[Opendnssec-user] ods-ksmutil and /var/opendnssec/kasp.db.our_lock

Paul Wouters paul at nohats.ca
Sun May 13 07:45:54 UTC 2012


Hi,

I was wondering why ods-ksmutil key list tries to lock/write the
/var/opendnssec/kasp.db.our_lock file.

The comment in ksmutil.c says:

    /* If we are in sqlite mode then take a lock out on a file to
        prevent multiple access (not sure that we can be sure that sqlite is
        safe for multiple processes to access). */
     if (DbFlavour() == SQLITE_DB) {

         /* Make sure that nothing is happening to the DB */
         StrAppend(&lock_filename, dbschema);
         StrAppend(&lock_filename, ".our_lock");

         lock_fd = fopen(lock_filename, "w");
         status = get_lite_lock(lock_filename, lock_fd);
         if (status != 0) {

According to https://www.sqlite.org/faq.html#q5 it is fine to have
multiple reads/selects.

My problem is that starting up opendnssec creates the lock file as
root, even if the <User> is defined as non-root. Then you cannot run
ods-ksmutil key list as a non-root user anymore because the lock file
is owned and only writable by root.

So I think that the lock file control for ods-ksmutil should be refined
a bit so it only uses the lock file when it needs to modify something.

Probably the enforcer(?) should drop privs before it writes that lock
file too? Though I'm not sure what happens if it writes the lock file
while someone else has the lock file open. Perhaps one is not supposed
to use ods-ksmutil that causes modifications when the enforcer is running?
If so, then I think the lock code logic is not enforcing that.

Paul
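
The split the message proposes, as an added example that is not OpenDNSSEC code: read-only commands open the lock file read-only and take a shared lock, so they need only read permission on it, while modifying commands take an exclusive lock without truncating the file. `db_lock`, `other_process_can_lock` and the `/tmp` path are hypothetical, and the use of POSIX `fcntl` record locks is an assumption, since the page does not show what `get_lite_lock` does.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not OpenDNSSEC code; names are hypothetical.
 * Non-blocking lock on the whole file. Returns a locked fd, or -1 with errno.
 * for_write == 0: O_RDONLY + shared lock, needs only read permission.
 * for_write != 0: O_RDWR|O_CREAT + exclusive lock; file is never truncated. */
int db_lock(const char *path, int for_write)
{
    struct flock fl = {0};            /* l_start = l_len = 0: whole file */
    int fd = for_write ? open(path, O_RDWR | O_CREAT, 0644)
                       : open(path, O_RDONLY);
    if (fd < 0) return -1;
    fl.l_type = for_write ? F_WRLCK : F_RDLCK;
    fl.l_whence = SEEK_SET;
    if (fcntl(fd, F_SETLK, &fl) == -1) {
        int saved = errno;            /* EAGAIN or EACCES: lock is held */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Fork a child that attempts the lock; 1 = granted, 0 = refused, -1 = error.
 * fcntl locks are per process, so the child really contends with the caller. */
int other_process_can_lock(const char *path, int for_write)
{
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(db_lock(path, for_write) >= 0 ? 0 : 1);
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) && WEXITSTATUS(st) == 0;
}

int main(void)
{
    const char *path = "/tmp/kasp.db.example_lock";   /* constructed path */
    int fd = db_lock(path, 1);                        /* a modifying command */
    printf("reader admitted under writer's lock: %d\n", other_process_can_lock(path, 0));
    return fd >= 0 ? close(fd) : 1;
}
```

A lock file created by a privileged daemon still has to be readable by the unprivileged user for the shared-lock path to succeed.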


