Credit goes to Larry Hynes for e-mailing me with a bug report where cache files in /var/dnscrypt-proxy/* cannot be periodically updated. Everything quoted with > that follows is from Larry Hynes' bug report.

> There is, I think, possibly a permissions issue with the default
> install of dnscrypt-proxy:
>
> pkg_add installs the directory
>
> /var/dnscrypt-proxy
>
> with owner:group
>
> root:wheel
>
> dnscrypt-proxy periodically attempts to update the files in there e.g.
>
> public-resolvers.md
>
> but it does so with the owner:group under which it runs i.e.
>
> _dnscrypt-proxy:_dnscrypt-proxy
>
> so it fails to update the list of resolvers.
>
> Relevant log snippet:
>
> ------
> Mar 13 21:29:04 foo dnscrypt-proxy[55126]: /var/dnscrypt-proxy/relays.md:
> chtimes /var/dnscrypt-proxy/relays.md: operation not permitted
> Mar 13 21:29:05 foo dnscrypt-proxy[55126]:
> /var/dnscrypt-proxy/public-resolvers.md: open
> /var/dnscrypt-proxy/sf-dc6tvrzwb25llprh.tmp: permission denied
> ------
>
> $ chown -R _dnscrypt-proxy:_dnscrypt-proxy /var/dnscrypt-proxy
>
> fixes the issue.
>
> Do you think it would be possible (or advisable?) to have the
> installer use the owner and group that dnscrypt-proxy runs under? Or
> have I misunderstood this situation?

Here is a diff that:

- Updates to dnscrypt-proxy 2.0.42, released March 26, 2020. Changelogs:

  https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.42/ChangeLog
  https://github.com/DNSCrypt/dnscrypt-proxy/blob/2.0.41/ChangeLog

- Fixes being unable to update cache files in /var/dnscrypt-proxy/* by
  adding group write permissions for _dnscrypt-proxy.

before:

drwxr-xr-x   2 root  wheel   512B Mar 20 13:04 .
drwxr-xr-x  26 root  wheel   512B Mar  4 18:20 ..
-rw-r--r--   1 root  wheel  50.3K Mar 22 05:13 public-resolvers.md
-rw-r--r--   1 root  wheel   307B Mar 20 13:04 public-resolvers.md.minisig
-rw-r--r--   1 root  wheel   7.2K Mar 22 05:13 relays.md
-rw-r--r--   1 root  wheel   297B Mar 15 17:09 relays.md.minisig

after:

$ ls -lah /var/dnscrypt-proxy/
total 132
drwxr-xr-x   2 _dnscrypt-proxy  _dnscrypt-proxy   512B Mar 26 17:12 .
drwxr-xr-x  26 root             wheel             512B Mar 26 17:12 ..
-rw-rw-r--   1 root             _dnscrypt-proxy  50.3K Mar 26 17:12 public-resolvers.md
-rw-rw-r--   1 root             _dnscrypt-proxy   307B Mar 26 17:12 public-resolvers.md.minisig
-rw-rw-r--   1 root             _dnscrypt-proxy   5.4K Mar 26 17:12 relays.md
-rw-rw-r--   1 root             _dnscrypt-proxy   297B Mar 26 17:12 relays.md.minisig

It does this through manual plist editing to change user and group
ownership to _dnscrypt-proxy:_dnscrypt-proxy (cribbed from games/yquake2)
and a light patch to call chmod.

Currently the program does the following:

1. Fetch cache files as root.
2. Do some more setup.
3. Drop privileges by running as the _dnscrypt-proxy user.
4. Periodically fail to update the cache files as _dnscrypt-proxy.

I will report the issue upstream on github once it opens up again for
reporting new issues. An optimal solution will involve fetching the cache
files as _dnscrypt-proxy and should be handled upstream.

If periodic updates failing is not important and is out of scope of the
port, I would be fine with leaving it off.

Feedback and tests are welcome. I do not know golang so some eyes on the
new patch would be nice.

I tested and observed that /var/log/messages no longer displays
permissions errors. Relevant options in /etc/dnscrypt-proxy.toml to use
/var/log/messages:

log_level = 2
use_syslog = true

Index: Makefile
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/Makefile,v
retrieving revision 1.52
diff -u -p -r1.52 Makefile
--- Makefile	23 Mar 2020 05:16:43 -0000	1.52
+++ Makefile	27 Mar 2020 01:52:09 -0000
@@ -4,7 +4,7 @@ COMMENT =	flexible DNS proxy with suppor
 
 GH_ACCOUNT =	jedisct1
 GH_PROJECT =	dnscrypt-proxy
-GH_TAGNAME =	2.0.40
+GH_TAGNAME =	2.0.42
 
 CATEGORIES =	net
 
Index: distinfo
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/distinfo,v
retrieving revision 1.28
diff -u -p -r1.28 distinfo
--- distinfo	23 Mar 2020 05:16:43 -0000	1.28
+++ distinfo	27 Mar 2020 01:52:09 -0000
@@ -1,2 +1,2 @@
-SHA256 (dnscrypt-proxy-2.0.40.tar.gz) = F/lc+eOM6GSonc76MKTC4j14+zUUzTVnpg96DfwTPXg=
-SIZE (dnscrypt-proxy-2.0.40.tar.gz) = 2322600
+SHA256 (dnscrypt-proxy-2.0.42.tar.gz) = wADKThWcZgbLNHbqnjTtZLXEbHENcMxWUfFPESXI01I=
+SIZE (dnscrypt-proxy-2.0.42.tar.gz) = 2324442
Index: patches/patch-dnscrypt-proxy_sources_go
===================================================================
RCS file: patches/patch-dnscrypt-proxy_sources_go
diff -N patches/patch-dnscrypt-proxy_sources_go
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ patches/patch-dnscrypt-proxy_sources_go	27 Mar 2020 01:52:09 -0000
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+Fixes being unable to update cache files in /var/dnscrypt-proxy/* by adding
+group write permissions for _dnscrypt-proxy.
+
+Index: dnscrypt-proxy/sources.go
+--- dnscrypt-proxy/sources.go.orig
++++ dnscrypt-proxy/sources.go
+@@ -117,6 +117,8 @@ func (source *Source) writeToCache(bin, sig []byte, no
+ 		}
+ 	}
+ 	writeErr = os.Chtimes(f, now, now)
++	_ = os.Chmod(f, 0664)
++	_ = os.Chmod(f+".minisig", 0664)
+ }
+ 
+ func (source *Source) parseURLs(urls []string) {
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/net/dnscrypt-proxy/pkg/PLIST,v
retrieving revision 1.2
diff -u -p -r1.2 PLIST
--- pkg/PLIST	22 Dec 2019 14:12:47 -0000	1.2
+++ pkg/PLIST	27 Mar 2020 01:52:09 -0000
@@ -16,4 +16,6 @@ share/examples/dnscrypt-proxy/example-dn
 share/examples/dnscrypt-proxy/example-forwarding-rules.txt
 share/examples/dnscrypt-proxy/example-ip-blacklist.txt
 share/examples/dnscrypt-proxy/example-whitelist.txt
+@owner _dnscrypt-proxy
+@group _dnscrypt-proxy
 @sample ${LOCALSTATEDIR}/dnscrypt-proxy/
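Review bot: the Makefile hunk bumps GH_TAGNAME two releases (2.0.40 to 2.0.42) in the same diff that changes directory ownership in PLIST and adds a patch to sources.go. Splitting the plain update from the permissions fix would let the update go in on its own while the chmod patch, which the mail itself asks for extra eyes on, is still being discussed.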
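Review bot: in the patch-dnscrypt-proxy_sources_go hunk, the two chmod calls fix neither of the two failures in the quoted log, so the patch header's claim that group write "fixes being unable to update cache files" overstates what it does. The `open .../sf-dc6tvrzwb25llprh.tmp: permission denied` line shows the writer creating a temp file in the directory, which needs write permission on the directory, not on the final file; that is what the @owner/@group change on the @sample'd directory in PLIST provides, and it is the likely reason the test run came back clean. The `chtimes ...: operation not permitted` line is an ownership check: setting explicit timestamps (what os.Chtimes does) is only allowed to the file's owner or root, and group write on the file does not satisfy it, so a cache file that stays root-owned, as all four still are in the "after" listing, can keep logging EPERM on a refresh that does not rewrite it. If the chmod stays, it should not discard its error with `_ =` while the line above it records one into writeErr; something like
+	if err := os.Chmod(f, 0664); err != nil && writeErr == nil {
+		writeErr = err
+	}
keeps the failure visible, and the header should say that 0664 is an OpenBSD packaging choice rather than something intended for upstream.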
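Review bot: in the pkg/PLIST hunk, @owner and @group are never reset after the @sample line. Nothing follows it today, so the effect is the same, but the usual form in the tree is a bare @owner and @group right after the sampled entry so that a future addition to the PLIST does not silently get installed as _dnscrypt-proxy. Worth a sentence in the commit message as well: the directory is now writable by the same unprivileged account that parses the resolver lists, so a compromised proxy can rewrite its own inputs, and the .minisig files beside them are what is relied on to keep that from mattering.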
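An added example, not part of this mail or of the dnscrypt-proxy source: a POSIX sh check for the situation the numbered steps above describe, a daemon that fetches as root and then drops to a service user. It separates the two operations that fail in Larry's log, creating a temp file (needs write permission on the directory) and setting explicit timestamps (needs to own the file or be root, per utimes(2)), and reports which of them a given directory layout would refuse. The function names, the rule encoding and the directory layout used in the test are this example's own assumptions; the service user name is the one from the port.

```shell
#!/bin/sh
# Added example (not dnscrypt-proxy code): audit whether a service user can
# maintain a cache directory the way a temp-file-and-replace writer followed
# by chtimes does. Function names are this example's own.
#
# Rules encoded (assumed POSIX semantics, see utimes(2)):
#   - creating or renaming a file in DIR needs write permission on DIR itself
#   - setting explicit timestamps on FILE needs to own FILE (or be root)

# mode_of PATH  -> 10-char mode string, e.g. drwxr-xr-x
mode_of()  { ls -ld "$1" | cut -c1-10; }
# owner_of PATH -> owning user name
owner_of() { ls -ld "$1" | awk '{print $3}'; }
# group_of PATH -> owning group name
group_of() { ls -ld "$1" | awk '{print $4}'; }

# can_write PATH USER GROUP -> 0 if USER (a member of GROUP) has write
# permission on PATH via the owner, group or other bits; root always passes.
can_write() {
  [ "$2" = root ] && return 0
  m=$(mode_of "$1")
  if [ "$(owner_of "$1")" = "$2" ]; then
    [ "$(printf %s "$m" | cut -c3)" = w ]
  elif [ "$(group_of "$1")" = "$3" ]; then
    [ "$(printf %s "$m" | cut -c6)" = w ]
  else
    [ "$(printf %s "$m" | cut -c9)" = w ]
  fi
}

# can_chtimes PATH USER -> 0 if USER may set explicit timestamps on PATH
# (ownership, not write permission, is what counts here)
can_chtimes() { [ "$2" = root ] || [ "$(owner_of "$1")" = "$2" ]; }

# audit_cache_dir DIR USER GROUP -> one line per entry; returns 1 if any
# operation the daemon performs after dropping privileges would be refused.
audit_cache_dir() {
  rc=0
  if can_write "$1" "$2" "$3"; then
    echo "ok    $1: $2 can create temp files and replace entries here"
  else
    echo "FAIL  $1: $2 cannot create temp files here (open .tmp would fail)"
    rc=1
  fi
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if can_chtimes "$f" "$2"; then
      echo "ok    $f: owned by $2, chtimes allowed"
    else
      echo "WARN  $f: owned by $(owner_of "$f"), chtimes as $2 would get EPERM"
      rc=1
    fi
  done
  return $rc
}

# Usage on the port's layout (output depends on the host, so none is shown):
#   audit_cache_dir /var/dnscrypt-proxy _dnscrypt-proxy _dnscrypt-proxy
```

Run against the "after" listing in the mail, the directory line passes and each root-owned file gets a WARN: the daemon can replace the files (the temp file and rename only need the directory), but a refresh that merely updates a timestamp on a file root wrote still needs ownership, which neither the PLIST change nor a 0664 mode grants.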
