[bind10-dev] Possible suid root on b10-sockcreator

Michal 'vorner' Vaner michal.vaner at nic.cz
Fri Dec 16 18:51:26 UTC 2011


Hello

As we briefly talked on the call, there are two possibilities for how to make sure
the socket creator is root and everything runs under a different user.

• The current way (yet unfinished): the boss is started as root, it starts the
  socket creator and then switches itself to a different user, passed on the
  command line.
  Pros:
  - Users probably know what is happening.
  - If root wants to run as a user, no different programs to handle it are
    needed.
• Have setuid on the b10-sockcreator binary and have it owned by root (readable
  and executable by the bind10 group only, so normal users couldn't start it).
  Pros:
  - No need to become completely root to start it.
  - Consistent with the fact we don't support daemon mode directly either, e.g. it
    is handled by external tools. If the user wants it to run as a different user,
    he would use su.
  - We could drop all the code that handles users. It would mean less tricky
    code, so less chance for us to screw it up.
  - The socket creator could potentially restart if it was killed by the OOM
    killer or something. It could even be started on demand and stopped when not
    used for some time, so it doesn't clutter the process list.
  Cons:
  - Some admins might feel bad about a binary with setuid on it.

So, there are two questions:
• Are there other pros and cons I didn't mention?
• Which one is better? Or should we support both modes?

Thanks

-- 
Java: Write once, run everywhere
Perl: Write once, run away
Perl6: Don't write, it DWYW

Michal 'vorner' Vaner
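The two models above, as an added example in C that is not BIND 10 code and not the author's: `drop_privileges` is the boss-side switch of the first model (supplementary groups, then gid, then uid, in that order, followed by a check that the kernel really reports the new ids), `root_is_unreachable` is the post-drop sanity check that root cannot be regained, and `sockcreator_mode_ok` checks a file's owner, group and mode against the second model's policy (root-owned, setuid, readable and executable by the bind10 group only, not writable by anyone but root). All function names are hypothetical, and the gid of the bind10 group is assumed to be supplied by the caller.

```c
/* Added example, not BIND 10 code. Function names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Model 1: the boss starts as root, starts the socket creator, then switches to
 * the user named on the command line. Order matters: supplementary groups first
 * (only root may change them), then gid, then uid; once the uid is gone the other
 * two calls would fail. Returns 0 on success, -1 with errno set otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (uid == 0) { errno = EINVAL; return -1; }   /* "dropping" to root is not a drop */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Verify: the kernel must report the new ids, or the drop did not happen. */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* After the drop, setuid(0) must fail with EPERM. A process that can still
 * become root (e.g. a saved uid left at 0) has not really dropped anything. */
int root_is_unreachable(void) {
    if (setuid(0) == 0) return 0;   /* we got root back: the drop was incomplete */
    return errno == EPERM;
}

/* Model 2: b10-sockcreator is owned by root, setuid, and readable/executable by
 * the bind10 group only. Given owner, group and mode (as from stat()), check that
 * the file matches that policy exactly. Returns 1 if it does, 0 otherwise. */
int sockcreator_mode_ok(uid_t owner, gid_t group, gid_t bind10_gid, mode_t mode) {
    if (owner != 0) return 0;                  /* setuid only helps on root's file */
    if (group != bind10_gid) return 0;         /* the group gate must be bind10 */
    if (!(mode & S_ISUID)) return 0;           /* setuid bit must be present */
    if (mode & (S_IWGRP | S_IWOTH)) return 0;  /* writable by others: replaceable */
    if (mode & S_IRWXO) return 0;              /* normal users must not start it */
    if ((mode & (S_IRGRP | S_IXGRP)) != (S_IRGRP | S_IXGRP)) return 0; /* group runs it */
    return 1;
}

/* stat() a path and apply the policy check; -1 if the path cannot be stat()ed. */
int check_sockcreator_binary(const char *path, gid_t bind10_gid) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return sockcreator_mode_ok(st.st_uid, st.st_gid, bind10_gid, st.st_mode);
}

/* Stand-alone use: `./a.out <user>` drops to that user and reports the result. */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <user>\n", argv[0]); return 2; }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) { fprintf(stderr, "unknown user %s\n", argv[1]); return 2; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("now uid=%d gid=%d, root reachable: %s\n", (int)getuid(), (int)getgid(),
           root_is_unreachable() ? "no" : "YES");
    return 0;
}
```

The mode check is deliberately strict: a setuid binary that is group-writable or world-executable defeats the point of the group gate, so it is rejected rather than merely warned about.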