[Opendnssec-user] Dropping exec perms -- running daemons as == ods USER/GROUP, !root ?
PGNet Dev
pgnet.dev at gmail.com
Wed Dec 21 16:22:48 UTC 2016
While testing, I've been running the ods2 daemons as root.
exec'd as 'root', no startup issues so far. But the daemons do not drop perms, and persist running as root.
IIUC, there's no reason -- and it is likely unwise (?) -- to exec as 'root'; I'm attempting to run as my ods2 user, "opendnssec".
Using (just for the moment) systemd's "PermissionsStartOnly=" for perms mgmt (eventually, I'll switch to tmpfiles ...), editing
(btw, shouldn't ods2 sources include systemd instrumentation ?)
edit /etc/systemd/system/ods-signer.service
[Unit]
Description=ods2 signer
After=syslog.target network.target
[Service]
Type=forking
+ PermissionsStartOnly=true
+ User=opendnssec
+ Group=opendnssec
PIDFile=/var/run/opendnssec/signerd.pid
EnvironmentFile=-/etc/sysconfig/ods
+ ExecStartPre=/bin/chown -R opendnssec:opendnssec /usr/local/etc/opendnssec /var/run/opendnssec /var/opendnssec
ExecStart=/usr/local/opendnssec/sbin/ods-signerd $ODS_SIGNERD_OPT
[Install]
WantedBy=multi-user.target
edit /etc/systemd/system/ods-enforcer.service
[Unit]
Description=ods2 enforcer
After=syslog.target network.target
After=ods-signer.service
[Service]
Type=forking
+ PermissionsStartOnly=true
+ User=opendnssec
+ Group=opendnssec
PIDFile=/var/run/opendnssec/enforcerd.pid
EnvironmentFile=-/etc/sysconfig/ods
+ ExecStartPre=/bin/chown -R opendnssec:opendnssec /usr/local/etc/opendnssec /var/run/opendnssec /var/opendnssec
ExecStart=/usr/local/opendnssec/sbin/ods-enforcerd $ODS_ENFORCERD_OPT
[Install]
WantedBy=multi-user.target
force stop
pkill ods-signer
pkill ods-enforcer
reload
systemctl daemon-reload
restart
systemctl start ods-signer
systemctl start ods-enforcer
After that, my logs get hammered with dozens of
...
Dec 21 07:57:10 core ods-enforcerd: ObjectFile.cpp(122): The attribute does not exist: 0x00000002
...
Dec 21 07:57:54 core ods-signerd: ObjectFile.cpp(122): The attribute does not exist: 0x00000002
...
The only instance of ObjectFile.cpp I have on my system is
/usr/local/src/softhsm/src/lib/object_store/ObjectFile.cpp
where
cat /usr/local/src/softhsm/src/lib/object_store/ObjectFile.cpp
...
bool ObjectFile::getBooleanValue(CK_ATTRIBUTE_TYPE type, bool val)
{
    MutexLocker lock(objectMutex);
    OSAttribute* attr = attributes[type];
    if (attr == NULL)
    {
122     ERROR_MSG("The attribute does not exist: 0x%08X", type);
        return val;
    }
...
What's the attribute problem here?
Is there more to execing as !root that needs to be addressed?
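One way to answer the first half of that question (whether the daemons really end up running as opendnssec once User=/Group= are set) is to read the Uid:/Gid: lines of /proc/<pid>/status behind each PIDFile rather than trusting the unit file. This is an added example, not code from the post or from the OpenDNSSEC project; it assumes the PIDFile paths and the opendnssec user/group from the unit files above and that getent is available.

```shell
#!/bin/sh
# Added example (not from the original post): confirm from /proc that a
# forking daemon runs as the identity its systemd unit names.
# Assumes the PIDFile paths and opendnssec user/group from the unit files.

# Effective UID: third field of the "Uid:" line in a /proc/<pid>/status file.
effective_uid_from_status() {
    awk '$1 == "Uid:" { print $3 }' "$1"
}

# Effective GID: third field of the "Gid:" line in a /proc/<pid>/status file.
effective_gid_from_status() {
    awk '$1 == "Gid:" { print $3 }' "$1"
}

# check_status_identity STATUS_FILE WANT_UID WANT_GID
# 0 when effective UID and GID match, 1 on a mismatch (e.g. still root),
# 2 when the status file cannot be read (process gone, no /proc).
check_status_identity() {
    [ -r "$1" ] || return 2
    [ "$(effective_uid_from_status "$1")" = "$2" ] &&
    [ "$(effective_gid_from_status "$1")" = "$3" ]
}

# check_daemon_identity PIDFILE USER GROUP: resolve names, check live process.
check_daemon_identity() {
    pidfile=$1; user=$2; group=$3
    [ -r "$pidfile" ] || { echo "$pidfile: no PID file (not running?)"; return 2; }
    pid=$(tr -dc '0-9' < "$pidfile")
    uid=$(id -u "$user" 2>/dev/null) || { echo "user $user missing"; return 2; }
    gid=$(getent group "$group" | cut -d: -f3)
    [ -n "$gid" ] || { echo "group $group missing"; return 2; }
    if check_status_identity "/proc/$pid/status" "$uid" "$gid"; then
        echo "pid $pid runs as $user:$group"
    else
        echo "pid $pid runs as uid $(effective_uid_from_status "/proc/$pid/status")" \
             "gid $(effective_gid_from_status "/proc/$pid/status"), expected $uid:$gid"
        return 1
    fi
}

# Check both daemons from the unit files above; invoke as: sh check.sh --run
check_ods_daemons() {
    rc=0
    for f in /var/run/opendnssec/signerd.pid /var/run/opendnssec/enforcerd.pid; do
        check_daemon_identity "$f" opendnssec opendnssec || rc=1
    done
    return $rc
}

case "${1:-}" in --run) check_ods_daemons ;; esac
```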