named running as named, but queries performed by root?

Kevin Darcy kcd at daimlerchrysler.com
Thu Apr 28 23:57:17 UTC 2005


You'd probably need to talk to the developers/maintainers of the "owner" 
module about this, or figure it out from the source of the module 
yourself. named is uid 0 when it starts up, so maybe the "owner" module 
is still looking at that original uid when tracing the source of the 
packet back to a uid. Another possibility is you've locked your 
query-source port to 53 so the "owner" module is automatically assuming 
uid 0 since that port is in the privileged range...

                                                                         
                                                            - Kevin

Ben Nelson wrote:

>
>So I recently discovered the 'owner' module for iptables.  I decided to
>further lock my nameserver down by replacing the following rules:
>
>iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
>
>with:
>
>iptables -A OUTPUT -p tcp -m owner --uid-owner 40 --dport 53 -j ACCEPT
>iptables -A OUTPUT -p udp -m owner --uid-owner 40 --dport 53 -j ACCEPT
>
>My intention was that the named user (uid 40 on my system) would be the
>only user able to initiate connections to TCP or UDP port 53. Defense in
>depth, right?  I've got named running with '-u named' so this should
>have worked in my mind.  I noticed, however, that after the change BIND
>could no longer perform recursive queries; only answering for zones
>which it is authoritative for.
>
>Long story short, after much playing around I found that the following
>rules allowed my BIND daemon to start performing recursive queries again:
>
>iptables -A OUTPUT -p tcp -m owner --uid-owner 0 --dport 53 -j ACCEPT
>iptables -A OUTPUT -p udp -m owner --uid-owner 0 --dport 53 -j ACCEPT
>
>So....now my question:
>If BIND is running with '-u named' (verified using ps -ef | grep named),
>how come UID 0 (root) is performing the external queries?
>
>This system is a 2.6.10 Linux system running BIND 9.2.5
>
>Thanks,
>- --Ben

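Kevin's reply points at the uid the kernel recorded for named's sockets when they were created, which is not necessarily the uid ps shows for the running process. As an added example (not from the thread, not BIND or iptables code), the following Python reads text in /proc/net/udp or /proc/net/tcp format and reports every port-53 socket whose owner uid is not the expected one; the sample table is constructed, and the column layout assumed is the one Linux prints in those files.

```python
import socket
import struct

def _decode_v4(hexaddr):
    """'0100007F:0035' -> ('127.0.0.1', 53): the kernel prints the IPv4
    address as a little-endian 32-bit hex word and the port in plain hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_table(text):
    """Parse /proc/net/udp or /proc/net/tcp text into one dict per socket.
    Column 7 (0-based, after whitespace split) is the uid the kernel holds
    for the socket; that is the uid the iptables owner match consults."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        rows.append({"local": _decode_v4(fields[1]),
                     "remote": _decode_v4(fields[2]),
                     "uid": int(fields[7]),
                     "inode": int(fields[9])})
    return rows

def sockets_not_owned_by(text, expected_uid, port=53):
    """Sockets bound to or talking to `port` whose owner is not `expected_uid`.
    For a resolver running as uid 40 this should be empty; a uid 0 entry
    here is why only a '--uid-owner 0' rule lets its queries out."""
    return [r for r in parse_proc_net_table(text)
            if port in (r["local"][1], r["remote"][1]) and r["uid"] != expected_uid]

# Constructed sample in /proc/net/udp format, not a capture from a real host:
# a listener on 127.0.0.1:53 owned by uid 40, a query socket 10.0.0.2:53 ->
# 10.0.0.1:53 still owned by uid 0, and an unrelated uid 0 socket on port 22.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000    40        0 18273 2 0000000000000000 0
   1: 0200000A:0035 0100000A:0035 01 00000000:00000000 00:00000000 00000000     0        0 18291 2 0000000000000000 0
   2: 00000000:0016 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 10011 2 0000000000000000 0
"""

if __name__ == "__main__":
    # On a live Linux host, read /proc/net/udp and /proc/net/tcp instead of SAMPLE_UDP.
    for r in sockets_not_owned_by(SAMPLE_UDP, expected_uid=40):
        print("port-53 socket owned by uid %d, not 40: %s -> %s (inode %d)"
              % (r["uid"], r["local"], r["remote"], r["inode"]))
```

The inode column lets you map a stray socket back to its process via /proc/<pid>/fd, which tells you whether it was opened before or after named dropped privileges.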