What user should be specified for the opendkim -u UID option?

Tom Browder
The docs mention not to use root or postfix for the "-u UID" option. Then what user should it be? Is a new user to be created for that purpose?  Should that same user own the /var/db/dkim directory and files?

Thanks.

-Tom

Re: What user should be specified for the opendkim -u UID option?

Wietse Venema
Tom Browder:
> The docs mention not to use root or postfix for the "-u UID" option. Then
> what user should it be? Is a new user to be created for that purpose?
> Should that same user own the /var/db/dkim directory and files?

All my opendkim FILES are owned by root, in directories owned by
root, and those files/directories are writable only by root. Note
that opendkim reads the secret key before dropping root privileges.

        Wietse

Re: What user should be specified for the opendkim -u UID option?

Tom Browder

On Sun, Sep 3, 2017 at 06:44 Wietse Venema <[hidden email]> wrote:
> Tom Browder:
> > The docs mention not to use root or postfix for the "-u UID" option. Then
> > what user should it be? Is a new user to be created for that purpose?
> > Should that same user own the /var/db/dkim directory and files?
>
> All my opendkim FILES are owned by root, in directories owned by
> root, and those files/directories are writable only by root. Note
> that opendkim reads the secret key before dropping root privileges.

Okay, so I assume opendkim will then be run by the appropriate post* user so I shouldn't use the "-u UID" option?

Thanks, Wietse.

-Tom

>         Wietse

Re: What user should be specified for the opendkim -u UID option?

Wietse Venema
Tom Browder:

> On Sun, Sep 3, 2017 at 06:44 Wietse Venema <[hidden email]> wrote:
>
> > Tom Browder:
> >
> > > The docs mention not to use root or postfix for the "-u UID" option. Then
> > > what user should it be? Is a new user to be created for that purpose?
> > > Should that same user own the /var/db/dkim directory and files?
> >
> > All my opendkim FILES are owned by root, in directories owned by
> > root, and those files/directories are writable only by root. Note
> > that opendkim reads the secret key before dropping root privileges.
>
> Okay, so I assume opendkim will then be run by the appropriate post* user
> so I shouldn't use the "-u UID" option?

AS DOCUMENTED
OPENDKIM MUST NOT RUN AS POSTFIX
OPENDKIM MUST NOT RUN AS ROOT

        Wietse

Re: What user should be specified for the opendkim -u UID option?

Graham Leggett
In reply to this post by Tom Browder
On 03 Sep 2017, at 12:38 PM, Tom Browder <[hidden email]> wrote:

> The docs mention not to use root or postfix for the "-u UID" option. Then what user should it be? Is a new user to be created for that purpose?

Yes.

> Should that same user own the /var/db/dkim directory and files?

No.

The idea is that opendkim’s files must be read only, so that someone who manages to remote control the opendkim process cannot use this to fiddle with the filesystem and opendkim’s settings. You achieve this by making your files owned by one user (Wietse recommended root) and have another user (example: user opendkim) run the opendkim process. In the process, the opendkim process can look, but not touch.

In addition, make the secret readable by root only. Opendkim will read the secret as root on startup, then drop privileges so that anyone who takes over the opendkim user cannot read the secret.

Regards,
Graham




Re: What user should be specified for the opendkim -u UID option?

pgndev
In reply to this post by Tom Browder
fyi, if you prefer a dedicated user approach, just need to make sure you're consistent,

groupdel opendkim
groupadd opendkim
useradd  opendkim -g opendkim -G "" -s /bin/false -d /var/run/opendkim -M
usermod -a -G opendkim postfix

id opendkim
    uid=5117(opendkim) gid=5117(opendkim) groups=5117(opendkim)
id postfix
    uid=5001(postfix) gid=5001(postfix) groups=5001(postfix),12(mail),5002(postdrop),...,5117(opendkim),...


cat /etc/systemd/system/opendkim.service
    ...
    [Service]
    User=opendkim
    Group=opendkim
    Type=forking
    PIDFile=/var/run/opendkim/opendkim.pid
    ExecStart=/opt/opendkim/sbin/opendkim -l -x /usr/local/etc/opendkim/opendkim.conf -u opendkim
    ...

cat /usr/local/etc/opendkim/opendkim.conf
    ...
    UserID    opendkim:opendkim
    Socket    local:/var/run/opendkim/opendkim.sock
    PidFile   /var/run/opendkim/opendkim.pid
    ...

cat /usr/local/etc/opendkim/key_table
    dkim-56..._domainkey.example1.com    example1.com:dkim-56...:/usr/local/etc/sec/dkim/dkim-146...example1.com.key.pem
    dkim-0e..._domainkey.example2.com    example2.com:dkim-0e...:/usr/local/etc/sec/dkim/dkim-146...example2.com.key.pem
    ...

ls -alr /var/run/opendkim
    total 4.0K
    srwxrwxr-x  1 opendkim opendkim    0 Sep  2 09:33 opendkim.sock=
    -rw-r--r--  1 opendkim opendkim    5 Sep  2 09:33 opendkim.pid
    drwxr-xr-x 42 root     root     1.2K Sep  3 08:06 ../
    drwxr-xr-x  2 opendkim opendkim   80 Sep  2 09:33 ./

ls -alr /usr/local/etc/opendkim
    total 40K
    -rw-rw-r--+  1 opendkim opendkim   93 May 30  2016 trusted_hosts
    -rw-r-----+  1 opendkim opendkim 2.1K May 30  2016 signing_table
    -rw-r-----+  1 opendkim opendkim 7.6K May 30 08:26 opendkim.conf
    -rw-r-----+  1 opendkim opendkim 4.1K May 30  2016 key_table
    drwxrwxr-x+ 32 root     root     4.0K Aug 28 07:30 ../
    drwxr-xr-x+  2 opendkim opendkim 4.0K May 30  2016 ./

ls -al /usr/local/etc/sec/dkim
    total 384K
    drwxr-xr-x  2 opendkim opendkim  12K May 30  2016 ./
    drwxr-xr-x 10 root     root     4.0K Aug 28 07:32 ../
    -rw-------  1 opendkim opendkim 1.7K May 30  2016 dkim-14...example1.com.key.pem
    -rw-------  1 opendkim opendkim  451 May 30  2016 dkim-14...example1.com.pubkey.pem
    -rw-------  1 opendkim opendkim 1.7K May 30  2016 dkim-14...example2.com.key.pem
    -rw-------  1 opendkim opendkim  451 May 30  2016 dkim-14...example2.com.pubkey.pem
    ...

cat /usr/local/etc/postfix/master.cf
    ...
    [127.0.0.1]:10005 inet n - n - - smtpd
      -o smtpd_milters=...,unix:/var/run/opendkim/opendkim.sock,...
    ...
    [int.mx.MYDOMAIN.COM]:587 inet n - n - - smtpd
      -o smtpd_milters=...,unix:/var/run/opendkim/opendkim.sock,...
    ...

cat /usr/local/etc/postfix/main.cf
    ...
    authorized_submit_users = ..., opendkim, ...
    ...


works well here.

hth.



Re: What user should be specified for the opendkim -u UID option?

Harald Koch-2
Just a small nit:

running opendkim as user opendkim in the systemd service file completely defeats the ability of opendkim to drop privileges *after* reading the private keys as root. I suspect most people aren't aware that having a daemon start as root and drop privileges itself is a security feature?

Anyway, don't specify "User" and "Group" in the service file, but do use the "-u opendkim" option. And then make the private keys owned by root.

-- 
Harald





Re: What user should be specified for the opendkim -u UID option?

pgndev
fwiw, from Arch wiki

https://wiki.archlinux.org/index.php/OpenDKIM
"The OpenDKIM daemon does not need to run as root at all (the configuration suggested earlier will have OpenDKIM drop root privileges by itself, but systemd can do this too and much earlier)."

cat /etc/systemd/system/opendkim.service
  ...
  [Service]
  Type=forking
  User=opendkim
  Group=postfix
  ...



Re: What user should be specified for the opendkim -u UID option?

Harald Koch-2
haha I was going to mention the Arch Wiki - it also gives misleading advice. Their improved setup has private keys owned by (and writable by!) the same user that the daemon runs as. Hacked daemon -> private key compromise.

The default service file installed by the Arch package runs as root, btw, and drops privileges if you specify a "UserID" in the config file.

-- 
Harald



Re: What user should be specified for the opendkim -u UID option?

Harald Koch-2
Of course, it can't actually be this simple. None of this applies if you use a KeyTable:

"Thus, keys referenced by the KeyTable must always be accessible for read by the unprivileged user."

Those keys are read at first use, not when the daemon starts up. *sigh* I knew there was something I was forgetting.

-- 
Harald




Re: What user should be specified for the opendkim -u UID option?

Tom Browder
On 3 September 2017 at 12:08, pgndev <[hidden email]> wrote:
...

Thanks for all the responses.

Does everyone agree with pgndev's detailed cookbook recipe?

-Tom

Re: What user should be specified for the opendkim -u UID option?

Wietse Venema
In reply to this post by pgndev
pgndev:
> fyi, if you prefer a dedicated user approach, just need to make sure you're
> consistent,
>
> groupdel opendkim
> groupadd opendkim
> useradd  opendkim -g opendkim -G "" -s /bin/false -d /var/run/opendkim -M
> usermod -a -G opendkim postfix

This advice is incorrect. There is no need to add 'postfix' to any group.

        Wietse

Re: What user should be specified for the opendkim -u UID option?

Wietse Venema
In reply to this post by Tom Browder
Tom Browder:
> On 3 September 2017 at 12:08, pgndev <[hidden email]> wrote:
> ...
>
> Thanks for all the responses.
>
> Does everyone agree with pgndev's detailed cookbook recipe?

No, that advice is incorrect.

1) Specify the opendkim '-u' option with an account that is not
   used by anything else. Not postfix. Not wwww. Not your personal
   account.

2) Make opendkim files/directories owned by root and writable
   only by root.

3) Start opendkim as root (DO NOT use systemd user/group settings),

Don't believe info from archwiki or other non-Postfix sites.
They give bad advice such as sharing groups with Postfix
or making opendkim files writable by the opendkim process.

        Wietse

Re: What user should be specified for the opendkim -u UID option?

Harald Koch-2
The info I posted earlier, about private keys read via a KeyTable - that comes from the "FILE PERMISSIONS" section of the opendkim man page.

-- 
Harald


Re: What user should be specified for the opendkim -u UID option?

Tom Browder
In reply to this post by Wietse Venema
On Sun, Sep 3, 2017 at 13:56 Wietse Venema <[hidden email]> wrote:
> Tom Browder:
> > Does everyone agree with pgndev's detailed cookbook recipe?
>
> No, that advice is incorrect.
>
> 1) Specify the opendkim '-u' option with an account that is not
>    used by anything else. Not postfix. Not wwww. Not your personal
>    account.

Choosing 'opendkim' sounds like a good choice.

> 2) Make opendkim files/directories owned by root and writable
>    only by root.
>
> 3) Start opendkim as root (DO NOT use systemd user/group settings),

Do you use a simple init.d script for system reboots? Or a proper systemd service file that does the right thing?

I notice there is a contributed systemd service file with the opendkim source.

-Tom

Re: What user should be specified for the opendkim -u UID option?

Michael Orlitzky-2
In reply to this post by Wietse Venema
On 09/03/2017 07:43 AM, Wietse Venema wrote:
> Tom Browder:
>> The docs mention not to use root or postfix for the "-u UID" option. Then
>> what user should it be? Is a new user to be created for that purpose?
>> Should that same user own the /var/db/dkim directory and files?
>
> All my opendkim FILES are owned by root, in directories owned by
> root, and those files/directories are writable only by root. Note
> that opendkim reads the secret key before dropping root privileges.
>

I just did some experiments with this. If you're using a KeyTable and
SigningTable, it looks like OpenDKIM will read those as root, but not
all of the secret keys.

(The rest is quite skippable if you're not interested in such a setup.)

If your OpenDKIM user is named "opendkim" and is a member of the
"opendkim" group, then the obvious way to deal with that is to make your
keys (and the directories they're contained in) read-only to the
"opendkim" group. So far so good.

But now what if you want to use a local UNIX socket to talk to OpenDKIM?
Postfix needs to be able to write to it. On most systems, the socket
will be created as opendkim:opendkim, and if you add the "postfix" user
to the "opendkim" group, then

  1. that's more access than postfix should have to your keys, and

  2. the OpenDKIM daemon will complain to the effect of #1.

So to share a socket, you need another group. I created a new group
called "milter", and added both the "postfix" and "opendkim" users to
it. Here I tried to tell OpenDKIM to run as "opendkim:milter",  but that
doesn't work because when you specify one particular group, it omits all
of that user's other groups -- including the "opendkim" group that you
need to read your keys!

Fortunately, you can tell the system to use "milter" as the primary
group for the "opendkim" user. Just swap the two with,

  $ usermod -g milter opendkim        # primary group becomes "milter"
  $ usermod -a -G opendkim opendkim   # "opendkim" stays as a secondary group

Now if OpenDKIM is running as user "opendkim", it will create the socket
with that user's primary group "milter", but still be able to access
your keys via the secondary group "opendkim".

To summarize,

  * OpenDKIM runs as UserID "opendkim", an otherwise-unused user.
  * all OpenDKIM files owned by "root"
  * key table and signing table are group "root"
  * secret keys are group "opendkim" and group-read-only
  * socket needs to belong to a third group containing "opendkim"
    and "postfix"
  * you need to make that third group the primary group of "opendkim"
    so that the socket gets created with the correct group
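
The ownership and mode rules in the summary above, together with Wietse Venema's rule about starting opendkim as root, can be checked mechanically. The script below is an added example, not part of the thread or of OpenDKIM; the function names, the mode ceilings (755/644 for configuration, 750/640 for keys) and the use of GNU `stat -c` are assumptions, and the directories are passed in by the caller.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils `stat -c`.

# check_path PATH OWNER GROUP MAX_MODE
# Succeeds only if PATH has exactly this owner and group and carries no
# permission bit outside MAX_MODE (octal, e.g. 640).
check_path() {
    cp_info=$(stat -c '%U %G %a' -- "$1" 2>/dev/null) || {
        echo "MISSING $1"; return 1; }
    cp_owner=${cp_info%% *}
    cp_rest=${cp_info#* }
    cp_group=${cp_rest%% *}
    cp_mode=${cp_rest#* }
    # Bits that are set on the file but not allowed by the ceiling.
    cp_extra=$(( 0$cp_mode & ~0$4 & 07777 ))
    if [ "$cp_owner" != "$2" ] || [ "$cp_group" != "$3" ] ||
       [ "$cp_extra" -ne 0 ]; then
        echo "BAD     $1 is $cp_owner:$cp_group $cp_mode, want $2:$3, at most $4"
        return 1
    fi
    echo "ok      $1"
}

# unit_starts_as_root UNITFILE
# Succeeds if the unit sets neither User= nor Group=, so that opendkim starts
# as root and switches to the -u / UserID account itself.
unit_starts_as_root() {
    [ -r "$1" ] || { echo "MISSING $1"; return 1; }
    if grep -Eq '^[[:space:]]*(User|Group)[[:space:]]*=' "$1"; then
        echo "BAD     $1 sets User=/Group=, opendkim never runs as root"
        return 1
    fi
    echo "ok      $1"
}

# audit_opendkim CONF_DIR KEY_DIR UNITFILE [KEY_GROUP]
# Mode ceilings are assumptions: 755/644 for root:root configuration,
# 750/640 for root:KEY_GROUP key material (group may read, nobody else).
audit_opendkim() {
    ao_rc=0
    ao_grp=${4:-opendkim}
    unit_starts_as_root "$3" || ao_rc=1
    check_path "$1" root root 755 || ao_rc=1
    for ao_f in "$1"/*; do
        if [ -f "$ao_f" ]; then check_path "$ao_f" root root 644 || ao_rc=1; fi
    done
    check_path "$2" root "$ao_grp" 750 || ao_rc=1
    for ao_f in "$2"/*; do
        if [ -f "$ao_f" ]; then check_path "$ao_f" root "$ao_grp" 640 || ao_rc=1; fi
    done
    return "$ao_rc"
}

# Run only when the three paths are given on the command line:
#   sh audit.sh CONF_DIR KEY_DIR UNITFILE [KEY_GROUP]
if [ "$#" -ge 3 ]; then audit_opendkim "$@"; fi
```

A non-zero exit status means at least one path is owned by the wrong account, is more permissive than its ceiling, or the unit file drops privileges before opendkim starts.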

Re: What user should be specified for the opendkim -u UID option?

Matus UHLAR - fantomas
In reply to this post by Wietse Venema
>Tom Browder:
>> Does everyone agree with pgndev's detailed cookbook recipe?

On 03.09.17 14:55, Wietse Venema wrote:
>No, that advice is incorrect.
>
>1) Specify the opendkim '-u' option with an account that is not
>   used by anything else. Not postfix. Not wwww. Not your personal
>   account.
>
>2) Make opendkim files/directories owned by root and writable
>   only by root.

what about readable by opendkim?

>3) Start opendkim as root (DO NOT use systemd user/group settings),

with the above, starting under opendkim:opendkim should be fine.
Of course, unless someone else has access to the opendkim group.
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
On the other hand, you have different fingers.