Subject: dnscrypt-proxy: system user incompletely installed
Package: dnscrypt-proxy
Version: 1.9.4-1
Severity: grave

Dear Maintainer,

1] APOLOGY (kind of):

This is the first time I'm reporting a bug as 'grave', and I'm hesitant to do so, but I guess that most bugs associated with this package are 'grave' because when DNS doesn't resolve, many other packages cease to function.

2] SYMPTOMS / INDICATIONS:

The package would not resolve DNS queries, and the daemon.log would indicate that the package was repeatedly attempting and failing to refetch server certificates, although it would initially succeed in obtaining a server certificate.

3] FIX:

The installation script(s) for this package create a system user named _dnscrypt-proxy (with a leading underscore) and set its home directory as /run/dnscrypt-proxy, but:

3.1] The home directory is not created. It seems to need to exist, owned by the '_dnscrypt-proxy' user, though I don't see any files placed there. 755 permissions worked for me.

3.1.1] That being the case, the home directory should be moved to a folder that persists across boots.

3.2] When the user is created, no associated user group is created. Setting the home directory to 'nogroup' does seem to work, but it's not pretty.

3.3] The default configuration file /etc/dnscrypt-proxy.conf is inconsistent with the Debian default configuration in that it's missing a line 'User _dnscrypt-proxy'.

3.4] The file /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv was out-of-date and needed to be retrieved from https://download.dnscrypt.org/dnscrypt-proxy/dnscrypt-resolvers.csv. Also the documented references to the local path for the file are wrong.

3.5] The package is missing an init script. You may not want to address this particular point if you're ideologically systemd, but in case you choose to include a SysVinit option, the /etc/init.d/dnscrypt file that works for me is included in-line below.

3.6] As quibbles:

3.6.1] In all of Debian, what other system user is labeled with a leading underscore? Please consider a normal user/group name.

3.6.2] The current name assignments are internally inconsistent, and inconsistent with how other Debian system daemons assign names. If you want the daemon to be called 'dnscrypt', then don't name the user '_dnscrypt-proxy' and the home directory 'dnscrypt-proxy'. (personal vote: everything named 'dnscrypt')

--------------- begin /etc/init.d/dnscrypt ------------------------
#!/bin/sh
### BEGIN INIT INFO
# Provides:          dnscrypt
# Required-Start:    $network $local_fs
# Required-Stop:     $network $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: DNSCrypt
# Description:       Launch the dnscrypt proxy
### END INIT INFO

DAEMON="/usr/sbin/dnscrypt-proxy"
NAME="dnscrypt"

dnscrypt_start()
{
    echo "Starting dnscrypt"
    # Drop privileges to the packaged system user after binding the socket.
    $DAEMON \
        --daemonize \
        --local-address=127.0.2.1:53 \
        --resolver-name=random \
        --user=_dnscrypt-proxy
#   $DAEMON --daemonize --ephemeral-keys --user=dnscrypt \
#       --local-address=127.0.2.1 --resolver-name=$RESOLVER_1
#   $DAEMON --daemonize --ephemeral-keys --user=dnscrypt \
#       --local-address=127.0.2.2 --resolver-name=$RESOLVER_2
}

dnscrypt_stop()
{
    echo "Stopping dnscrypt"
    # Match the running process by its executable path.
    start-stop-daemon --oknodo --stop --quiet --retry=0/3/KILL/3 --exec "$DAEMON" > /dev/null
}

case "$1" in
    start)
        dnscrypt_start
        ;;
    stop)
        dnscrypt_stop
        ;;
    restart|force-reload)
        dnscrypt_stop
        dnscrypt_start
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0
--------------- end /etc/init.d/dnscrypt ------------------------

-- System Information:
Distributor ID: Devuan
Description:    Devuan GNU/Linux 1.0 (jessie)
Release:        1.0
Codename:       jessie
Architecture:   x86_64

Kernel: Linux 4.5.0-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages dnscrypt-proxy depends on:
ii  adduser              3.113+nmu3
ii  init-system-helpers  1.24+devuan1.0
ii  libc6                2.24-9
ii  libltdl7             2.4.6-2
ii  libsodium18          1.0.11-1
ii  libsystemd0          230-7~bpo8+2
ii  lsb-base             4.1+devuan2

dnscrypt-proxy recommends no packages.

Versions of packages dnscrypt-proxy suggests:
pn  resolvconf  <none>

-- Configuration Files:
/etc/dnscrypt-proxy/dnscrypt-proxy.conf changed [not included]

-- debconf information excluded

-- 
hkp://keys.gnupg.net
CA45 09B5 5351 7C11 A9D1 7286 0036 9E45 1595 8BC0
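
Added example (not part of the report above and not code from the package): a shell check for the privilege-drop account conditions listed in points 3.1 to 3.3, run against a constructed fixture tree. The function names, the ROOT prefix argument, the finding labels and the fixture contents are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: audit the account a daemon drops privileges to.
# Usage: audit_daemon_user USER PASSWD GROUP CONF [ROOT]
# ROOT is a hypothetical path prefix so the check can run on a fixture tree.
audit_daemon_user() {
    user=$1; passwd=$2; group=$3; conf=$4; root=${5:-}
    entry=$(grep "^${user}:" "$passwd") || { echo "user-missing"; return 0; }
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    gid=$(printf '%s\n' "$entry" | cut -d: -f4)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)

    # 3.1: the home directory must exist and be owned by the daemon user.
    if [ ! -d "$root$home" ]; then
        echo "home-missing"
    elif [ "$(ls -ldn "$root$home" | awk '{print $3}')" != "$uid" ]; then
        echo "home-wrong-owner"
    fi
    # 3.1.1: a home under /run does not persist across boots.
    case $home in /run/*|/var/run/*) echo "home-volatile" ;; esac
    # 3.2: the primary GID should resolve to a dedicated group, not nogroup.
    gname=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$group")
    case $gname in ''|nogroup) echo "no-dedicated-group" ;; esac
    # 3.3: the configuration file should name the unprivileged user.
    grep -Eq "^[[:space:]]*User[[:space:]]+${user}[[:space:]]*\$" "$conf" ||
        echo "conf-missing-user"
}

# Constructed fixture mirroring the state described in the report:
# no home directory, primary group nogroup, no User line in the config.
make_fixture() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/run"
    printf '_dnscrypt-proxy:x:%s:65534::/run/dnscrypt-proxy:/bin/false\n' \
        "$(id -u)" > "$t/etc/passwd"
    printf 'nogroup:x:65534:\n' > "$t/etc/group"
    printf '# constructed sample config without a User line\n' \
        > "$t/etc/dnscrypt-proxy.conf"
    echo "$t"
}

t=$(make_fixture)
audit_daemon_user _dnscrypt-proxy "$t/etc/passwd" "$t/etc/group" \
    "$t/etc/dnscrypt-proxy.conf" "$t"
rm -rf "$t"
```

On a live system the same function can be pointed at /etc/passwd, /etc/group and the daemon's configuration file with ROOT left empty.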