problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface
kritek at gmail.com
Sun Sep 27 17:20:56 UTC 2015
Unless something has changed, root is required to bind to ports below 1024
before privilege separation can begin.
On Sun, Sep 27, 2015 at 11:59 AM, Gordon Lang <glang at goalex.com> wrote:
> Here is the file info:
> glang at nstv1:/export/local/ISC> ls -ld bind-9.10.3/sbin
> drwxrwsr-x. 2 incadmin network 4096 Sep 26 10:39 bind-9.10.3/sbin
> -rwsr-xr-x. 2 root network 10095219 Sep 26 09:16 bind-9.10.3/sbin/named
> glang at nstv1:/export/local/ISC>
> If I run "named" as user 'glang' without the "-u" option, it works fine --
> "named" runs as root (due to the suid file bit) and it listens on port 53
> of the configured ip addresses.
> If I run "named" as user 'glang' with the "-u incadmin" option, it does
> not work fine -- it runs with the change of process owner to 'incadmin',
> but it does not listen on any ip addresses.
> If I run "named" as user 'root' with the "-u incadmin" option, it works
> fine -- it listens on the configured ip's and it changes the owner of the
> process to 'incadmin'.
> Gordon A. Lang
> On Sun, Sep 27, 2015 at 9:09 AM, Niall O'Reilly <niall.oreilly at ucd.ie> wrote:
>> On Sat, 26 Sep 2015 17:27:56 +0100,
>> Gordon Lang wrote:
>> > CHANGE: I did not properly characterize the problem in my original
>> > post, so here is the real situation.
>> > If the bash shell from which I launch "named" is owned by root, then
>> > "named" runs perfectly using the "-u" option, even listening on the
>> > tun/tap interfaces.
>> > But if I run "named" as a regular user, relying on the SUID file
>> > setting to elevate privileges, then named fails to listen on any
>> > addresses.
>> > I believe the differences I saw before related to tun/tap interfaces
>> > were due to testing on different RedHat platforms, but this revised
>> > problem statement describes what is happening on both platforms.
>> > So the real problem is this: It seems I can use the SUID file bit to
>> > allow a regular user to launch named, OR I can use the "-u" option of
>> > "named" to lower the privileges after launch (requiring native root
>> > privileges to launch), but I can't use both at the same time.
>> > Can anyone shed any light on this scenario?
>> I'm missing some information which might help me understand the
>> problem: the user and group to which your named belong.
>> Best regards,
>> Niall O'Reilly
> Gordon A. Lang
aRDy Music and Rick Dicaire present:
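As an added illustration of the ordering Rick's reply describes (example code written for this archive, not from the thread or from BIND), the program below binds 127.0.0.1:53 while the process is still privileged, then drops to an unprivileged uid/gid with setgroups()/setgid()/setuid() and shows the same bind failing with EACCES afterwards. The loopback address, the default target uid 65534 and the fixed port 53 are assumptions; run it as root, then as a regular user, to see the real/effective uid difference Gordon observed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Ports below 1024 need root (or, on Linux, CAP_NET_BIND_SERVICE) to bind. */
int is_privileged_port(unsigned short port) { return port < 1024; }

/* Try to bind a UDP socket to 127.0.0.1:port, then release it.
 * Returns 0 on success, otherwise the errno from socket()/bind();
 * an unprivileged process gets EACCES for a privileged port. */
int try_bind_udp(unsigned short port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return errno;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = htons(port);
    int err = bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 ? 0 : errno;
    close(fd);
    return err;
}

/* Permanently drop to uid/gid. Groups and gid go first, uid last: once the
 * uid is non-root the group changes would fail. Returns 0 or an errno. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) return errno;
    if (setgid(gid) != 0) return errno;
    if (setuid(uid) != 0) return errno;
    return 0;
}

int main(int argc, char **argv) {
    /* Constructed demo: target uid/gid from argv[1], default 65534 (nobody). */
    uid_t target = argc > 1 ? (uid_t)atoi(argv[1]) : 65534;
    printf("real uid %d, effective uid %d\n", (int)getuid(), (int)geteuid());
    int e = try_bind_udp(53);
    printf("bind 127.0.0.1:53 before dropping: %s\n", e ? strerror(e) : "ok");
    if (geteuid() == 0 && (e = drop_privileges(target, target)) != 0)
        printf("drop_privileges failed: %s\n", strerror(e));
    e = try_bind_udp(53);
    printf("bind 127.0.0.1:53 after dropping: %s\n", e ? strerror(e) : "ok");
    return 0;
}
```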