[bind10-dev] Possible suid root on b10-sockcreator

JINMEI Tatuya / 神明達哉 jinmei at isc.org
Mon Dec 19 19:10:40 UTC 2011


At Fri, 16 Dec 2011 19:51:26 +0100,
Michal 'vorner' Vaner <michal.vaner at nic.cz> wrote:

>   Pros:
>   - No need to become completely root to start it.
>   - Consistent with the fact we don't support daemon mode directly either, e.g. it
>     is handled by external tools. If the user wants it to run as a different user,
>     he would use su.
>   - We could drop all the code that handles users. It would mean less tricky
>     code, so less chance to screw it up for us.
>   - The socket creator could potentially restart if it crashed due to the OOM killer
>     or something. It could even be started on demand and stopped when not used
>     for some time, to not clutter the process list.

I really didn't understand the first two.  The third one seems to be a
real benefit if we could really eliminate the option for the user to
change run time users.  I'm not sure if it's the case though.  I see
the advantage of the fourth one, too; however my general understanding
was that if socketcreator ever crashed we'd rather stop the entire
system.  At least I'd hold off to see how often/common the crash could
happen before jumping to the setuid+restart approach for this reason.

> So, there are two questions:
> • Are there other pros and cons I didn't mention?
> • Which one is better? Or should we support both modes?

Overall, I'm not sure.  I see some advantage of this approach as
commented above, but for now it doesn't seem to be sufficiently strong
especially if that's something administrators are not willing to
accept.  One thing I'd point out at this moment is that if we end up
providing both modes, that would kill the third advantage, and since I'm
not yet convinced that the fourth one is really a good idea, I'd hold
off until we see a stronger need for this approach.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.