DNS name resolution failing - EPERM error
Kevin Darcy
kcd at daimlerchrysler.com
Thu Aug 5 23:24:43 UTC 2004
Greg Larkin wrote:
>Hi there,
>
>I am trying to fix a problem on a Gentoo box that I am administering.
>"uname -a" reports the following:
>
>Linux host.name.com 2.4.19-gentoo-r10 #1 SMP Mon Jan 6 11:20:35 EST
>2003 i686 Intel(R) Xeon(TM) CPU 2.40GHz GenuineIntel GNU/Linux
>
>I just discovered that I cannot ping any hosts from this machine due
>to name resolution failures, except the ones defined in /etc/hosts. I
>am running commands as root, but they still can't seem to open the raw
>socket to the DNS servers to send name resolution requests.
>
>For instance:
>
># ping rsync.gentoo.org
>ping: unknown host rsync.gentoo.org
>
>I ran the same command with strace and saw these messages in the
>output file:
>
>...
>...
>socket(PF_INET, SOCK_RAW, IPPROTO_ICMP) = -1 EPERM (Operation not
>permitted)
>
Well, "ping" uses raw sockets because it uses ICMP, and raw sockets
require privileged and/or superuser authority. That's why the "ping"
executable is set-uid root on some (Solaris at least) platforms. Is it
not set-uid root on Gentoo?
Resolver calls, however, do *not* need access to raw sockets. Plain old
UDP or TCP sockets work just fine. If resolver calls required raw
sockets, then every program that looked up DNS names would need to be
privileged...
>...
>...
>send(3, "5\4\1\0\0\1\0\0\0\0\0\0\5rsync\6gentoo\3org\0\0\1\0\1", 34,
>0) = -1 EPERM (Operation not permitted)
>...
>
Now, this is more interesting, and seemingly unrelated to the EPERM
result above. Trouble is, I can't find EPERM as a valid return for the
send() call on any man page I looked at. Does it mean something special
on Gentoo? What does your man page for send() say?
- Kevin
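The two kinds of socket Kevin contrasts, as an added example that is not part of the original thread: a short C program (Linux assumed) that probes whether the caller can open a raw ICMP socket versus a plain UDP socket, then decodes a constructed copy of the 34-byte send() payload from the strace output above to show it is an ordinary DNS A query for rsync.gentoo.org that needs no raw socket at all. The struct and function names are this example's own.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Constructed copy of the 34 bytes strace showed the resolver writing with
 * send(3, ...): "5\4\1\0\0\1\0\0\0\0\0\0\5rsync\6gentoo\3org\0\0\1\0\1". */
static const unsigned char kQuery[34] = {
    0x35, 0x04,             /* transaction ID ("5\4") */
    0x01, 0x00,             /* flags: standard query, recursion desired */
    0x00, 0x01,             /* QDCOUNT = 1 */
    0x00, 0x00, 0x00, 0x00, /* ANCOUNT, NSCOUNT */
    0x00, 0x00,             /* ARCOUNT */
    5, 'r', 's', 'y', 'n', 'c',
    6, 'g', 'e', 'n', 't', 'o', 'o',
    3, 'o', 'r', 'g',
    0,                      /* zero-length label ends the QNAME */
    0x00, 0x01,             /* QTYPE = A */
    0x00, 0x01              /* QCLASS = IN */
};

struct dns_question {
    uint16_t id, flags, qdcount, qtype, qclass;
    char qname[256];        /* dotted name, 255 octets max per RFC 1035 */
};

/* Parse the header and first question of a DNS query (example code).
 * Returns 0 on success, -1 if the buffer is truncated or a label is bad.
 * Compression pointers never appear in a query's question, so any label
 * byte >= 64 is rejected rather than followed. */
int parse_dns_query(const unsigned char *buf, size_t len, struct dns_question *out)
{
    if (len < 12) return -1;
    out->id      = (uint16_t)(buf[0] << 8 | buf[1]);
    out->flags   = (uint16_t)(buf[2] << 8 | buf[3]);
    out->qdcount = (uint16_t)(buf[4] << 8 | buf[5]);
    size_t pos = 12, n = 0;
    for (;;) {
        if (pos >= len) return -1;
        unsigned char l = buf[pos++];
        if (l == 0) break;
        if (l >= 64) return -1;                 /* pointer or illegal length */
        if (pos + l > len) return -1;           /* label runs past buffer */
        if (n + l + 1 >= sizeof out->qname) return -1;
        if (n) out->qname[n++] = '.';
        memcpy(out->qname + n, buf + pos, l);
        n += l;
        pos += l;
    }
    out->qname[n] = '\0';
    if (pos + 4 > len) return -1;
    out->qtype  = (uint16_t)(buf[pos] << 8 | buf[pos + 1]);
    out->qclass = (uint16_t)(buf[pos + 2] << 8 | buf[pos + 3]);
    return 0;
}

/* Try to open an AF_INET socket; return 0 on success or the errno value.
 * SOCK_RAW needs CAP_NET_RAW (hence set-uid root ping); SOCK_DGRAM, which
 * a stub resolver uses for its queries, is open to any user. */
int probe_socket(int type, int proto)
{
    int fd = socket(AF_INET, type, proto);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main(void)
{
    int raw = probe_socket(SOCK_RAW, IPPROTO_ICMP);
    int udp = probe_socket(SOCK_DGRAM, 0);
    printf("raw ICMP socket: %s\n", raw ? strerror(raw) : "ok");
    printf("UDP socket:      %s\n", udp ? strerror(udp) : "ok");

    struct dns_question q;
    if (parse_dns_query(kQuery, sizeof kQuery, &q) != 0) {
        fprintf(stderr, "malformed query\n");
        return 1;
    }
    printf("query id=0x%04x flags=0x%04x %s type=%u class=%u\n",
           q.id, q.flags, q.qname, q.qtype, q.qclass);
    return 0;
}
```

Run as an ordinary user the raw probe reports "Operation not permitted" while the UDP probe succeeds, which is the split Kevin describes; run as root both succeed. The decoded query (id 0x3504, flags 0x0100, rsync.gentoo.org type A class IN) confirms the resolver was sending a plain UDP datagram on fd 3. One caveat worth knowing when reading the second EPERM: on Linux, send() and sendto() also return EPERM when a netfilter (iptables) OUTPUT rule drops the packet, so `iptables -L OUTPUT -n` on the affected box is a useful check alongside the permissions of the ping binary.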
More information about the bind-users mailing list