BIND 10 #180: b10 start auth server drop privs asap

BIND 10 Development do-not-reply at isc.org
Fri Jun 25 06:18:01 UTC 2010 

#180: b10 start auth server drop privs asap
--------------------------+-------------------------------------------------
 Reporter:  shane         |        Owner:  UnAssigned                                    
     Type:  enhancement   |       Status:  reviewing                                     
 Priority:  major         |    Milestone:  05. 3rd Incremental Release: Serious Secondary
Component:  Boss of BIND  |   Resolution:                                                
 Keywords:                |    Sensitive:  0                                             
--------------------------+-------------------------------------------------

Comment(by shane):

 Realized that maybe I should add a description of the changes.

   * I added a "uid" attribute to the ProcessInfo class, which is changed
 to in the preexec_fn of the POpen instance associated with it. This means
 that after to fork() but before the exec() the process changes to that
 user if it is specified. We do this so we can setuid() for msgq and
 cfgmgr, which have to start before the auth process.
   * I added the uid to the constructor for the BossOfBind class, which is
 what the process ends up setuid() to, if present.
   * I moved the xfrout process after the auth process in startup, because
 it does not need to run as root.
   * Before the auth process stars, setuid() is invoked if a uid is
 specified.
   * Fixed a bug in the return value of restart_processes() that I
 discovered during testing. During shutdown this should return 0, not None,
 because if None is specified the select() will wait until some data is
 ready - and we really just want to skip it and proceed to our cleanup.
   * Set output to line buffering, even when not going to a TTY. This is
 useful for testing, and should not affect performance on such a low output
 program.
   * Added the "-u" (or "--user") option, which accepts UID or user name
   * Check for arguments on start - this is an error and is now reported as
 such
   * Added output when the server is done starting, useful for testing (and
 admins!)
   * Explicitly exit(0) after shutdown, just to be clear what is going on

 There are tests in the tests/test_args.py file which do:

   * Run bind10 without arguments to make sure it starts
   * Run bind10 with an unknown option
   * Run bind10 with an argument
   * Run bind10 with a bogus setuid user name
   * Run bind10 with a bogus setuid UID
   * Run bind10 with a valid setuid name, and make sure it changes to that
 user

 The last test was tricky for 2 reasons. As I mentioned, I don't know a way
 to find out a valid user name on the system (besides root). Also, I don't
 know if there is a generic way to get a list of processes and users. What
 I used will work for Linux and FreeBSD, but probably not for Solaris.

 The test also does not check the user that the various BIND 10 processes
 are running as. This is possibly useful to test, but I'll wait until the
 boss process is changed to run with configurable processes to make that
 check.

-- 
Ticket URL: <http://bind10.isc.org/ticket/180#comment:5>
BIND 10 Development <http://bind10.isc.org>
BIND 10 Development

More information about the bind10-tickets mailing list