dns_server: fix create cert failed when run as nobody with bind-tls feature

src/dns_conf.c

@@ -3297,31 +3297,6 @@ errout:
 	return -1;
 }
 
-static int _check_and_create_cert(void)
-{
-	if (dns_conf_need_cert == 0) {
-		return 0;
-	}
-
-	if (dns_conf_bind_ca_file[0] != 0 && dns_conf_bind_ca_key_file[0] != 0) {
-		return -1;
-	}
-
-	conf_get_conf_fullpath("smartdns-cert.pem", dns_conf_bind_ca_file, sizeof(dns_conf_bind_ca_file));
-	conf_get_conf_fullpath("smartdns-key.pem", dns_conf_bind_ca_key_file, sizeof(dns_conf_bind_ca_key_file));
-	if (access(dns_conf_bind_ca_file, F_OK) == 0 && access(dns_conf_bind_ca_key_file, F_OK) == 0) {
-		return 0;
-	}
-
-	tlog(TLOG_INFO, "Generate default ssl cert and key file.");
-	if (generate_cert_key(dns_conf_bind_ca_key_file, dns_conf_bind_ca_file, NULL, 365 * 3) != 0) {
-		tlog(TLOG_WARN, "Generate default ssl cert and key file failed.");
-		return -1;
-	}
-
-	return 0;
-}
-
 static int _dns_conf_load_post(void)
 {
 	_config_setup_smartdns_domain();
@@ -3347,8 +3322,6 @@ static int _dns_conf_load_post(void)
 
 	_config_domain_set_name_table_destroy();
 
-	_check_and_create_cert();
-
 	return 0;
 }
 

src/dns_conf.h

@@ -413,6 +413,7 @@ extern int dns_conf_bind_ip_num;
 extern char dns_conf_bind_ca_file[DNS_MAX_PATH];
 extern char dns_conf_bind_ca_key_file[DNS_MAX_PATH];
 extern char dns_conf_bind_ca_key_pass[DNS_MAX_PATH];
+extern char dns_conf_need_cert;
 
 extern int dns_conf_tcp_idle_time;
 extern int dns_conf_cachesize;

src/smartdns.c

@@ -214,6 +214,7 @@ static int _smartdns_load_from_resolv(void)
 		safe_strncpy(dns_conf_servers[dns_conf_server_num].server, ns_ip, DNS_MAX_IPLEN);
 		dns_conf_servers[dns_conf_server_num].port = port;
 		dns_conf_servers[dns_conf_server_num].type = DNS_SERVER_UDP;
+		dns_conf_servers[dns_conf_server_num].set_mark = -1;
 		dns_conf_server_num++;
 		ret = 0;
 	}
@@ -344,6 +345,42 @@ static int _smartdns_set_ecs_ip(void)
 	return ret;
 }
 
+static int _smartdns_create_cert(void)
+{
+	int uid = 0;
+	int gid = 0;
+
+	if (dns_conf_need_cert == 0) {
+		return 0;
+	}
+
+	if (dns_conf_bind_ca_file[0] != 0 && dns_conf_bind_ca_key_file[0] != 0) {
+		return -1;
+	}
+
+	conf_get_conf_fullpath("smartdns-cert.pem", dns_conf_bind_ca_file, sizeof(dns_conf_bind_ca_file));
+	conf_get_conf_fullpath("smartdns-key.pem", dns_conf_bind_ca_key_file, sizeof(dns_conf_bind_ca_key_file));
+	if (access(dns_conf_bind_ca_file, F_OK) == 0 && access(dns_conf_bind_ca_key_file, F_OK) == 0) {
+		return 0;
+	}
+
+	if (generate_cert_key(dns_conf_bind_ca_key_file, dns_conf_bind_ca_file, NULL, 365 * 3) != 0) {
+		tlog(TLOG_WARN, "Generate default ssl cert and key file failed. %s", strerror(errno));
+		return -1;
+	}
+
+	int unused __attribute__((unused)) = 0;
+
+	if (get_uid_gid(&uid, &gid) != 0) {
+		return -1;
+	}
+
+	unused = chown(dns_conf_bind_ca_file, uid, gid);
+	unused = chown(dns_conf_bind_ca_key_file, uid, gid);
+
+	return 0;
+}
+
 static int _smartdns_init_ssl(void)
 {
 #if OPENSSL_API_COMPAT < 0x10100000L
@@ -582,6 +619,11 @@ static int _smartdns_init_pre(void)
 
 	_set_rlimit();
 
+	if (_smartdns_create_cert() != 0) {
+		tlog(TLOG_ERROR, "create cert failed.");
+		return -1;
+	}
+
 	return 0;
 }
 

src/util.c

@@ -37,6 +37,7 @@
 #include <netinet/tcp.h>
 #include <openssl/crypto.h>
 #include <openssl/ssl.h>
+#include <openssl/x509v3.h>
 #include <pthread.h>
 #include <signal.h>
 #include <stdlib.h>