projects / openwrt / staging / blogic.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 162e016)
dnsmasq: tighten config file permissions
authorKevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Thu, 11 Oct 2018 08:46:42 +0000 (09:46 +0100)
committerKevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Tue, 30 Oct 2018 09:25:32 +0000 (09:25 +0000)
Install following as config files (600) perms instead of as data (644)

/usr/share/dnsmasq/dhcpbogushostname.conf
/usr/share/dnsmasq/trust-anchors.conf
/usr/share/dnsmasq/rfc6761.conf
/etc/hotplug.d/ntp/25-dnsmasqsec
/etc/config/dhcp
/etc/dnsmasq.conf

dnsmasq reads relevant config files before dropping root privilege and
running as dnsmasq:dnsmasq

ntpd runs as root so the hotplug script is still accessible

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
package/network/services/dnsmasq/Makefile patch | blob | history

diff --git a/package/network/services/dnsmasq/Makefile b/package/network/services/dnsmasq/Makefile
index 5e76579e4b02a1bffe19ec8aeaa44b45ac7dbd0f..59f5fb61582a7d32f5fdef5ac9b750f29cec376e 100644 (file)
--- a/package/network/services/dnsmasq/Makefile
+++ b/package/network/services/dnsmasq/Makefile
@@ -156,18 +156,18 @@ define Package/dnsmasq/install
        $(INSTALL_DIR) $(1)/usr/sbin
        $(CP) $(PKG_INSTALL_DIR)/usr/sbin/dnsmasq $(1)/usr/sbin/
        $(INSTALL_DIR) $(1)/etc/config
-       $(INSTALL_DATA) ./files/dhcp.conf $(1)/etc/config/dhcp
-       $(INSTALL_DATA) ./files/dnsmasq.conf $(1)/etc/dnsmasq.conf
+       $(INSTALL_CONF) ./files/dhcp.conf $(1)/etc/config/dhcp
+       $(INSTALL_CONF) ./files/dnsmasq.conf $(1)/etc/dnsmasq.conf
        $(INSTALL_DIR) $(1)/etc/init.d
        $(INSTALL_BIN) ./files/dnsmasq.init $(1)/etc/init.d/dnsmasq
        $(INSTALL_DIR) $(1)/etc/hotplug.d/dhcp
        $(INSTALL_DIR) $(1)/etc/hotplug.d/neigh
        $(INSTALL_DIR) $(1)/etc/hotplug.d/ntp
        $(INSTALL_DIR) $(1)/etc/hotplug.d/tftp
-       $(INSTALL_DATA) ./files/dnsmasqsec.hotplug $(1)/etc/hotplug.d/ntp/25-dnsmasqsec
+       $(INSTALL_CONF) ./files/dnsmasqsec.hotplug $(1)/etc/hotplug.d/ntp/25-dnsmasqsec
        $(INSTALL_DIR) $(1)/usr/share/dnsmasq
-       $(INSTALL_DATA) ./files/dhcpbogushostname.conf $(1)/usr/share/dnsmasq/
-       $(INSTALL_DATA) ./files/rfc6761.conf $(1)/usr/share/dnsmasq/
+       $(INSTALL_CONF) ./files/dhcpbogushostname.conf $(1)/usr/share/dnsmasq/
+       $(INSTALL_CONF) ./files/rfc6761.conf $(1)/usr/share/dnsmasq/
        $(INSTALL_DIR) $(1)/usr/lib/dnsmasq
        $(INSTALL_BIN) ./files/dhcp-script.sh $(1)/usr/lib/dnsmasq/dhcp-script.sh
        $(INSTALL_DIR) $(1)/usr/share/acl.d
@@ -180,7 +180,7 @@ define Package/dnsmasq-full/install
 $(call Package/dnsmasq/install,$(1))
 ifneq ($(CONFIG_PACKAGE_dnsmasq_full_dnssec),)
        $(INSTALL_DIR) $(1)/usr/share/dnsmasq
-       $(INSTALL_DATA) $(PKG_BUILD_DIR)/trust-anchors.conf $(1)/usr/share/dnsmasq
+       $(INSTALL_CONF) $(PKG_BUILD_DIR)/trust-anchors.conf $(1)/usr/share/dnsmasq
 endif
 endef
 
John Crispins staging tree