Stuart Henderson writes:
> I think it only needs one not both - how about this which is a bit more
> targeted too?
>
> @exec-update [[ $(stat -f '%u:%g'
> ${LOCALSTATEDIR}/dnscrypt-proxy/public-resolvers.md 2>/dev/null) == 0:0 ]] &&
> chgrp -R _dnscrypt-proxy ${LOCALSTATEDIR}/dnscrypt-proxy && chmod -R ug+rwX
> ${LOCALSTATEDIR}/dnscrypt-proxy || true
>
Sorry for the lengthy response, but I just wanted to enumerate the
possible use-cases to be thorough.

sthen@'s diff has two problems. New installs forever remain owned by
_dnscrypt-proxy:_dnscrypt-proxy (see case 2). If parental-control.md is
used instead of public-resolvers.md, they forever remain root:wheel (see
case 3).

To resolve this I tweaked sthen@'s diff:
- stat != 0:688 instead of stat == 0:0
- chown instead of chgrp to be more explicit since we should handle changing
  _dnscrypt-proxy:_dnscrypt-proxy --> root:_dnscrypt-proxy

Three cases follow as tested with this fresh diff.

case 1: upgrading with use of public-resolvers.md
vulture$ ls -al /var/dnscrypt-proxy/
total 144
drwxr-xr-x 2 root wheel 512 Jun 16 18:10 .
drwxr-xr-x 26 root wheel 512 Jun 16 18:10 ..
-rw-r--r-- 1 root wheel 55606 Jun 16 18:10 public-resolvers.md
-rw-r--r-- 1 root wheel 307 Jun 16 18:10 public-resolvers.md.minisig
-rw-r--r-- 1 root wheel 6154 Jun 16 18:10 relays.md
-rw-r--r-- 1 root wheel 297 Jun 16 18:10 relays.md.minisig
vulture$ ls -al /var/dnscrypt-proxy/
total 144
drwxrwxr-x 2 root _dnscrypt-proxy 512 Jun 16 18:10 .
drwxr-xr-x 26 root wheel 512 Jun 16 18:10 ..
-rw-rw-r-- 1 root _dnscrypt-proxy 55606 Jun 16 18:10 public-resolvers.md
-rw-rw-r-- 1 root _dnscrypt-proxy 307 Jun 16 18:10 public-resolvers.md.minisig
-rw-rw-r-- 1 root _dnscrypt-proxy 6154 Jun 16 18:10 relays.md
-rw-rw-r-- 1 root _dnscrypt-proxy 297 Jun 16 18:10 relays.md.minisig
case 2: new installs
first, rm /var/dnscrypt-proxy/*
then install dnscrypt-proxy
then /etc/rc.d/dnscrypt-proxy restart
cache files get downloaded at runtime as:
vulture$ ls -al /var/dnscrypt-proxy/
total 144
drwxrwxr-x 2 root _dnscrypt-proxy 512 Jun 16 18:13 .
drwxr-xr-x 26 root wheel 512 Jun 16 18:10 ..
-rw-r--r-- 1 _dnscrypt-proxy _dnscrypt-proxy 55606 Jun 16 18:13 public-resolvers.md
-rw-r--r-- 1 _dnscrypt-proxy _dnscrypt-proxy 307 Jun 16 18:13 public-resolvers.md.minisig
-rw-r--r-- 1 _dnscrypt-proxy _dnscrypt-proxy 6154 Jun 16 18:13 relays.md
-rw-r--r-- 1 _dnscrypt-proxy _dnscrypt-proxy 297 Jun 16 18:13 relays.md.minisig
once dnscrypt-proxy gets updated to 2.0.45 in the future (not 2.0.44),
cache files get 664 root:_dnscrypt-proxy because @exec-update finally
gets to run.
vulture$ ls -al /var/dnscrypt-proxy/
total 144
drwxrwxr-x 2 root _dnscrypt-proxy 512 Jun 16 18:13 .
drwxr-xr-x 26 root wheel 512 Jun 16 18:10 ..
-rw-rw-r-- 1 root _dnscrypt-proxy 55606 Jun 16 18:13 public-resolvers.md
-rw-rw-r-- 1 root _dnscrypt-proxy 307 Jun 16 18:13 public-resolvers.md.minisig
-rw-rw-r-- 1 root _dnscrypt-proxy 6154 Jun 16 18:13 relays.md
-rw-rw-r-- 1 root _dnscrypt-proxy 297 Jun 16 18:13 relays.md.minisig
case 3: upgrading for users that choose not to use public-resolvers.md
but their own custom file / parental-control.md (which is a subset of
public-resolvers.md)
The whole point of correct permissions is so that dnscrypt-proxy can
periodically refresh cache files after time_delay. However, some users
use a hardcoded cache file and do not want automatic updating.
The only drawback is that we now force ownership of these custom files, but this
may be acceptable since we handle the much more common case of using
public-resolvers.md.
This actually surprisingly works after upgrading even though
public-resolvers.md does not exist. stat on public-resolvers is still !=
0:688.
2.0.42:
vulture$ ls -al /var/dnscrypt-proxy/
total 44
drwxr-xr-x 2 root wheel 512 Jun 16 18:34 .
drwxr-xr-x 26 root wheel 512 Jun 16 18:33 ..
-rw-r--r-- 1 root wheel 5011 Jun 16 18:34 parental-control.md
-rw-r--r-- 1 root wheel 307 Jun 16 18:34 parental-control.md.minisig
-rw-r--r-- 1 root wheel 6154 Jun 16 18:33 relays.md
-rw-r--r-- 1 root wheel 297 Jun 16 18:33 relays.md.minisig
upgrading to 2.0.44:
vulture$ ls -al /var/dnscrypt-proxy/
total 44
drwxrwxr-x 2 root _dnscrypt-proxy 512 Jun 16 18:34 .
drwxr-xr-x 26 root wheel 512 Jun 16 18:33 ..
-rw-rw-r-- 1 root _dnscrypt-proxy 5011 Jun 16 18:34 parental-control.md
-rw-rw-r-- 1 root _dnscrypt-proxy 307 Jun 16 18:34 parental-control.md.minisig
-rw-rw-r-- 1 root _dnscrypt-proxy 6154 Jun 16 18:33 relays.md
-rw-rw-r-- 1 root _dnscrypt-proxy 297 Jun 16 18:33 relays.md.minisig
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
retrieving revision 1.53
diff -u -p -u -p -r1.53 Makefile
--- Makefile 6 Apr 2020 18:42:57 -0000 1.53
+++ Makefile 17 Jun 2020 06:25:51 -0000
@@ -4,7 +4,7 @@ COMMENT = flexible DNS proxy with suppor
GH_ACCOUNT = jedisct1
GH_PROJECT = dnscrypt-proxy
-GH_TAGNAME = 2.0.42
+GH_TAGNAME = 2.0.44
CATEGORIES = net
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/distinfo,v
retrieving revision 1.29
diff -u -p -u -p -r1.29 distinfo
--- distinfo 6 Apr 2020 18:42:57 -0000 1.29
+++ distinfo 17 Jun 2020 06:25:51 -0000
@@ -1,2 +1,2 @@
-SHA256 (dnscrypt-proxy-2.0.42.tar.gz) =
wADKThWcZgbLNHbqnjTtZLXEbHENcMxWUfFPESXI01I=
-SIZE (dnscrypt-proxy-2.0.42.tar.gz) = 2324442
+SHA256 (dnscrypt-proxy-2.0.44.tar.gz) =
wsmWjwekFOlz7Fc09FmNdWo1wyvu2xgmhZDqE1V5Qjc=
+SIZE (dnscrypt-proxy-2.0.44.tar.gz) = 2279842
Index: patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml
===================================================================
RCS file:
/cvs/ports/net/dnscrypt-proxy/patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml,v
retrieving revision 1.13
diff -u -p -u -p -r1.13 patch-dnscrypt-proxy_example-dnscrypt-proxy_toml
--- patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 23 Mar 2020
05:16:43 -0000 1.13
+++ patches/patch-dnscrypt-proxy_example-dnscrypt-proxy_toml 17 Jun 2020
06:25:51 -0000
@@ -12,7 +12,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p
## Require servers (from static + remote sources) to satisfy specific
properties
-@@ -585,7 +585,7 @@ cache_neg_max_ttl = 600
+@@ -594,7 +594,7 @@ cache_neg_max_ttl = 600
[sources.'public-resolvers']
urls =
['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/public-resolvers.md',
'https://download.dnscrypt.info/resolvers-list/v2/public-resolvers.md']
@@ -21,7 +21,7 @@ Index: dnscrypt-proxy/example-dnscrypt-p
minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
prefix = ''
-@@ -593,7 +593,7 @@ cache_neg_max_ttl = 600
+@@ -602,7 +602,7 @@ cache_neg_max_ttl = 600
[sources.'relays']
urls =
['https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v2/relays.md',
'https://download.dnscrypt.info/resolvers-list/v2/relays.md']
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/PLIST,v
retrieving revision 1.2
diff -u -p -u -p -r1.2 PLIST
--- pkg/PLIST 22 Dec 2019 14:12:47 -0000 1.2
+++ pkg/PLIST 17 Jun 2020 06:25:51 -0000
@@ -16,4 +16,8 @@ share/examples/dnscrypt-proxy/example-dn
share/examples/dnscrypt-proxy/example-forwarding-rules.txt
share/examples/dnscrypt-proxy/example-ip-blacklist.txt
share/examples/dnscrypt-proxy/example-whitelist.txt
+@mode 775
+@group _dnscrypt-proxy
@sample ${LOCALSTATEDIR}/dnscrypt-proxy/
+@comment fix perms for upgrades since privsep downloaded cache files in 2.0.43
+@exec-update [[ $(stat -f '%u:%g'
${LOCALSTATEDIR}/dnscrypt-proxy/public-resolvers.md 2>/dev/null) != 0:688 ]] &&
chown -R root:_dnscrypt-proxy ${LOCALSTATEDIR}/dnscrypt-proxy && chmod -R
ug+rwX ${LOCALSTATEDIR}/dnscrypt-proxy || true
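
Review bot: The guard in the @exec-update line compares against the numeric pair 0:688, so it silently depends on _dnscrypt-proxy having gid 688 on every system; comparing names with stat -f '%Su:%Sg' against root:_dnscrypt-proxy would match the chown target on the same line and keep the two from drifting apart. The test only looks at public-resolvers.md, and with 2>/dev/null a missing file yields an empty string that also differs from 0:688, so the recursive chown and chmod run on every update for anyone without that file; if that is intended, say so in the @comment. The trailing || true also hides a failed chown or chmod, so an upgrade that leaves the old ownership in place reports nothing.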
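
As an added example, not part of the original message or the port: a small POSIX sh/awk check that classifies `ls -al` output for the cache directory into the three ownership states the message walks through. The state names (OK, RUNTIME, FIX), the function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): classify `ls -al` lines for
# the dnscrypt-proxy cache directory against the state the PLIST change aims
# for: owner root, group _dnscrypt-proxy, group-writable.
# Assumes file names without spaces, as in the listings in the message.

classify_listing() {
    # stdin: `ls -al` output; stdout: one "STATE name" line per entry.
    awk -v grp="_dnscrypt-proxy" '
        NF < 9 || $9 == ".." { next }   # skip the "total" line and the parent dir
        {
            owner = $3; group = $4; name = $9
            group_write = (substr($1, 6, 1) == "w")   # 6th char of the mode string
            if (owner == "root" && group == grp && group_write)
                state = "OK"        # what @mode/@group/@exec-update produce
            else if (owner == grp && group == grp)
                state = "RUNTIME"   # written by the unprivileged daemon (case 2)
            else
                state = "FIX"       # e.g. root:wheel left by an older package
            print state, name
        }'
}

count_state() {
    # $1: state name, $2: listing text; prints how many entries are in that state.
    printf '%s\n' "$2" | classify_listing |
        awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Constructed sample mixing the three situations shown in the message.
SAMPLE='total 144
drwxrwxr-x   2 root             _dnscrypt-proxy    512 Jun 16 18:13 .
drwxr-xr-x  26 root             wheel              512 Jun 16 18:10 ..
-rw-r--r--   1 _dnscrypt-proxy  _dnscrypt-proxy  55606 Jun 16 18:13 public-resolvers.md
-rw-rw-r--   1 root             _dnscrypt-proxy    297 Jun 16 18:13 relays.md.minisig
-rw-r--r--   1 root             wheel             5011 Jun 16 18:34 parental-control.md'

printf '%s\n' "$SAMPLE" | classify_listing
```

On a real system the input would be `ls -al /var/dnscrypt-proxy/`; entries reported as FIX are the ones the daemon cannot refresh.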