problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface

Gordon Lang glang at goalex.com
Sat Sep 26 00:26:31 UTC 2015


Problem: named launches and functions perfectly fine if launched without
the "-u" option, but it won't listen on any ip addresses if any of them are
bound to TAP interfaces when the "-u" is used.  This problem surfaced when
upgrading to BIND version 9.10.2-P3, but the problem does not occur with
BIND version 9.9.3-P2.

Background: We place service addresses on their own RedHat tun/tap
interfaces as opposed to placing all of the service addresses on the Eth
interface as secondary addresses.  We do this for a number of reasons.
Many years ago, I used multiple loopback interfaces for this purpose, but a
while ago when loopbacks would no longer work on RedHat, we discovered
that RedHat tun/tap interfaces (in the TAP mode) served the same purpose,
and we found a similar construct on Solaris.  But now there seems to be a
problem.

Platform: RedHat Enterprise Linux release 6.6, kernel version
2.6.32-504.16.2.el6.x86_64

Config: I have the config file set to listen on two ip addresses, one of
which is bound to eth0, and the other bound to a TAP interface.
Here is an excerpt of the debug output when launching "named -u incadmin -g
-d99" which fails to listen on any ip addresses:

25-Sep-2015 19:58:49.963 socket 0x7f5921547010: created
25-Sep-2015 19:58:49.963 sockmgr 0x7f592152e010: watcher got message -3 for socket 20
25-Sep-2015 19:58:49.963 sockmgr 0x7f592152e010: watcher got message -2 for socket -1
25-Sep-2015 19:58:49.963 socket 0x7f5921547010: socket_recv: event 0x7f5921548010 -> task 0x7f5921540010
25-Sep-2015 19:58:49.964 loading configuration from '/export/local/ISC/bind-9.10.2-P3/etc/named.conf'
25-Sep-2015 19:58:49.969 reading built-in trusted keys from file '/export/local/ISC/bind-9.10.2-P3/etc/bind.keys'
25-Sep-2015 19:58:49.969 set maximum stack size to 18446744073709551615: success
25-Sep-2015 19:58:49.969 set maximum data size to 18446744073709551615: success
25-Sep-2015 19:58:49.969 set maximum core size to 0: success
25-Sep-2015 19:58:49.969 set maximum open files to 18446744073709551615: success
25-Sep-2015 19:58:49.970 using default UDP/IPv4 port range: [1024, 65535]
25-Sep-2015 19:58:49.970 using default UDP/IPv6 port range: [1024, 65535]
25-Sep-2015 19:58:49.971 listening on IPv4 interface eth0, 10.130.33.71#53
25-Sep-2015 19:58:49.971 clientmgr @0x7f5921447010: create
25-Sep-2015 19:58:49.972 sendmsg: Invalid argument
25-Sep-2015 19:58:49.972 socket 0x7f5921547268: created
25-Sep-2015 19:58:49.973 socket 0x7f5921547268: destroying
25-Sep-2015 19:58:49.973 sockmgr 0x7f592152e010: watcher got message -5 for socket 512
25-Sep-2015 19:58:49.973 sockmgr 0x7f592152e010: watcher got message -2 for socket -1
25-Sep-2015 19:58:49.973 could not listen on UDP socket: permission denied
25-Sep-2015 19:58:49.973 clientmgr @0x7f5921447010: destroy
25-Sep-2015 19:58:49.973 clientmgr @0x7f5921447010: clientmgr_destroy
25-Sep-2015 19:58:49.973 creating IPv4 interface eth0 failed; interface ignored
25-Sep-2015 19:58:49.973 listening on IPv4 interface nstest2, 192.168.53.223#53
25-Sep-2015 19:58:49.973 clientmgr @0x7f5921447010: create
25-Sep-2015 19:58:49.973 socket 0x7f5921547268: created
25-Sep-2015 19:58:49.973 socket 0x7f5921547268: destroying
25-Sep-2015 19:58:49.973 sockmgr 0x7f592152e010: watcher got message -5 for socket 512
25-Sep-2015 19:58:49.973 sockmgr 0x7f592152e010: watcher got message -2 for socket -1
25-Sep-2015 19:58:49.973 could not listen on UDP socket: permission denied
25-Sep-2015 19:58:49.973 clientmgr @0x7f5921447010: destroy
25-Sep-2015 19:58:49.973 clientmgr @0x7f5921447010: clientmgr_destroy
25-Sep-2015 19:58:49.973 creating IPv4 interface nstest2 failed; interface ignored
25-Sep-2015 19:58:49.973 not listening on any interfaces


And here is an excerpt of the debug output when launching "named -g
-d99" which listens on both configured ip addresses:

25-Sep-2015 19:59:22.568 socket 0x7fdb2efb3010: created
25-Sep-2015 19:59:22.568 sockmgr 0x7fdb2ef9a010: watcher got message -3 for socket 20
25-Sep-2015 19:59:22.568 sockmgr 0x7fdb2ef9a010: watcher got message -2 for socket -1
25-Sep-2015 19:59:22.568 socket 0x7fdb2efb3010: socket_recv: event 0x7fdb2efb4010 -> task 0x7fdb2efac010
25-Sep-2015 19:59:22.569 loading configuration from '/export/local/ISC/bind-9.10.2-P3/etc/named.conf'
25-Sep-2015 19:59:22.573 reading built-in trusted keys from file '/export/local/ISC/bind-9.10.2-P3/etc/bind.keys'
25-Sep-2015 19:59:22.573 set maximum stack size to 18446744073709551615: success
25-Sep-2015 19:59:22.573 set maximum data size to 18446744073709551615: success
25-Sep-2015 19:59:22.573 set maximum core size to 0: success
25-Sep-2015 19:59:22.573 set maximum open files to 18446744073709551615: success
25-Sep-2015 19:59:22.573 using default UDP/IPv4 port range: [1024, 65535]
25-Sep-2015 19:59:22.573 using default UDP/IPv6 port range: [1024, 65535]
25-Sep-2015 19:59:22.574 listening on IPv4 interface eth0, 10.130.33.71#53
25-Sep-2015 19:59:22.574 clientmgr @0x7fdb2eeb3010: create
25-Sep-2015 19:59:22.582 sendmsg: Invalid argument
25-Sep-2015 19:59:22.582 socket 0x7fdb2efb3268: created
25-Sep-2015 19:59:22.582 socket 0x7fdb2efb3268 10.130.33.71#53: bound
25-Sep-2015 19:59:22.582 dispatchmgr 0x7fdb2ef9b310: dns_dispatch_createudp: Created UDP dispatch for 10.130.33.71#53 with socket fd 512

25-Sep-2015 19:59:22.582 dispatchmgr 0x7fdb2ef9b310: created UDP dispatcher 0x7fdb24092720
25-Sep-2015 19:59:22.582 dispatch 0x7fdb24092720: created task 0x7fdb2eeb1790
25-Sep-2015 19:59:22.582 dispatch 0x7fdb24092720: created socket 0x7fdb2efb3268
25-Sep-2015 19:59:22.582 clientmgr @0x7fdb2eeb3010: createclients
25-Sep-2015 19:59:22.582 clientmgr @0x7fdb2eeb3010: get client
25-Sep-2015 19:59:22.582 clientmgr @0x7fdb2eeb3010: create new
25-Sep-2015 19:59:22.582 clientmgr @0x7fdb2eeb3010: clientmctx
25-Sep-2015 19:59:22.582 client @0x7fdb2409d960: create
25-Sep-2015 19:59:22.582 socket 0x7fdb2efb34c0: created
25-Sep-2015 19:59:22.583 socket 0x7fdb2efb34c0 10.130.33.71#53: bound
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3010: createclients
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3010: get client
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3010: create new
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3010: clientmctx
25-Sep-2015 19:59:22.583 client @0x7fdb240abbc0: create
25-Sep-2015 19:59:22.583 listening on IPv4 interface nstest2, 192.168.53.223#53
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3458: create
25-Sep-2015 19:59:22.583 socket 0x7fdb2efb3718: created
25-Sep-2015 19:59:22.583 socket 0x7fdb2efb3718 192.168.53.223#53: bound
25-Sep-2015 19:59:22.583 dispatchmgr 0x7fdb2ef9b310: dns_dispatch_createudp: Created UDP dispatch for 192.168.53.223#53 with socket fd 513

25-Sep-2015 19:59:22.583 dispatchmgr 0x7fdb2ef9b310: created UDP dispatcher 0x7fdb24092100
25-Sep-2015 19:59:22.583 dispatch 0x7fdb24092100: created task 0x7fdb2eeb19d0
25-Sep-2015 19:59:22.583 dispatch 0x7fdb24092100: created socket 0x7fdb2efb3718
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3458: createclients
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3458: get client
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3458: create new
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3458: clientmctx
25-Sep-2015 19:59:22.583 client @0x7fdb240ba4d0: create
25-Sep-2015 19:59:22.583 socket 0x7fdb2efb3970: created
25-Sep-2015 19:59:22.583 socket 0x7fdb2efb3970 192.168.53.223#53: bound
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3458: createclients
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3458: get client
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3458: create new
25-Sep-2015 19:59:22.583 clientmgr @0x7fdb2eeb3458: clientmctx
25-Sep-2015 19:59:22.584 client @0x7fdb240c88a0: create


I am wondering if anyone else has any insight into this.  Thanks.

--
Gordon A. Lang
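The two -d99 excerpts above differ in only a handful of lines per listener: the run with "-u" ends each "listening on IPv4 interface ..." block with "could not listen on UDP socket: permission denied" and "creating IPv4 interface ... failed; interface ignored", while the run without "-u" reaches "socket ... <addr>#53: bound". The "sendmsg: Invalid argument" line appears in both runs, so it is not what separates them. The following script is an added example, not code from the post or from ISC; it parses named's debug output into a per-listener verdict so the failing bind attempts stand out without reading the whole trace. The regular expressions match the message formats visible in the excerpts above; the embedded sample logs are trimmed copies of those excerpts with the mail-client line wraps rejoined.

```python
"""Per-listener summary of `named -g -d99` output (added example, not ISC code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: trimmed lines copied from the two excerpts in the post.
FAILING_RUN = """\
25-Sep-2015 19:58:49.971 listening on IPv4 interface eth0, 10.130.33.71#53
25-Sep-2015 19:58:49.972 sendmsg: Invalid argument
25-Sep-2015 19:58:49.972 socket 0x7f5921547268: created
25-Sep-2015 19:58:49.973 socket 0x7f5921547268: destroying
25-Sep-2015 19:58:49.973 could not listen on UDP socket: permission denied
25-Sep-2015 19:58:49.973 creating IPv4 interface eth0 failed; interface ignored
25-Sep-2015 19:58:49.973 listening on IPv4 interface nstest2, 192.168.53.223#53
25-Sep-2015 19:58:49.973 could not listen on UDP socket: permission denied
25-Sep-2015 19:58:49.973 creating IPv4 interface nstest2 failed; interface ignored
25-Sep-2015 19:58:49.973 not listening on any interfaces
"""
WORKING_RUN = """\
25-Sep-2015 19:59:22.574 listening on IPv4 interface eth0, 10.130.33.71#53
25-Sep-2015 19:59:22.582 sendmsg: Invalid argument
25-Sep-2015 19:59:22.582 socket 0x7fdb2efb3268: created
25-Sep-2015 19:59:22.582 socket 0x7fdb2efb3268 10.130.33.71#53: bound
25-Sep-2015 19:59:22.583 listening on IPv4 interface nstest2, 192.168.53.223#53
25-Sep-2015 19:59:22.583 socket 0x7fdb2efb3718 192.168.53.223#53: bound
"""

# Message shapes taken from the excerpts; the timestamp prefix is stripped first.
TS = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
LISTEN = re.compile(r"^listening on (IPv[46]) interface (\S+), (\S+#\d+)$")
BOUND = re.compile(r"^socket 0x[0-9a-f]+ (\S+#\d+): bound$")
NOLISTEN = re.compile(r"^could not listen on (UDP|TCP) socket: (.+)$")
IGNORED = re.compile(r"^creating (IPv[46]) interface (\S+) failed; interface ignored$")
NONE_AT_ALL = "not listening on any interfaces"


@dataclass
class Listener:
    family: str
    iface: str
    addr: str
    bound: bool = False
    ignored: bool = False
    errors: List[str] = field(default_factory=list)


@dataclass
class Summary:
    listeners: List[Listener]
    no_listeners: bool

    def failed(self) -> List[Listener]:
        return [l for l in self.listeners if l.ignored or not l.bound]

    def report(self) -> str:
        lines = []
        for l in self.listeners:
            if l.ignored or not l.bound:
                why = "; ".join(l.errors + (["interface ignored"] if l.ignored else []))
                lines.append(f"{l.iface} {l.addr}: FAILED ({why or 'no bind seen'})")
            else:
                lines.append(f"{l.iface} {l.addr}: bound")
        if self.no_listeners:
            lines.append("named reported: not listening on any interfaces")
        return "\n".join(lines)


def summarize(log: str) -> Summary:
    """Walk the log once; attach bind errors to the listener announced last."""
    listeners: List[Listener] = []
    by_addr: Dict[str, Listener] = {}
    current: Optional[Listener] = None
    no_listeners = False
    for raw in log.splitlines():
        line = TS.sub("", raw.strip(), count=1)
        if not line:
            continue
        if m := LISTEN.match(line):
            current = Listener(family=m.group(1), iface=m.group(2), addr=m.group(3))
            listeners.append(current)
            by_addr[current.addr] = current
        elif m := BOUND.match(line):
            target = by_addr.get(m.group(1))  # "bound" names the address, not the interface
            if target is not None:
                target.bound = True
        elif m := NOLISTEN.match(line):
            if current is not None:
                current.errors.append(f"{m.group(1)}: {m.group(2)}")
        elif m := IGNORED.match(line):
            if current is not None and current.iface == m.group(2):
                current.ignored = True
        elif line == NONE_AT_ALL:
            no_listeners = True
    return Summary(listeners=listeners, no_listeners=no_listeners)


if __name__ == "__main__":
    print("with -u:\n" + summarize(FAILING_RUN).report())
    print("without -u:\n" + summarize(WORKING_RUN).report())
```

Run it against a full -d99 capture piped in via a small wrapper around `summarize(sys.stdin.read())` to get the same two-line verdict for every configured listener; it reports the failure reason named itself logged ("permission denied" here) rather than guessing at a cause.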