[oi-dev] Anybody else running named on OI

Gary Mills gary_mills at fastmail.fm
Mon Oct 19 00:21:46 UTC 2020 

On Sun, Oct 18, 2020 at 10:30:09PM +0200, Till Wegmüller wrote:
> 
> I think what happened is that the service manifest has gotten an update
> between you last updated and now.

I don't think so.  I updated on 2018-07-01, again on 2020-08-02, and
again on 2020-10-12.  I probably fixed named after the first one.  I
know I fixed it again after the second one.  Nothing changed on the
third one.

> I see two user options. One in the Propval and one for the launch script
> /lib/svc/method/dns-server.

Yes, the two are related.  If you delete the one in the SMF property
values, the method script omits it and the `-u' option too.  That's
what I did.  The man page says this about this option:

       -u user
              Setuid to user after completing privileged operations, such as
              creating sockets that listen on privileged ports.

       NOTE:
          On Linux, named uses the kernel's capability mechanism to drop all
          root privileges except the ability to bind(2) to a privileged port
          and set process resource limits. Unfortunately, this means that the
          -u option only works when named is run on kernel 2.2.18 or later, or
          kernel 2.3.99-pre3 or later, since previous kernels did not allow
          privileges to be retained after setuid(2).

I wonder if this option only works on Linux?

> That script takes in the user parameter but
> I can't find a line that changes the working directory for non chroot
> installations. So that might break the installation for you.
> method_credential can have a working directory parameter so the service
> does not start in /root. Unfortunately I can't remember or find in my
> notes how to do that in the XML. As a workaround I sometimes modified my
> smf method scripts with a cd command.

All the settings for SMF manifests (XML files) are described in
comments in:

    /usr/share/lib/xml/dtd/service_bundle.dtd.1

There are lots of examples in /lib/svc/manifest .  Here's one, from
/lib/svc/manifest/network/network-netcfg.xml:

        <exec_method
                type='method'
                name='start'
                exec='/lib/inet/netcfgd'
                timeout_seconds='600' >
                <method_context>
                        <method_credential user='netcfg' group='netadm'
                                privileges='zone'/>
                </method_context>
        </exec_method>

You normally don't need to change directory in the method script.
Just make it the home directory in the passwd file, and SMF will do
the `cd' for you.  The home directory has to exist, of course.

In the case of the named user, the home directory is /var/chroot/named
and it does not exist by default.  Just specifying `user='named''
won't quite work by itself.

Linux and BSD do not have the fine-grained user privileges that
illumos has.  Instead, they rely on chroot for security.  illumos
privileges would be best for illumos.

If I am truely the only one running named on OI, I can test some
changes to run safely as non-root, but not on my production system.


-- 
-Gary Mills-		-refurb-		-Winnipeg, Manitoba, Canada-

More information about the oi-dev mailing list