problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface

Rick Dicaire kritek at gmail.com
Sun Sep 27 17:20:56 UTC 2015


Unless something has changed, root is required to bind to ports below 1024
before privilege separation can begin.

On Sun, Sep 27, 2015 at 11:59 AM, Gordon Lang <glang at goalex.com> wrote:

> Here is the file info:
>
> glang at nstv1:/export/local/ISC> ls -ld bind-9.10.3/sbin bind-9.10.3/sbin/named
> drwxrwsr-x. 2 incadmin network     4096 Sep 26 10:39 bind-9.10.3/sbin
> -rwsr-xr-x. 2 root     network 10095219 Sep 26 09:16 bind-9.10.3/sbin/named
> glang at nstv1:/export/local/ISC>
>
>
> If I run "named" as user 'glang' without the "-u" option, it works fine --
> "named" runs as root (due to the suid file bit) and it listens on port 53
> of the configured IP addresses.
>
> If I run "named" as user 'glang' with the "-u incadmin" option, it does
> not work fine -- it runs with the change of process owner to 'incadmin',
> but it does not listen on any IP addresses.
>
> If I run "named" as user 'root' with the "-u incadmin" option, it works
> fine -- it listens on the configured IPs and it changes the owner of the
> process to 'incadmin'.
>
> --
> Gordon A. Lang
>
>
> On Sun, Sep 27, 2015 at 9:09 AM, Niall O'Reilly <niall.oreilly at ucd.ie>
> wrote:
>
>> On Sat, 26 Sep 2015 17:27:56 +0100,
>> Gordon Lang wrote:
>> >
>> > CHANGE: I did not properly characterize the problem in my original
>> > post, so here is the real situation.
>> >
>> > If the bash shell from which I launch "named" is owned by root, then
>> > "named" runs perfectly using the "-u" option, even listening on the
>> > tun/tap interfaces.
>> > But if I run "named" as a regular user, relying on the SUID file
>> > setting to elevate privileges, then named fails to listen on any
>> > addresses.
>> > I believe the differences I saw before related to tun/tap interfaces
>> > were due to testing on different RedHat platforms, but this revised
>> > problem statement describes what is happening on both platforms.
>> >
>> > So the real problem is this: It seems I can use the SUID file bit to
>> > allow a regular user to launch named, OR I can use the "-u" option of
>> > "named" to lower the privileges after launch (requiring native root
>> > privileges to launch), but I can't use both at the same time.
>> >
>> > Can anyone shed any light on this scenario?
>>
>>   I'm missing some information which might help me understand the
>>   problem: the user and group to which your named belong.
>>
>>   Best regards,
>>   Niall O'Reilly
>>
>>
>
>
> --
> Gordon A. Lang
>



-- 
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
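The ordering Rick describes, bind the privileged port first and only then give up root, as an added C example that is not BIND's own code; it assumes Linux/glibc, a UDP socket on loopback, and uses uid/gid 65534 as a placeholder for the unprivileged account. It also classifies how the process got euid 0, which is the difference between the root-launched and setuid-launched runs in the thread.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* How did this process get euid 0?  Started by root, the real uid is 0 too;
 * started by a regular user through the setuid bit, only the effective uid is 0. */
enum priv_state { PRIV_REAL_ROOT, PRIV_SETUID_ROOT, PRIV_NONE };
enum priv_state privilege_state(void) {
    if (geteuid() != 0) return PRIV_NONE;
    return getuid() == 0 ? PRIV_REAL_ROOT : PRIV_SETUID_ROOT;
}

/* Bind a UDP socket on loopback to a port given in host order.  Ports below 1024
 * need euid 0 (or CAP_NET_BIND_SERVICE), so this must run before the drop. */
int bind_udp_port(unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* constructed: 127.0.0.1 only */
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno; close(fd); errno = saved; return -1;
    }
    return fd;
}

/* The equivalent of named's -u: clear supplementary groups, then setgid/setuid.
 * With euid 0, setuid() replaces real, effective and saved uid together, so the
 * drop is permanent; seteuid(0) must fail afterwards or the drop is incomplete. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) < 0) return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid) { errno = EPERM; return -1; }
    if (seteuid(0) == 0) { errno = EPERM; return -1; }   /* root is still reachable */
    return 0;
}

/* Privileged bind first, then the uid change; the descriptor stays usable after. */
int start_privsep_listener(unsigned short port, uid_t uid, gid_t gid) {
    int fd = bind_udp_port(port);
    if (fd < 0) return -1;
    if (drop_privileges(uid, gid) < 0) { int saved = errno; close(fd); errno = saved; return -1; }
    return fd;
}
```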