setsocket errors - and a journal file question

[Mark.Andrews at nominum.com]

> 
> 
> > 
> > 	named gives up most of it privledges including those to write
> > 	to arbitary files.  Make sure the file permissions are such
> > 	that named can write to the files (ad directories) as if root
> > 	was a ordinary user.
> > 
> > 	Mark
> 
> Um, Huh?  I run named as user named, group named on my boxes.  It sounds
> like you are saying I doesn't need to do that?
> 
> -Jeff
> 
> > --
> > Mark Andrews, Nominum Inc.
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
> > 
> > 
> > 
> 
> 
> 
	From the 9.1 FAQ.

Q: Why doesn't -u work on Linux 2.2.x?

A: Linux threads do not fully implement the Posix threads (pthreads) standard.
In particular, setuid() operates only on the current thread, not the full
process.  Because of this limitation, BIND 9 cannot use setuid() on Linux as it
can on all other supported platforms.  setuid() cannot be called before
creating threads, since the server does not start listening on reserved ports
until after threads have started.

  In the 2.3.99-pre3 and newer kernels, the ability to preserve capabilities
across a setuid() call is present.  This allows BIND 9 to call setuid() early,
while retaining the ability to bind reserved ports.  This is a Linux-specific
hack.

  On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
of a security risk than a root process that has not dropped privileges.

  If Linux threads ever work correctly, this restriction will go away.

  Configuring BIND9 with the --disable-threads option causes a non-threaded
version to be built, which will allow -u to be used.

--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com