[Opendnssec-user] ods-ksmutil and /var/opendnssec/kasp.db.our_lock

Siôn Lloyd sion at nominet.org.uk
Mon May 14 08:55:34 UTC 2012


Hi Paul.

On 13/05/12 08:45, Paul Wouters wrote:
>
>
> According to https://www.sqlite.org/faq.html#q5 it is fine to have
> multiple reads/selects.
>

When this was written we saw some strange behaviour, and at the time the
concurrency model of sqlite seemed to depend on compile flags (at least
for the versions shipping with some OSs). So we put this mechanism in
place to take this question out of the equation.

Perhaps it is time to revisit that decision.

> My problem is that starting up opendnssec creates the lock file as
> root, even if the <User> is defined as non-root. Then you cannot run
> ods-ksmutil key list as non-root user anymore because the lock file
> is owned and only writable by root.
>
> So I think that the lock file control for ods-ksmutil should be refined
> a bit so it only uses the lock file when it needs to modify something.
>
> Probably the enforcer(?) should drop privs before it writes that lock
> file too? Though I'm not sure what happens if it writes the lock file
> while someone else has the lock file open. Perhaps one is not supposed
> to use ods-ksmutil that causes modifications when the enforcer is
> running?
> If so, then I think the lock code logic is not enforcing that.

The enforcer does drop privs before creating/grabbing the lock file...
Is it possible that the lock file is left from some previous process
that was run as root?

Cheers,

Sion
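
Added example (not part of the original message and not OpenDNSSEC code): one way to implement the suggestion quoted above, so that read-only commands never need write access to the lock file. It assumes flock(2) advisory locks; take_lock, drop_lock, demo and the temporary path are hypothetical names.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: take an advisory lock without blocking.
 * Readers (for_write == 0) open O_RDONLY and take LOCK_SH, so they only
 * need read permission on the lock file. Writers open O_RDWR and take
 * LOCK_EX. Returns the locked fd, or -1 if open or lock fails. */
int take_lock(const char *lock_path, int for_write)
{
    int fd = open(lock_path, for_write ? O_RDWR : O_RDONLY);
    if (fd < 0)
        return -1;
    if (flock(fd, (for_write ? LOCK_EX : LOCK_SH) | LOCK_NB) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

void drop_lock(int fd)
{
    if (fd >= 0) { flock(fd, LOCK_UN); close(fd); }
}

/* Constructed scenario: two readers share the lock, a writer is refused
 * until they finish, then a reader is refused while the writer holds it.
 * Returns a bitmask with one bit per expected outcome (31 = all as expected). */
int demo(void)
{
    char path[] = "/tmp/kasp_lock_demo_XXXXXX";   /* constructed sample path */
    int tmp = mkstemp(path);
    if (tmp < 0) return -1;
    close(tmp);
    chmod(path, 0644);                   /* readable by all, writable by owner */
    int r1 = take_lock(path, 0);
    int r2 = take_lock(path, 0);         /* shared locks coexist */
    int w_blocked = take_lock(path, 1);  /* refused: readers hold LOCK_SH */
    drop_lock(r1); drop_lock(r2); drop_lock(w_blocked);
    int w = take_lock(path, 1);          /* now the writer gets LOCK_EX */
    int r_blocked = take_lock(path, 0);  /* refused: writer holds LOCK_EX */
    drop_lock(w); drop_lock(r_blocked);
    unlink(path);
    return (r1 >= 0) | (r2 >= 0) << 1 | (w_blocked < 0) << 2
         | (w >= 0) << 3 | (r_blocked < 0) << 4;
}
int main(void) { printf("outcome mask: %d\n", demo()); return 0; }
```

With this split, a lock file left behind by a root-run process only blocks unprivileged commands that modify data, provided the file is readable by them.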


