[OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

Yousong Zhou yszhou4tech at gmail.com
Tue Sep 22 22:42:31 EDT 2015


On 23 September 2015 at 01:52, Bastian Bittorf <bittorf at bluebottle.com> wrote:
> dnsmasq maintains dnsmasq.time across reboots and uses it as a means of
> determining if current time is good enough to validate dnssec time
> stamps.  By including /etc/dnsmasq.time as a time source for sysfixtime,
> the mechanism was effectively defeated because time was set to the last
> time that dnsmasq considered current even though that time is in
> the past.  Since that time is out of date, dns(sec) resolution would
> fail, thus defeating any ntp based mechanisms for setting the clock
> correctly.
>
> In theory the process is defeated by any files in /etc that are newer
> than /etc/dnsmasq.time; however, dnsmasq now updates the file's timestamp
> on process TERM, so hopefully /etc/dnsmasq.time is the latest file
> timestamp in /etc as part of OpenWrt shutdown/reboot.
>

In theory, a security sensitive mechanism's dependence on a
non-reliable timestamp file with access permission nobody:nogroup
makes little sense to me.  How about we do --dnssec-no-timecheck
at dnsmasq startup time and notify it of the system time change from
the ntpd hotplug script?

Another idea would be to delegate the timestamp update task to a specific
service program like ntpd or procd, and later, on system startup, we set
the system time from that specific file.

> Either way, including /etc/dnsmasq.time as a time source for sysfixtime
> is not helpful.

Agree.

                yousong

>
> To save time we don't read the file date of every file,
> but only the newest in each subdirectory of /etc and sort them.
> This speeds things up from 1.72 sec to 0.51 sec on my router.
>
> v1 - original concept from Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
> v2 - speedup + update copyright date
>
> Signed-off-by: Bastian Bittorf <bittorf at bluebottle.com>
> ---
>  package/base-files/files/etc/init.d/sysfixtime |   13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/package/base-files/files/etc/init.d/sysfixtime b/package/base-files/files/etc/init.d/sysfixtime
> index 4010e06..b3e3862 100755
> --- a/package/base-files/files/etc/init.d/sysfixtime
> +++ b/package/base-files/files/etc/init.d/sysfixtime
> @@ -1,11 +1,20 @@
>  #!/bin/sh /etc/rc.common
> -# Copyright (C) 2013-2014 OpenWrt.org
> +# Copyright (C) 2013-2015 OpenWrt.org
>
>  START=00
>
>  boot() {
>         local curtime="$(date +%s)"
> -       local maxtime="$(find /etc -type f -exec date -r {} +%s \; | sort -nr | head -n1)"
> +       local maxtime="$(maxtime)"
> +
>         [ $curtime -lt $maxtime ] && date -s @$maxtime
>  }
>
> +maxtime() {
> +       local dir file
> +
> +       find /etc -type d | while read dir; do
> +               file="$dir/$( ls -1t "$dir" | head -n1 )"
> +               [ -e "$file" -a "$file" != '/etc/dnsmasq.time' ] && date -r "$file" +%s
> +       done | sort -nr | head -n1
> +}
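Review bot: `ls -1t "$dir" | head -n1` in `maxtime()` returns the newest directory entry of any type, not the newest regular file, so the old `find -type f` guarantee is lost: a subdirectory (whose mtime moves whenever an entry is created or removed in it) or a symlink can be picked, dotfiles are skipped because `ls` hides them, and since the `/etc/dnsmasq.time` exclusion is tested only on that single entry, whenever `/etc/dnsmasq.time` is the newest entry in `/etc` (which the commit message says is the expected state after a clean shutdown) the whole top level of `/etc` contributes nothing instead of falling back to the next-newest file. Consider filtering inside the loop, e.g. `ls -1At "$dir" | while read -r file; do [ -f "$dir/$file" ] && [ "$dir/$file" != /etc/dnsmasq.time ] && date -r "$dir/$file" +%s && break; done`, so the first regular, non-excluded entry wins. Minor: `[ -e "$file" -a "$file" != ... ]` is better written as two `[ ]` tests joined with `&&` (`-a` is not portable), and `read` without `-r` mangles names containing backslashes.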



> --
> 1.7.10.4
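The two proposals in Yousong's reply (start dnsmasq with --dnssec-no-timecheck and tell it from the ntpd hotplug script when the clock becomes trustworthy, and keep the boot-time clock source in a dedicated file rather than /etc/dnsmasq.time), written out as an added example in POSIX sh. This is not code from the OpenWrt tree or from either poster; the function names `newest_mtime`, `pick_time` and `on_ntp_sync` are mine, `ACTION=stratum` is assumed to be what the busybox ntpd hotplug helper exports once a peer has been reached, and the time-file and pid-file paths are placeholders. `newest_mtime` also keeps the `-type f` filter of the old sysfixtime, so excluding one file never drops the rest of its directory.

```shell
#!/bin/sh
# Added example, not code from the OpenWrt tree or from either poster: the
# two ideas in the reply above as stand-alone POSIX sh, so the logic can be
# tried on a build host before touching /etc/init.d/sysfixtime.
#
#  newest_mtime DIR EXCLUDE  newest mtime (epoch seconds) of the regular
#                            files under DIR, skipping the path EXCLUDE
#  pick_time CUR MAX         sysfixtime's rule: the clock only moves forward
#  on_ntp_sync FILE PIDFILE  what an ntpd hotplug script would run once the
#                            clock is trusted: persist the time to FILE and
#                            tell dnsmasq about it with SIGINT
#
# Assumptions (not from the thread): dnsmasq is started with
# --dnssec-no-timecheck, which dnsmasq(8) documents as re-enabling the
# DNSSEC time checks on SIGINT; busybox ntpd's hotplug helper exports
# ACTION=stratum when a peer has been reached; FILE and PIDFILE are
# placeholders for whatever paths the system actually uses.

newest_mtime() {
    dir=$1
    exclude=$2
    max=0
    # -type f: only regular files count, so a directory whose mtime changed
    # because an entry was added or removed, or a dangling symlink, never
    # wins.  ! -path: the excluded file is skipped while the other files in
    # the same directory still take part.
    for t in $(find "$dir" -type f ! -path "$exclude" -exec date -r {} +%s \; 2>/dev/null); do
        if [ "$t" -gt "$max" ]; then max=$t; fi
    done
    echo "$max"
}

pick_time() {
    # Never move the clock backwards: a persisted time that is older than
    # the running clock is ignored, exactly like sysfixtime's -lt test.
    if [ "$1" -lt "$2" ]; then echo "$2"; else echo "$1"; fi
}

on_ntp_sync() {
    timefile=$1
    pidfile=$2
    # Only act on the "stratum" event, i.e. ntpd has actually synced
    # (assumed event name, see header comment).
    [ "${ACTION:-}" = stratum ] || return 0
    # Persist the trusted time for sysfixtime to read on the next boot; a
    # dedicated file, not /etc/dnsmasq.time, is the boot clock source.
    date +%s > "$timefile"
    # dnsmasq has been validating with time checks off since boot; SIGINT
    # turns them back on now that the clock is good.
    if [ -r "$pidfile" ]; then
        kill -INT "$(cat "$pidfile")" 2>/dev/null || :
    fi
    return 0
}

# Boot-time use (what sysfixtime's boot() would do with these helpers):
#   maxtime=$(newest_mtime /etc /etc/dnsmasq.time)
#   [ "$(date +%s)" -lt "$maxtime" ] && date -s "@$maxtime"
```

Installed as a hotplug script under the ntp hotplug directory, the script body reduces to sourcing these helpers and calling `on_ntp_sync` with the chosen paths; `newest_mtime` is the `find`-based variant of the patch's scan, slower than the per-directory `ls -1t` but immune to directories and symlinks winning the race.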
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel