[Opendnssec-user] Dropping exec perms -- running daemons as == ods USER/GROUP, !root ?
yuri at nlnetlabs.nl
Wed Dec 21 22:27:05 UTC 2016
> exec'd as 'root', no startup issues so far. But the daemons do not drop perms, and persist running as root.
If you specify so in conf.xml the daemons *will* drop permissions.
> IIUC, there's no reason -- and is likely unwise (?) -- to exec as 'root'; I'm attempting to run as my ods2 user, "opendnnssec".
Indeed. It might be useful to start ods-signerd (and then drop) as root
in case you want it to serve XFRs on low ports.
> Using (just for the moment) systemd's "PermissionsStartOnly=" for perms mgmt (eventually, I'll switch to tmpfiles ...), editing
> (btw, shouldn't ods2 sources include systemd instrumentation ?)
> edit /etc/systemd/system/ods-signer.service
> Description=ods2 signer
> After=syslog.target network.target
NOTE: you can start the signerd and enforcerd with the -d flag. Then it
won't fork from the console. This might improve the systemd experience.
> + PermissionsStartOnly=true
> + User=opendnssec
> + Group=opendnssec
> + ExecStartPre=/bin/chown -R opendnssec:opendnssec /usr/local/etc/opendnssec /var/run/opendnssec /var/opendnssec
> ExecStart=/usr/local/opendnssec/sbin/ods-signerd $ODS_SIGNERD_OPT
> , my logs get hammered with dozens of
> Dec 21 07:57:10 core ods-enforcerd: ObjectFile.cpp(122): The attribute does not exist: 0x00000002
> What's the attribute problem here?
This is a permission problem again. You probably initialized the SoftHSM
slots as root. Fix the permissions so /var/lib/softhsm is RW for the
> Is there more to execing as !root that needs to be addressed?
ODS should run fine as a normal user. But beware that binding port
numbers < 1024 might not work if you don't use the permission dropping
functionality. This is only relevant for the signer and when using DNS
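An added example, not from this thread or from the OpenDNSSEC project: a POSIX shell check that can stand in for the poster's recursive `chown` in ExecStartPre, reporting anything under the daemon directories and the SoftHSM token store that is not owned by the service user. The paths are the ones from the unit file above plus /var/lib/softhsm as named in the reply; the function name is my own.

```shell
#!/bin/sh
# ods_check_owner USER DIR...
# Lists every path under each DIR that is not owned by USER (the account the
# daemons drop to, e.g. opendnssec). Returns 0 when everything is owned by
# USER, 1 when something is not or a DIR is missing, 2 for an unknown USER.
# Meant for ExecStartPre, so a mis-owned SoftHSM token store fails the start
# loudly instead of surfacing as "The attribute does not exist" in the log.
ods_check_owner() {
    user="$1"; shift
    # An unknown account would make find report nothing: reject it up front.
    if ! id -u "$user" >/dev/null 2>&1; then
        echo "ods_check_owner: no such user: $user" >&2
        return 2
    fi
    bad=0
    for dir in "$@"; do
        if [ ! -e "$dir" ]; then
            echo "ods_check_owner: missing: $dir" >&2
            bad=1
            continue
        fi
        # find prints DIR itself and every entry below it not owned by USER
        offenders=$(find "$dir" ! -user "$user")
        if [ -n "$offenders" ]; then
            echo "ods_check_owner: not owned by $user under $dir:" >&2
            printf '%s\n' "$offenders" >&2
            bad=1
        fi
    done
    return "$bad"
}

# Example invocation (paths assumed from the unit file in the thread plus the
# default SoftHSM token directory); uncomment to use:
# ods_check_owner opendnssec /usr/local/etc/opendnssec /var/run/opendnssec \
#     /var/opendnssec /var/lib/softhsm
```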