named running as named, but queries performed by root?

Ben Nelson lists at venom600.org
Fri Apr 22 16:28:09 UTC 2005



So I recently discovered the 'owner' module for iptables.  I decided to
further lock my nameserver down by replacing the following rules:

iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

with:

iptables -A OUTPUT -p tcp -m owner --uid-owner 40 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m owner --uid-owner 40 --dport 53 -j ACCEPT

My intention was that the named user (uid 40 on my system) would be the
only user able to initiate connections to TCP or UDP port 53. Defense in
depth, right?  I've got named running with '-u named' so this should
have worked in my mind.  I noticed, however, that after the change BIND
could no longer perform recursive queries; only answering for zones
which it is authoritative for.

Long story short, after much playing around I found that the following
rules allowed my BIND daemon to start performing recursive queries again:

iptables -A OUTPUT -p tcp -m owner --uid-owner 0 --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m owner --uid-owner 0 --dport 53 -j ACCEPT

So... now my question:
If BIND is running with '-u named' (verified using ps -ef | grep named),
how come UID 0 (root) is performing the external queries?

This system is a 2.6.10 Linux system running BIND 9.2.5.

Thanks,
--Ben
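The uid that the iptables owner match compares against is the one recorded on the socket when it was created, and that same value is what the uid column of /proc/net/udp and /proc/net/tcp shows. The following is an added diagnostic (not from the poster, and not part of BIND or iptables) that parses those tables so you can see which uid actually owns each socket and spot sockets a daemon created before dropping privileges; the named uid of 40, the two sample rows and the little-endian host layout are assumptions.

```python
import os
import socket
import struct
from collections import namedtuple

# Constructed sample of /proc/net/udp (little-endian host): a listener on
# 127.0.0.1:53 created by uid 40 (named) and an ephemeral-port socket on
# 10.0.0.2 created by uid 0 (root), i.e. before the privilege drop.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000    40        0 12345 2 00000000 0
   1: 0200000A:C7B2 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12346 2 00000000 0
"""

Sock = namedtuple("Sock", "local_ip local_port remote_ip remote_port uid inode")


def _parse_addr(field):
    """Decode the 'HHHHHHHH:PPPP' form used by /proc/net/{tcp,udp}.
    The kernel prints the raw 32-bit address, so on a little-endian host the
    bytes appear reversed; pack with '<I' to recover dotted-quad order."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_table(text):
    """Parse one /proc/net/{tcp,udp} table into Sock records."""
    socks = []
    for line in text.splitlines()[1:]:          # first row is the header
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = _parse_addr(f[1])
        rip, rport = _parse_addr(f[2])
        socks.append(Sock(lip, lport, rip, rport, int(f[7]), int(f[9])))
    return socks


def sockets_not_owned_by(text, expected_uid):
    """(uid, local_port) of sockets whose creator uid is not expected_uid.
    These are exactly the sockets an owner-match rule for expected_uid
    would fail to match, even if the process now runs as that uid."""
    return [(s.uid, s.local_port) for s in parse_table(text) if s.uid != expected_uid]


if __name__ == "__main__":
    for path in ("/proc/net/udp", "/proc/net/tcp"):
        if os.path.exists(path):                 # live tables on Linux only
            with open(path) as fh:
                for item in sockets_not_owned_by(fh.read(), 40):
                    print(path, "uid=%d local_port=%d" % item)
```

Run it as root on the nameserver to list every socket not attributed to the named uid; a resolver socket showing uid 0 there explains why only a uid 0 owner rule lets recursion through.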
