problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface

Gordon Lang glang at
Sun Sep 27 15:59:14 UTC 2015

Here is the file info:

glang at nstv1:/export/local/ISC> ls -ld bind-9.10.3/sbin
drwxrwsr-x. 2 incadmin network     4096 Sep 26 10:39 bind-9.10.3/sbin
-rwsr-xr-x. 2 root     network 10095219 Sep 26 09:16 bind-9.10.3/sbin/named
glang at nstv1:/export/local/ISC>

If I run "named" as user 'glang' without the "-u" option, it works fine --
"named" runs as root (due to the suid file bit) and it listens on port 53
of the configured IP addresses.

If I run "named" as user 'glang' with the "-u incadmin" option, it does not
work fine -- it runs with the change of process owner to 'incadmin', but it
does not listen on any IP addresses.

If I run "named" as user 'root' with the "-u incadmin" option, it works
fine -- it listens on the configured IPs and it changes the owner of the
process to 'incadmin'.

Gordon A. Lang

On Sun, Sep 27, 2015 at 9:09 AM, Niall O'Reilly <niall.oreilly at>

> On Sat, 26 Sep 2015 17:27:56 +0100,
> Gordon Lang wrote:
> >
> > CHANGE: I did not properly characterize the problem in my original
> > post, so here is the real situation.
> >
> > If the bash shell from which I launch "named" is owned by root, then
> > "named" runs perfectly using the "-u" option, even listening on the
> > tun/tap interfaces.
> > But if I run "named" as a regular user, relying on the SUID file
> > setting to elevate privileges, then named fails to listen on any
> > addresses.
> > I believe the differences I saw before related to tun/tap interfaces
> > were due to testing on different RedHat platforms, but this revised
> > problem statement describes what is happening on both platforms.
> >
> > So the real problem is this: It seems I can use the SUID file bit to
> > allow a regular user to launch named, OR I can use the "-u" option of
> > "named" to lower the privileges after launch (requiring native root
> > privileges to launch), but I can't use both at the same time.
> >
> > Can anyone shed any light on this scenario?
>   I'm missing some information which might help me understand the
>   problem: the user and group to which your named belong.
>   Best regards,
>   Niall O'Reilly


Gordon A. Lang
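As an added diagnostic for the scenario above (not code from the thread or from BIND): on Linux a process that is no longer root, such as named after switching to its "-u" user, can only bind port 53 if CAP_NET_BIND_SERVICE is in its effective capability set, and /proc/<pid>/status shows both the uid transitions and the capability masks. The status dumps and uid 1001 below are constructed samples standing in for the 'incadmin' case; the capability bit numbers are the kernel's fixed values.

```python
import re

# Capability bit numbers from linux/capability.h (fixed kernel constants).
CAP_BITS = {"CAP_SETGID": 6, "CAP_SETUID": 7, "CAP_SETPCAP": 8,
            "CAP_NET_BIND_SERVICE": 10}

# Constructed sample dumps; uid 1001 stands in for the thread's 'incadmin'.
STATUS_NO_CAPS = """\
Name:\tnamed
Uid:\t1001\t1001\t1001\t1001
Gid:\t1001\t1001\t1001\t1001
CapInh:\t0000000000000000
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t0000001fffffffff
"""
# Same process, but with bit 10 (CAP_NET_BIND_SERVICE) kept in CapEff.
STATUS_WITH_BIND_CAP = STATUS_NO_CAPS.replace(
    "CapEff:\t0000000000000000", "CapEff:\t0000000000000400")

def parse_status(text):
    """Decode Uid/Gid (real, effective, saved, fs) and the hex Cap* masks."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(Uid|Gid):\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)$", line)
        if m:
            ids = map(int, m.group(2, 3, 4, 5))
            info[m.group(1)] = dict(zip(("real", "effective", "saved", "fs"), ids))
            continue
        m = re.match(r"^(Cap(?:Inh|Prm|Eff|Bnd)):\s+([0-9a-fA-F]+)$", line)
        if m:
            info[m.group(1)] = int(m.group(2), 16)
    return info

def has_cap(capmask, name):
    """True if the named capability bit is set in a decoded Cap* mask."""
    return (capmask >> CAP_BITS[name]) & 1 == 1

def can_bind_privileged_port(info):
    """A non-root process needs CAP_NET_BIND_SERVICE in CapEff to bind port 53."""
    return info["Uid"]["effective"] == 0 or has_cap(info["CapEff"], "CAP_NET_BIND_SERVICE")

def check_pid(pid):
    """Run the same check against a live process on a Linux host."""
    with open(f"/proc/{pid}/status") as f:
        return can_bind_privileged_port(parse_status(f.read()))
```

Comparing the Uid line and CapEff of a named started as root with those of one started through the setuid binary shows directly which of the two runs kept the capability after the "-u" switch.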