While testing, I've been running the ods2 daemons as root.

exec'd as 'root', no startup issues so far.  But the daemons do not drop perms, 
and persist running as root.

IIUC, there's no reason -- and it's likely unwise (?) -- to exec as 'root'; I'm 
attempting to run as my ods2 user, "opendnssec".

Using (just for the moment) systemd's "PermissionsStartOnly=" for perms mgmt 
(eventually, I'll switch to tmpfiles ...), editing

(btw, shouldn't ods2 sources include systemd instrumentation ?)

        edit /etc/systemd/system/ods-signer.service
                [Unit]
                Description=ods2 signer
                After=syslog.target network.target

                [Service]
                Type=forking
+               PermissionsStartOnly=true
+               User=opendnssec
+               Group=opendnssec
                PIDFile=/var/run/opendnssec/signerd.pid
                EnvironmentFile=-/etc/sysconfig/ods
+               ExecStartPre=/bin/chown -R opendnssec:opendnssec /usr/local/etc/opendnssec /var/run/opendnssec /var/opendnssec
                ExecStart=/usr/local/opendnssec/sbin/ods-signerd $ODS_SIGNERD_OPT

                [Install]
                WantedBy=multi-user.target

        edit /etc/systemd/system/ods-enforcer.service
                [Unit]
                Description=ods2 enforcer
                After=syslog.target network.target
                After=ods-signer.service

                [Service]
                Type=forking
+               PermissionsStartOnly=true
+               User=opendnssec
+               Group=opendnssec
                PIDFile=/var/run/opendnssec/enforcerd.pid
                EnvironmentFile=-/etc/sysconfig/ods
+               ExecStartPre=/bin/chown -R opendnssec:opendnssec /usr/local/etc/opendnssec /var/run/opendnssec /var/opendnssec
                ExecStart=/usr/local/opendnssec/sbin/ods-enforcerd $ODS_ENFORCERD_OPT

                [Install]
                WantedBy=multi-user.target

force stop

        pkill ods-signer
        pkill ods-enforcer

reload

        systemctl daemon-reload

restart

        systemctl start ods-signer
        systemctl start ods-enforcer

, my logs get hammered with dozens of
        ...

        Dec 21 07:57:10 core ods-enforcerd: ObjectFile.cpp(122): The attribute does not exist: 0x00000002
        ...
        Dec 21 07:57:54 core ods-signerd: ObjectFile.cpp(122): The attribute does not exist: 0x00000002
        ...

The only instance of ObjectFile.cpp I have on my system is

        /usr/local/src/softhsm/src/lib/object_store/ObjectFile.cpp

where

        cat /usr/local/src/softhsm/src/lib/object_store/ObjectFile.cpp
                ...
                bool ObjectFile::getBooleanValue(CK_ATTRIBUTE_TYPE type, bool val)
                {
                    MutexLocker lock(objectMutex);

                    OSAttribute* attr = attributes[type];
                    if (attr == NULL)
                    {
        122             ERROR_MSG("The attribute does not exist: 0x%08X", type);
                        return val;
                    }
                ...

What's the attribute problem here?

Is there more to execing as !root that needs to be addressed?
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
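
Added example, not from the post above and not OpenDNSSEC or SoftHSM code: a
small POSIX shell pre-flight check for the two things the units above leave to
a blanket "ExecStartPre=/bin/chown -R" on every start, namely whether every
file the daemon needs is already owned by the service user, and whether the
process recorded in the PID file really runs as that user after startup.
Running it before switching User= tells you which files were created while
the daemons still ran as root. It assumes Linux (uids are read from /proc) and
uses a constructed temporary tree in place of /usr/local/etc/opendnssec,
/var/run/opendnssec and /var/opendnssec. Note also that current systemd
documents PermissionsStartOnly= as deprecated in favour of prefixing the one
privileged command with "+", e.g. "ExecStartPre=+/bin/chown ...", which keeps
ExecStart= itself under User=/Group=.

```sh
#!/bin/sh
# Added example (not from the post or from OpenDNSSEC/SoftHSM): pre-flight
# checks for running a daemon as a dedicated unprivileged user.
#   check_ownership UID PATH...    lists files under PATH... not owned by UID
#   check_pidfile_uid UID PIDFILE  confirms the process in PIDFILE runs as UID
# Linux is assumed for /proc; the sample tree in demo() is constructed here.

# Print every file under the given paths that is not owned by uid $1.
# Returns 0 if all files are owned by $1, 1 if any is not or a path is missing.
check_ownership() {
    uid="$1"; shift
    bad=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p" >&2
            bad=1
            continue
        fi
        # A numeric uid works with find -user even if no such user name exists.
        wrong=$(find "$p" ! -user "$uid")
        if [ -n "$wrong" ]; then
            printf 'not owned by uid %s:\n%s\n' "$uid" "$wrong"
            bad=1
        fi
    done
    return "$bad"
}

# Real uid of a running process, read from /proc; fails if the pid is gone.
pid_uid() {
    [ -r "/proc/$1/status" ] || return 1
    awk '/^Uid:/ { print $2; exit }' "/proc/$1/status"
}

# Check that the process named in PID file $2 runs as uid $1.
# Returns 0 on match, 1 on a uid mismatch, 2 if the PID file is unusable
# or the process is not running (a Type=forking daemon that exited early).
check_pidfile_uid() {
    want="$1"; pidfile="$2"
    if [ ! -r "$pidfile" ]; then
        echo "cannot read pidfile $pidfile" >&2
        return 2
    fi
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    if [ -z "$pid" ]; then
        echo "malformed pidfile $pidfile" >&2
        return 2
    fi
    if ! have=$(pid_uid "$pid"); then
        echo "pid $pid from $pidfile is not running" >&2
        return 2
    fi
    if [ "$have" != "$want" ]; then
        echo "pid $pid runs as uid $have, expected uid $want" >&2
        return 1
    fi
    echo "pid $pid runs as uid $want"
}

# Demo on a constructed stand-in for the directories in the post
# (/usr/local/etc/opendnssec, /var/run/opendnssec, /var/opendnssec),
# using this shell's own pid as the "daemon".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/run" "$tmp/var"
    echo '<Configuration/>' > "$tmp/etc/conf.xml"   # constructed placeholder
    echo "$$" > "$tmp/run/signerd.pid"
    me=$(id -u)
    check_ownership "$me" "$tmp/etc" "$tmp/run" "$tmp/var" && echo "ownership ok"
    check_pidfile_uid "$me" "$tmp/run/signerd.pid"
    rm -rf "$tmp"
}

demo
```

Against a real install you would call the two functions with the service
user's uid (id -u opendnssec) and the three directories plus
/var/run/opendnssec/signerd.pid and enforcerd.pid; a non-zero exit from
check_ownership is the list of files to fix once (or to cover with a
tmpfiles.d entry) rather than re-chown recursively at every start, and a
mismatch from check_pidfile_uid means User= did not take effect for that
daemon.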