[Opendnssec-user] Dropping exec perms -- running daemons as == ods USER/GROUP, !root ?
Yuri Schaeffer
yuri at nlnetlabs.nl
Wed Dec 21 22:27:05 UTC 2016
> exec'd as 'root', no startup issues so far. But the daemons do not drop perms, and persist running as root.
If you specify so in conf.xml the daemons *will* drop permissions.
> IIUC, there's no reason -- and is likely unwise (?) -- to exec as 'root'; I'm attempting to run as my ods2 user, "opendnssec".
Indeed. It might be useful to start ods-signerd (and then drop) as root
in case you want it to serve XFRs on low ports.
> Using (just for the moment) systemd's "PermissionsStartOnly=" for perms mgmt (eventually, I'll switch to tmpfiles ...), editing
>
> (btw, shouldn't ods2 sources include systemd instrumentation ?)
>
> edit /etc/systemd/system/ods-signer.service
> [Unit]
> Description=ods2 signer
> After=syslog.target network.target
>
> [Service]
> Type=forking
NOTE: you can start the signerd and enforcerd with the -d flag. Then it
won't fork from the console. This might improve the systemd experience.
> + PermissionsStartOnly=true
> + User=opendnssec
> + Group=opendnssec
> PIDFile=/var/run/opendnssec/signerd.pid
> EnvironmentFile=-/etc/sysconfig/ods
> + ExecStartPre=/bin/chown -R opendnssec:opendnssec /usr/local/etc/opendnssec /var/run/opendnssec /var/opendnssec
> ExecStart=/usr/local/opendnssec/sbin/ods-signerd $ODS_SIGNERD_OPT
>
> [Install]
> WantedBy=multi-user.target
> , my logs get hammered with dozens of
> Dec 21 07:57:10 core ods-enforcerd: ObjectFile.cpp(122): The attribute does not exist: 0x00000002
> What's the attribute problem here?
This is a permission problem again. You probably initialized the SoftHSM
slots as root. Fix the permissions so /var/lib/softhsm is RW for the
opendnssec user.
> Is there more to execing as !root that needs to be addressed?
ODS should run fine as a normal user. But beware that binding port
numbers < 1024 might not work if you don't use the permission dropping
functionality. This is only relevant for the signer and when using DNS
adapters.
//Yuri
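The reply above turns on three things: whether conf.xml asks the daemons to drop privileges, whether ods-signerd/ods-enforcerd are in fact still running as root, and whether the SoftHSM token directory is readable and writable by the account they drop to. The following audit script is an added example and is not OpenDNSSEC code or anything posted in the thread. It assumes GNU coreutils (`stat -c`, `id -Gn`), that conf.xml carries `<Privileges><User>..</User><Group>..</Group></Privileges>` blocks (element names assumed from the conf.xml format, not verified here), the account name `opendnssec` and the conf path from the poster's unit file, and `/var/lib/softhsm` as the token directory named in the reply.

```shell
#!/bin/sh
# Added example (not part of OpenDNSSEC): audit a host that runs the ODS
# daemons as a non-root user. Pure helpers are separated from the live
# wrappers so the logic can be exercised on constructed input.
set -eu

# Does USER (member of the space-separated GROUPS) hold every permission bit
# in WANT (owner-triplet style: 4=r 2=w 1=x) on an object owned by
# OWNER:GROUP with octal MODE? Pure function, no filesystem access.
# Usage: can_access OWNER GROUP MODE USER "GROUPS" WANT
can_access() {
    owner=$1 group=$2 user=$4 groups=$5 want=$6
    bits=$(( 0$3 ))                  # leading 0: evaluate MODE as octal
    [ "$user" = root ] && return 0   # root bypasses the mode bits (DAC)
    if [ "$user" = "$owner" ]; then
        triplet=$(( (bits >> 6) & 7 ))
    else
        triplet=$(( bits & 7 ))      # "other" unless a group matches
        for g in $groups; do
            if [ "$g" = "$group" ]; then triplet=$(( (bits >> 3) & 7 )); fi
        done
    fi
    [ $(( triplet & want )) -eq "$want" ]
}

# Live wrapper: can_access for a real path and a real account.
# Usage: path_access_for PATH USER WANT   (GNU stat and id -Gn assumed)
path_access_for() {
    set -- "$1" "$2" "$3" $(stat -c '%U %G %a' "$1")   # appends owner group mode
    can_access "$4" "$5" "$6" "$2" "$(id -Gn "$2")" "$3"
}

# Read "USER COMMAND" lines on stdin (as produced by: ps -eo user= -o comm=)
# and print the ODS daemons still owned by root. Returns 1 if any were found.
root_ods_daemons() {
    awk '$1 == "root" && ($2 == "ods-signerd" || $2 == "ods-enforcerd") { print $2; n++ }
         END { exit n > 0 }'
}

# Print the <User> of the last <Privileges> block in a conf.xml; empty output
# means no privilege drop is configured. Quick sed, not an XML parser.
# Usage: conf_privileges_user FILE
conf_privileges_user() {
    tr -d '\n' < "$1" | sed -n 's/.*<Privileges>[^<]*<User>\([^<]*\)<\/User>.*/\1/p'
}

# Live audit of one host. Paths follow the poster's unit file and the reply;
# the account and token directory are assumptions for this example.
audit_host() {
    user=${ODS_USER:-opendnssec}
    conf=${ODS_CONF:-/usr/local/etc/opendnssec/conf.xml}
    tokens=${SOFTHSM_DIR:-/var/lib/softhsm}
    status=0
    drop=$(conf_privileges_user "$conf" 2>/dev/null || true)
    if [ -z "$drop" ]; then
        echo "WARN: $conf has no <Privileges>; a daemon started as root stays root"
        status=1
    fi
    left=$(ps -eo user= -o comm= | root_ods_daemons || true)
    if [ -n "$left" ]; then
        echo "WARN: still running as root: $left"
        status=1
    fi
    # A directory needs r, w and x (7) for the user to list, create and enter it.
    if ! path_access_for "$tokens" "$user" 7; then
        echo "WARN: $tokens is not rwx for $user (SoftHSM 'attribute does not exist' symptom)"
        status=1
    fi
    return $status
}

if [ "${1-}" = --audit ]; then audit_host; fi
```

Run it as `sh ods-audit.sh --audit` on the signer host; a non-zero exit means at least one of the three conditions from the reply is not met. The token check looks at the top directory only; after initializing tokens as root the fix is a recursive `chown`, so re-run the audit against the deepest token path as well.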