALSTATEDIR}/dnscrypt-proxy/ +@comment fix perms for upgrades since privsep downloaded cache files in 2.0.43 +@exec-update [[ -d ${LOCALSTATEDIR}/dnscrypt-proxy ]] && chown root:_dnscrypt-proxy ${LOCALSTATEDIR}/dnscrypt-proxy && chmod 775 ${LOCALSTATEDIR}/dnscrypt-proxy Index: pkg/dnscrypt_proxy.rc =================================================================== RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/dnscrypt_proxy.rc,v retrieving revision 1.5 diff -u -p -u -p -r1.5 dnscrypt_proxy.rc --- pkg/dnscrypt_proxy.rc 16 Oct 2018 14:55:02 -0000 1.5 +++ pkg/dnscrypt_proxy.rc 15 Jun 2020 11:04:52 -0000 @@ -4,6 +4,7 @@ daemon="${TRUEPREFIX}/bin/dnscrypt-proxy" daemon_flags="-config ${SYSCONFDIR}/dnscrypt-proxy.toml" +d="${LOCALSTATEDIR}/dnscrypt-proxy" . /etc/rc.d/rc.subr 
@@ -11,5 +12,17 @@ pexp="${daemon}${daemon_flags:+ ${daemon rc_bg=YES rc_reload=NO + +rc_pre() { + for i in public-resolvers.md{,.minisig}\ + relays.md{,.minisig}\ + quad9-resolvers.md{,.minisig}\ + parental-control.md{,.minisig}; do + if [[ -e "$d/$i" ]]; then + chown root:_dnscrypt-proxy "$d/$i" + chmod 664 "$d/$i" + fi + done +} rc_cmd $1
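
Review bot: in the pkg/PLIST hunk, the @exec-update line is a bare `[[ -d ... ]] && chown ... && chmod ...` chain, which evaluates to a non-zero status whenever the directory is absent, so the "nothing to fix" case is indistinguishable from a failed chown. Writing it as `if [[ -d ${LOCALSTATEDIR}/dnscrypt-proxy ]]; then chown ...; chmod ...; fi` makes the no-op case return success. The added @mode 775 and @group _dnscrypt-proxy are also never reset after the @sample line; a bare `@mode` and `@group` following it would keep them from applying to anything appended to the PLIST later.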
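
Review bot: in the pkg/dnscrypt_proxy.rc hunk that adds rc_pre(), the `[[ -e "$d/$i" ]]` test and the chown/chmod that follow it all follow symbolic links, while the PLIST hunk makes $d writable by group _dnscrypt-proxy, so the start-up script changes ownership and mode on whatever a name in that directory resolves to. Restricting the test to regular files that are not links, e.g. `[[ -f "$d/$i" && ! -L "$d/$i" ]]`, and using `chown -h` keeps the fix-up confined to the cache files themselves. The loop also hard-codes four source names, so any other cache file in the directory keeps its old ownership, and the fix-up runs on every start rather than once after the upgrade; a short comment in rc_pre() saying which of those is intended would help the next reader. The single-letter global `d` set before rc.subr is sourced would be easier to follow with a descriptive name.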
