Fwd: problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface

Gordon Lang glang at goalex.com
Tue Sep 29 21:29:41 UTC 2015


---------- Forwarded message ----------
From: Gordon Lang <glang at goalex.com>
Date: Tue, Sep 29, 2015 at 5:29 PM
Subject: Re: problem using setuid ("-u" option) with BIND 9.10.3 on RedHat
when listening on tun/tap interface
To: Carl Byington <carl at byington.org>


--disable-threads fixes the problem.

But now the question is whether or not there is a way to make things work
without disabling threads?  Does anyone have insight into why supporting
threads might interfere with the normal SUID bit based change of the
effective user id?

Thanks.

--
Gordon A. Lang

On Tue, Sep 29, 2015 at 11:02 AM, Carl Byington <carl at byington.org> wrote:

> > Thanks.  I appreciate the information and the insights.  I will add it
> > to my list to learn more about SEL features.  I will also take a look
> > at the source RPM option.  I am skeptical about it fixing my problem
> > at hand, but who knows -- anything is worth a try at this point.
> > Thanks again.
>
> From Mark Andrews' list message:
>
> 9.9.3 doesn't build threaded by default.
> 9.10.3 does build threaded by default.
>
> So you might try:
>
>     ./configure --disable-threads --prefix=/export/local/ISC/bind-9.10.3
>     make
>     make install
>     ...
>
>
> My source rpm will build with threads enabled. From the syslog entries
> on startup:
>
> Sep 16 15:53:12 ns named[17505]: starting BIND 9.10.3 <id:2799933> -u
> named
> Sep 16 15:53:12 ns named[17505]: built with '--build=x86_64-redhat-
> linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-
> linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--
> bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--
> datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '
> --libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--
> mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--
> localstatedir=/var' '--enable-threads' '--enable-ipv6' '--enable-filter-
> aaaa' '--with-pic' '--disable-static' '--disable-openssl-version-check'
> '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-
> fixed-rrset' '--enable-sit' '--enable-fetchlimit' '--with-gssapi=yes'
> '--disable-isc-spnego' '--with-tuning=large' '--with-geoip' '--with-
> python' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-
> linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe
> -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param
> =ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE'
>

