
doh-server not starting when key file is only readable by root

Open josvo opened this issue 6 years ago • 6 comments

Hello

In doh-server.conf you can set a cert and key file. However, when the key file is only readable by root, the service won't start:

```
[root@testserver ~]# ls -l test.key
-r-------- 1 root root 1675 21. Sep 17:52 test.key
```

```
systemctl status doh-server
● doh-server.service - DNS-over-HTTPS Server
   Loaded: loaded (/usr/lib/systemd/system/doh-server.service; disabled; vendor preset: disabled)
   Active: activating (auto-restart) since Mon 2018-09-24 10:08:34 CEST; 949ms ago
     Docs: https://github.com/m13253/dns-over-https
  Process: 152070 ExecStart=/usr/local/bin/doh-server -conf /etc/dns-over-https/doh-server.conf (code=exited, status=0/SUCCESS)
 Main PID: 152070 (code=exited, status=0/SUCCESS)
```

It works when permissions are set to 444. I checked the service which drops its privileges and is then using AmbientCapabilities to bind to port 443; however I don't know how to read the file as user nobody with AmbientCapabilities.

josvo avatar Sep 24 '18 08:09 josvo

Thank you for your report!

Actually this is an old problem. But since I found a good DoH server also requires OCSP Stapling, which I can not provide in a few lines of code, I started to recommend users to set up an Nginx / Caddy / Apache server in front of DoH. (So that this bug will not occur)

Do you have any better idea? For example, a cross-platform implementation of privilege dropping.

m13253 avatar Sep 24 '18 16:09 m13253

I did a quick search but it doesn't look as if this would be easily possible. The only thing that comes to my mind is to create its own user and then give the read privileges for the private key to this user, instead of the user nobody. This also might be better because as soon as there is more than one process running as user "nobody", there would be a problem anyway. You are of course right with OCSP Stapling, which still would not be solved.

josvo avatar Sep 25 '18 10:09 josvo
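An added example (not from the project or from either commenter) of the dedicated-user approach suggested above, as a systemd drop-in for the `doh-server.service` unit shown in the status output: the service runs as an unprivileged account that belongs to a group allowed to read the key, while `CAP_NET_BIND_SERVICE` still lets it bind port 443. The user and group name `doh`, the drop-in path and the key path are assumptions; the unit name and `ExecStart` are the ones from the thread.

```ini
# /etc/systemd/system/doh-server.service.d/override.conf   (drop-in path is an assumption)
#
# One-time preparation as root (assumed commands; the key path is a placeholder):
#   useradd --system --no-create-home --shell /usr/sbin/nologin doh
#   chown root:doh /etc/dns-over-https/test.key
#   chmod 0640 /etc/dns-over-https/test.key    # root: rw, group doh: r, others: nothing
#   systemctl daemon-reload && systemctl restart doh-server
#
# Check afterwards:
#   systemctl status doh-server      # should show "active (running)", not "auto-restart"
#   ls -l /etc/dns-over-https/test.key   # expect: -rw-r----- root doh

[Service]
# A dedicated account instead of the shared "nobody" user: only this service
# (not every other process that also runs as nobody) can read the private key.
User=doh
Group=doh

# Port 443 is bound through the capability; the key is read through ordinary
# group permission. No capability grants file access, which is why
# AmbientCapabilities alone could not make a 0400 root-owned key readable.
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=yes

# Limit what the process can reach if it is ever compromised.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
```

The drop-in overrides `User=` from the packaged unit (single-value setting) and merges its capability sets with any the packaged unit already declares.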

> You are of course right with OCSP Stapling, which still would not be solved.

I tried to search for an easy OCSP Stapling library for Go, but came up with no good solution. Actually, when OCSP Stapling is available, I would certainly provide a better experience in running doh-server in standalone mode.

I know Caddy (an HTTP server written in Go) has OCSP Stapling by default. Maybe I need to check their code. But my intuition tells me it won't be so easy.

Anyway, I recommend running a frontend load-balancer and doing HTTPS there at the moment.

m13253 avatar Sep 25 '18 15:09 m13253

> I tried to search for an easy OCSP Stapling library for Go, but came up with no good solution. Actually, when OCSP Stapling is available, I would certainly provide a better experience in running doh-server in standalone mode.

You have done a great job with dns-over-https so far, keep on the good work! 👍 In case you implement OCSP Stapling, I'd be happy to test!

josvo avatar Sep 26 '18 21:09 josvo

I guess this could be done after https://github.com/golang/go/issues/40017?

gdm85 avatar Sep 03 '22 09:09 gdm85

> I guess this could be done after golang/go#40017?

This doesn't seem enough. We need to get net/http.HTTPServer to support OCSP stapling.

m13253 avatar Sep 19 '22 00:09 m13253

Due to technical limitations of Golang’s HTTP server, we still need to put a load balancer in front of doh-server. Therefore, I don’t have any plan to completely solve this issue. There is no way to fix it as of now.

m13253 avatar Sep 09 '23 10:09 m13253