[Opendnssec-user] Dropping exec perms -- running daemons as == ods USER/GROUP, !root ?
PGNet Dev
pgnet.dev at gmail.com
Thu Dec 22 02:53:54 UTC 2016
On 12/21/2016 02:27 PM, Yuri Schaeffer wrote:
> Indeed. It might be useful to start ods-signerd (and then drop) as root
> in case you want it to serve XFRs on low ports.
>
...
> ODS should run fine as a normal user. But beware that binding port
> numbers < 1024 might not work if you don't use the permission dropping
> functionality. This is only relevant for the signer and when using DNS
> adapters.
took a bit of doing, but finally for ods2 + softhsm2 here,
/usr/local/opendnssec/sbin/ods-signerd -V
opendnssec version 2.1.0-dev
/usr/local/softhsm/bin/softhsm2-util --version
2.3.0rc1
with one pending 'gotcha'; dropped back to botan 1.11.33
/usr/local/botan/bin/botan version --full
Botan 1.11.33 (released, dated 20161026, revision git:560c0e5623cd9ef704b06c56b7e827e7431ae1a8, distribution unspecified)
until this gets sorted
https://github.com/opendnssec/SoftHSMv2/issues/276 Botan 1.11.34
now,
ods-{signerd,enforcerd} are managed by systemd
systemctl status ods-signer
● ods-signer.service - OpenDNSSEC Signer
Loaded: loaded (/etc/systemd/system/ods-signer.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2016-12-21 18:11:25 PST; 20min ago
Process: 1564 ExecStart=/bin/sh -c /usr/local/opendnssec/sbin/ods-signerd -d & (code=exited, status=0/SUCCESS)
Main PID: 1565 (ods-signerd)
Tasks: 12 (limit: 512)
CGroup: /system.slice/ods-signer.service
└─1565 /usr/local/opendnssec/sbin/ods-signerd -d
systemctl status ods-enforcer
● ods-enforcer.service - OpenDNSSEC Enforcer
Loaded: loaded (/etc/systemd/system/ods-enforcer.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2016-12-21 18:11:25 PST; 21min ago
Process: 1598 ExecStart=/bin/sh -c /usr/local/opendnssec/sbin/ods-enforcerd -d & (code=exited, status=0/SUCCESS)
Main PID: 1599 (ods-enforcerd)
Tasks: 6 (limit: 512)
CGroup: /system.slice/ods-enforcer.service
└─1599 /usr/local/opendnssec/sbin/ods-enforcerd -d
launched as root, with non-root user/group privileges specified in conf.xml
cat conf.xml
...
    <Enforcer>
        <Privileges>
            <User>opendnssec</User>
            <Group>opendnssec</Group>
        </Privileges>
        ...
    </Enforcer>
    <Signer>
        <Privileges>
            <User>opendnssec</User>
            <Group>opendnssec</Group>
        </Privileges>
        ...
    </Signer>
...
where UID/GID are <1024
id opendnssec
uid=227(opendnssec) gid=227(opendnssec) groups=227(opendnssec)
and correctly dropped on exec
ps aux | grep ods
opendns+ 1565 3.8 3.8 1032016 109832 ? Sl 18:11 0:47 /usr/local/opendnssec/sbin/ods-signerd -d
opendns+ 1599 0.6 3.4 583412 97984 ? Sl 18:11 0:07 /usr/local/opendnssec/sbin/ods-enforcerd -d
tree /var/run/opendnssec/
/var/run/opendnssec/
├── [opendnssec 5] enforcerd.pid
├── [opendnssec 0] enforcer.sock
├── [opendnssec 0] engine.sock
└── [opendnssec 5] signerd.pid
after adding a zone (under 'lab' policy), and waiting a bit for 'ds-seen'
/usr/local/opendnssec/sbin/ods-enforcer key list --debug
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
example.info KSK ready waiting for ds-seen 256 14 17e8878380c62e242def6bf0f690927f SoftHSM 48442
example.info ZSK active 2016-12-21 22:11:57 256 14 7e5c6b64da291b04aea7480ec45eb2d6 SoftHSM 65522
Keys:
Zone: Key role: DS: DNSKEY: RRSIGDNSKEY: RRSIG: Pub: Act: Id:
example.info KSK rumoured omnipresent omnipresent NA 1 1 17e8878380c62e242def6bf0f690927f
example.info ZSK NA omnipresent NA omnipresent 1 1 7e5c6b64da291b04aea7480ec45eb2d6
for a very simple specified submit action
<DelegationSignerSubmitCommand>/usr/local/etc/opendnssec/scripts/dnskey-mailer.sh</DelegationSignerSubmitCommand>
cat dnskey-mailer.sh
#!/bin/bash
# Called by ods-enforcerd as DelegationSignerSubmitCommand; the DNSKEY RRs to submit arrive on stdin.
RECIPIENT="adm+ods at example.com"
if [ -n "$RECIPIENT" ]
then
    # mail reads the message body from stdin, so no leading cat is needed;
    # quote the recipient so it is passed as a single argument
    mail -s "New keys from OpenDNSSEC" "$RECIPIENT"
fi
mail is now sent/delivered on submit
...
Date: Wed, 21 Dec 2016 18:27:58 -0800
From: adm+ods-dnskey-mailer at example.net
To: adm+ods at example.com
Subject: New keys from OpenDNSSEC
Message-ID: <585b3a2e.QB+wG9zDnHst/Xyk%adm+ods-dnskey-mailer at example.net>
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
example.info. 300 IN DNSKEY 257 3 14 QUx...WSc/
Thanks for the help in getting this cleared up.
Next, setting up a production policy ...
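The "correctly dropped on exec" check above is done by eye with ps. The following is an added example, not part of the thread or of OpenDNSSEC itself: a small POSIX sh script that reads the <User> configured under <Privileges> in conf.xml and compares it with the user each ods daemon actually runs as. It assumes a listing in `ps -eo user,pid,args` form (user first, command path third); the conf.xml fragment and the two ps listings below are constructed sample input so the script runs offline, and the `opendns+` entries reproduce the 8-character truncation that `ps aux` shows in the post.

```shell
#!/bin/sh
# Added example (not from the thread): verify that ods-signerd and ods-enforcerd
# run as the <User> configured under <Privileges> in conf.xml.
# Sample input below is constructed; on a real host pass the real conf.xml and
# the output of `ps -eo user:20,pid,args` instead.

# Print the <User> inside the requested section of a conf.xml.
# Usage: configured_user CONF_FILE Signer|Enforcer
configured_user() {
    conf="$1"; section="$2"
    # keep only the lines of that section, then pull the <User> value out
    sed -n "/<${section}>/,/<\/${section}>/p" "$conf" \
        | sed -n 's/.*<User>\([^<]*\)<\/User>.*/\1/p' | head -n 1
}

# Print the user owning the process whose command basename equals DAEMON
# in a `ps -eo user,pid,args`-style listing. Usage: process_user LISTING DAEMON
process_user() {
    listing="$1"; daemon="$2"
    awk -v d="$daemon" '{ n = split($3, p, "/"); if (p[n] == d) { print $1; exit } }' "$listing"
}

# Compare the ps user with the configured one. `ps aux` truncates user names
# longer than 8 characters to 7 characters plus '+', so treat that as a prefix.
# Returns 0 when they agree, 1 otherwise.
user_matches() {
    actual="$1"; expected="$2"
    case "$actual" in
        *+) prefix="${actual%+}"
            case "$expected" in "$prefix"*) return 0 ;; esac
            return 1 ;;
        *)  [ "$actual" = "$expected" ] ;;
    esac
}

# Returns 0 if both daemons run as their configured users, 1 otherwise.
verify_privilege_drop() {
    conf="$1"; listing="$2"; rc=0
    for pair in "Signer:ods-signerd" "Enforcer:ods-enforcerd"; do
        section="${pair%%:*}"; daemon="${pair#*:}"
        want=$(configured_user "$conf" "$section")
        got=$(process_user "$listing" "$daemon")
        if [ -z "$got" ]; then
            echo "$daemon: not running" >&2; rc=1
        elif user_matches "$got" "$want"; then
            echo "$daemon: running as $got (configured: $want)"
        else
            echo "$daemon: running as $got, expected $want" >&2; rc=1
        fi
    done
    return $rc
}

# --- constructed sample input (not real host output) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/conf.xml" <<'EOF'
<Configuration>
  <Enforcer>
    <Privileges><User>opendnssec</User><Group>opendnssec</Group></Privileges>
  </Enforcer>
  <Signer>
    <Privileges><User>opendnssec</User><Group>opendnssec</Group></Privileges>
  </Signer>
</Configuration>
EOF
# both daemons dropped privileges ('opendns+' mimics the ps aux truncation)
cat > "$SAMPLE_DIR/ps-good.txt" <<'EOF'
USER       PID ARGS
opendns+  1565 /usr/local/opendnssec/sbin/ods-signerd -d
opendns+  1599 /usr/local/opendnssec/sbin/ods-enforcerd -d
EOF
# the signer is still root: the check must fail
cat > "$SAMPLE_DIR/ps-bad.txt" <<'EOF'
USER       PID ARGS
root      1565 /usr/local/opendnssec/sbin/ods-signerd -d
opendns+  1599 /usr/local/opendnssec/sbin/ods-enforcerd -d
EOF

verify_privilege_drop "$SAMPLE_DIR/conf.xml" "$SAMPLE_DIR/ps-good.txt" || echo "unexpected failure"
verify_privilege_drop "$SAMPLE_DIR/conf.xml" "$SAMPLE_DIR/ps-bad.txt" || echo "privilege drop check failed as expected"
```

The prefix match in user_matches exists only because `ps aux` abbreviates long user names; with `ps -eo user:20,pid,args` the names come out whole and the exact comparison is used. A check like this fits as a post-start step or a monitoring probe next to the systemd units shown above.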