<div dir="ltr">Unless something has changed, root is required to bind to ports below 1024 before privilege separation can begin.</div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Sep 27, 2015 at 11:59 AM, Gordon Lang <span dir="ltr"><<a href="mailto:glang@goalex.com" target="_blank">glang@goalex.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Here is the file info:<br><br>glang@nstv1:/export/local/ISC> ls -ld bind-9.10.3/sbin bind-9.10.3/sbin/named<br>drwxrwsr-x. 2 incadmin network 4096 Sep 26 10:39 bind-9.10.3/sbin<br>-rwsr-xr-x. 2 root network 10095219 Sep 26 09:16 bind-9.10.3/sbin/named<br>glang@nstv1:/export/local/ISC><br><br><br>If I run "named" as user 'glang' without the "-u" option, it works fine -- "named" runs as root (due to the suid file bit) and it listens on port 53 of the configured ip addresses.<br><br>If I run "named" as user 'glang' with the "-u incadmin" option, it does not work fine -- it runs with the change of process owner to 'incadmin', but it does not listen on any ip addresses.<br><br>If I run "named" as user 'root' with the "-u incadmin" option, it works fine -- it listens on the configured ip's and it changes the owner of the process to 'incadmin'.<br><br>--<br>Gordon A. Lang<br><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Sep 27, 2015 at 9:09 AM, Niall O'Reilly <span dir="ltr"><<a href="mailto:niall.oreilly@ucd.ie" target="_blank">niall.oreilly@ucd.ie</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Sat, 26 Sep 2015 17:27:56 +0100,<br>
Gordon Lang wrote:<br>
><br>
> CHANGE: I did not properly characterized the problem in my original<br>
> post, so here is the real situation.<br>
><br>
> If the bash shell from which I launch "named" is owned by root, then<br>
> "named" runs perfectly using the "-u" option, even listening on the<br>
> tun/tap interfaces.<br>
> But if I run "named" as a regular user, relying on the SUID file<br>
> setting to elevate privileges, then named fails to listen on any<br>
> addresses.<br>
> I believe the differences I saw before related to tun/tap interfaces<br>
> were due to testing on different RedHat platforms, but this revised<br>
> problem statement describes what is happening on both platforms.<br>
><br>
> So the real problem is this: It seems I can use the SUID file bit to<br>
> allow a regular user to launch named, OR I can use the "-u" option of<br>
> "named" to lower the privileges after launch (requiring native root<br>
> privileges to launch), but I can't use both at the same time.<br>
><br>
> Can anyone shed any light on this scenario?<br>
<br>
</span> I'm missing some information which might help me understand the<br>
problem: the user and group to which your named belong.<br>
<br>
Best regards,<br>
Niall O'Reilly<br>
<br><span class="HOEnZb"><font color="#888888">
</font></span></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br><div><div dir="ltr"><br><div>--</div><div>Gordon A. Lang</div></div></div>
</font></span></div></div>
<br>_______________________________________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">aRDy Music and Rick Dicaire present:<br><a href="http://www.ardynet.com" target="_blank">http://www.ardynet.com</a><br><a href="http://www.ardynet.com:9000/ardymusic.ogg.m3u" target="_blank">http://www.ardynet.com:9000/ardymusic.ogg.m3u</a></div>
</div>