Re: Any issues running as root vs. opendkim?

From: Steve Jenkins <steve_at_stevejenkins.com>
Date: Wed, 30 Jul 2014 13:26:39 -0700

On Wed, Jul 30, 2014 at 1:22 PM, Todd Lyons <tlyons_at_ivenue.com> wrote:

> On Wed, Jul 30, 2014 at 12:51 PM, Steve Jenkins <steve_at_stevejenkins.com>
> wrote:
> > My default opendkim.conf file has:
> >
> > UserID opendkim:opendkim
> >
> >
> > But I'm attempting to help resolve this bug:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=891292
> >
> > Please refer to my comment #47.
> >
> > It is OK to run the opendkim process as root?
>
> No, it's not ok to run as root. Basically, selinux wants root to be
> the owner of pretty much everything /etc, so make everything be owned
> by root:%{name}.
>
> I am no selinux expert, but I think in order to fix your packaging,
> the comment 36 addresses what to do with the files in the
> /etc/opendkim/ subdirectory:
>
> -%config(noreplace) %attr(640,%{name},%{name})
> %{_sysconfdir}/%{name}/SigningTable
> -%config(noreplace) %attr(640,%{name},%{name})
> %{_sysconfdir}/%{name}/KeyTable
> -%config(noreplace) %attr(640,%{name},%{name})
> %{_sysconfdir}/%{name}/TrustedHosts
> +%config(noreplace) %attr(640,root,%{name})
> %{_sysconfdir}/%{name}/SigningTable
> +%config(noreplace) %attr(640,root,%{name}) %{_sysconfdir}/%{name}/KeyTable
> +%config(noreplace) %attr(640,root,%{name})
> %{_sysconfdir}/%{name}/TrustedHosts
>
> Then per comment 37, make the keys subdirectories have root own them,
> but group opendkim can read:
> %dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}
> %dir %attr(640,%{name},%{name}) %{_sysconfdir}/%{name}/keys
>
> Then make the default supplied keys have something accessible yet
> group restricted the way that opendkim requires:
>
> %config(noreplace) %attr(640,root,%{name})
> %{_sysconfdir}/%{name}/keys/*.private
> %config(noreplace) %attr(644,root,%{name})
> %{_sysconfdir}/%{name}/keys/*.txt
>
> I think that the %post by default will include a restorecon so you
> shouldn't have to mess with that manually.
>
> Hopefully this will help a bit, or at least spark a bit of genius
> among those who know selinux better than us. :-)


Thanks, Todd.

I think I have it figured out. It takes the ownership and permissions as
shown in Comment 36... but that's going to require an update to something
in the source -- the default keygen script that sets permission for the
default keys when OpenDKIM starts for the first time.

Here's my updated contrib/init/redhat/opendkim-default-keygen.in

https://github.com/stevejenkins/OpenDKIM-Fedora/blob/develop/contrib/init/redhat/opendkim-default-keygen.in

Only difference is line 32: chmod should be 640, instead of 600.

Can someone with commit privileges make that change to the OpenDKIM source,
and then I'll just patch it for now in this Fedora build?

Thanks,

SteveJ
Received on Wed Jul 30 2014 - 20:26:55 PST

This archive was generated by hypermail 2.3.0 : Wed Jul 30 2014 - 20:36:01 PST