On 12/21/2016 02:27 PM, Yuri Schaeffer wrote:
> Indeed. It might be useful to start ods-signerd (and then drop) as root
> in case you want it to serve XFRs on low ports.
> 
...

> ODS should run fine as a normal user. But beware that binding port
> numbers < 1024 might not work if you don't use the permission dropping
> functionality. This is only relevant for the signer and when using DNS
> adapters.

took a bit of doing, but finally for ods2 + softhsm2 here,

        /usr/local/opendnssec/sbin/ods-signerd -V
                opendnssec version 2.1.0-dev

        /usr/local/softhsm/bin/softhsm2-util --version
                2.3.0rc1

with one pending 'gotcha'; dropped back to botan 1.11.33

        /usr/local/botan/bin/botan version --full
                Botan 1.11.33 (released, dated 20161026, revision git:560c0e5623cd9ef704b06c56b7e827e7431ae1a8, distribution unspecified)

until this gets sorted

        https://github.com/opendnssec/SoftHSMv2/issues/276 Botan 1.11.34

now,

ods-{signerd,enforcerd} are managed by systemd

        systemctl status ods-signer
                ● ods-signer.service - OpenDNSSEC Signer
                   Loaded: loaded (/etc/systemd/system/ods-signer.service; enabled; vendor preset: disabled)
                   Active: active (running) since Wed 2016-12-21 18:11:25 PST; 20min ago
                  Process: 1564 ExecStart=/bin/sh -c /usr/local/opendnssec/sbin/ods-signerd -d & (code=exited, status=0/SUCCESS)
                 Main PID: 1565 (ods-signerd)
                    Tasks: 12 (limit: 512)
                   CGroup: /system.slice/ods-signer.service
                           └─1565 /usr/local/opendnssec/sbin/ods-signerd -d

        systemctl status ods-enforcer
                ● ods-enforcer.service - OpenDNSSEC Enforcer
                   Loaded: loaded (/etc/systemd/system/ods-enforcer.service; enabled; vendor preset: disabled)
                   Active: active (running) since Wed 2016-12-21 18:11:25 PST; 21min ago
                  Process: 1598 ExecStart=/bin/sh -c /usr/local/opendnssec/sbin/ods-enforcerd -d & (code=exited, status=0/SUCCESS)
                 Main PID: 1599 (ods-enforcerd)
                    Tasks: 6 (limit: 512)
                   CGroup: /system.slice/ods-enforcer.service
                           └─1599 /usr/local/opendnssec/sbin/ods-enforcerd -d


launched as root, with non-root/user privileges specified in conf.xml

        cat conf.xml
                ...
                <Enforcer>
                    <Privileges>
                        <User>opendnssec</User>
                        <Group>opendnssec</Group>
                    </Privileges>
                        ...
                </Enforcer>

                <Signer>
                    <Privileges>
                        <User>opendnssec</User>
                        <Group>opendnssec</Group>
                    </Privileges>
                        ...
                </Signer>
                ...

where UID/GID are <1024

        id opendnssec
                uid=227(opendnssec) gid=227(opendnssec) groups=227(opendnssec)

and correctly dropped on exec

        ps aux | grep ods
                opendns+  1565  3.8  3.8 1032016 109832 ?      Sl   18:11   0:47 /usr/local/opendnssec/sbin/ods-signerd -d
                opendns+  1599  0.6  3.4 583412 97984 ?        Sl   18:11   0:07 /usr/local/opendnssec/sbin/ods-enforcerd -d

        tree /var/run/opendnssec/
                /var/run/opendnssec/
                ├── [opendnssec           5]  enforcerd.pid
                ├── [opendnssec           0]  enforcer.sock
                ├── [opendnssec           0]  engine.sock
                └── [opendnssec           5]  signerd.pid

after adding a zone (under 'lab' policy), and waiting a bit for 'ds-seen'

        /usr/local/opendnssec/sbin/ods-enforcer key list --debug
                Keys:
                Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
                example.info                    KSK      ready     waiting for ds-seen      256   14         17e8878380c62e242def6bf0f690927f SoftHSM     48442
                example.info                    ZSK      active    2016-12-21 22:11:57      256   14         7e5c6b64da291b04aea7480ec45eb2d6 SoftHSM     65522
                Keys:
                Zone:                           Key role:     DS:          DNSKEY:      RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
                example.info                    KSK           rumoured     omnipresent  omnipresent  NA           1    1    17e8878380c62e242def6bf0f690927f
                example.info                    ZSK           NA           omnipresent  NA           omnipresent  1    1    7e5c6b64da291b04aea7480ec45eb2d6

for a very simple specified submit action

        <DelegationSignerSubmitCommand>/usr/local/etc/opendnssec/scripts/dnskey-mailer.sh</DelegationSignerSubmitCommand>

        cat dnskey-mailer.sh
                #!/bin/bash
                # The enforcer passes the DNSKEY RR(s) to submit on stdin; mail them on.
                RECIPIENT="[email protected]"
                if [ -n "$RECIPIENT" ]
                then
                        mail -s "New keys from OpenDNSSEC" "$RECIPIENT"
                fi

mail is now sent/delivered on submit

        ...
        Date: Wed, 21 Dec 2016 18:27:58 -0800
        From: [email protected]
        To: [email protected]
        Subject: New keys from OpenDNSSEC
        Message-ID: <585b3a2e.QB+wG9zDnHst/xyk%[email protected]>
        User-Agent: Heirloom mailx 12.5 7/5/10
        MIME-Version: 1.0
        Content-Type: text/plain; charset=us-ascii
        Content-Transfer-Encoding: 7bit

        example.info. 300 IN DNSKEY 257 3 14 QUx...WSc/ 

Thanks for the help in getting this cleared up.

Next, setting up a production policy ...
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
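As an added example (not part of this mail or of OpenDNSSEC), the Python below takes a DNSKEY line of the kind dnskey-mailer.sh receives on stdin, checks that it is a KSK, and builds the SHA-256 DS record the parent needs, computing the RFC 4034 key tag so it can be compared with the KeyTag column of `ods-enforcer key list` before the ds-seen step. The owner name, TTL and 96-byte key bytes in the sample are constructed, not a real key.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Owner name in DNS wire format, lower-cased (canonical form per RFC 4034)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Parse a presentation-format DNSKEY RR as handed to the submit command:
    'example.info. 300 IN DNSKEY 257 3 14 <base64>'.
    Returns (owner, flags, protocol, algorithm, rdata)."""
    f = line.split()
    if len(f) < 8 or f[2] != "IN" or f[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[7:]))
    return f[0], flags, proto, alg, rdata

def key_tag(rdata):
    """RFC 4034 appendix B key tag; ods-enforcer prints this as KeyTag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(line):
    """DS RR (digest type 2, SHA-256) for a KSK line; rejects ZSKs, since
    only keys with the ZONE and SEP flags set (257) belong at the parent."""
    owner, flags, proto, alg, rdata = parse_dnskey(line)
    if flags & 0x0101 != 0x0101:
        raise ValueError("%s: flags %d are not a KSK (257)" % (owner, flags))
    if proto != 3:
        raise ValueError("%s: DNSKEY protocol must be 3" % owner)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d 2 %s" % (owner, key_tag(rdata), alg, digest)

def constructed_dnskey_line(owner, flags, alg, pubkey):
    """Build a sample DNSKEY line; the pubkey bytes are constructed, not a real key."""
    b64 = base64.b64encode(pubkey).decode("ascii")
    return "%s 300 IN DNSKEY %d 3 %d %s" % (owner, flags, alg, b64)

if __name__ == "__main__":
    # constructed 96-byte key, the size of a raw P-384 point as used by algorithm 14
    print(ds_record(constructed_dnskey_line("example.info.", 257, 14, bytes(range(96)))))
```

Feed it the real line from the submit mail and compare the printed key tag with the enforcer's KeyTag column before telling the enforcer `ds-seen`.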
