problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface
Gordon Lang
glang at goalex.com
Sun Sep 27 15:59:14 UTC 2015
Here is the file info:
glang at nstv1:/export/local/ISC> ls -ld bind-9.10.3/sbin bind-9.10.3/sbin/named
drwxrwsr-x. 2 incadmin network 4096 Sep 26 10:39 bind-9.10.3/sbin
-rwsr-xr-x. 2 root network 10095219 Sep 26 09:16 bind-9.10.3/sbin/named
glang at nstv1:/export/local/ISC>
If I run "named" as user 'glang' without the "-u" option, it works fine --
"named" runs as root (due to the suid file bit) and it listens on port 53
of the configured ip addresses.
If I run "named" as user 'glang' with the "-u incadmin" option, it does not
work fine -- it runs with the change of process owner to 'incadmin', but it
does not listen on any ip addresses.
If I run "named" as user 'root' with the "-u incadmin" option, it works
fine -- it listens on the configured ip's and it changes the owner of the
process to 'incadmin'.
--
Gordon A. Lang
On Sun, Sep 27, 2015 at 9:09 AM, Niall O'Reilly <niall.oreilly at ucd.ie>
wrote:
> On Sat, 26 Sep 2015 17:27:56 +0100,
> Gordon Lang wrote:
> >
> > CHANGE: I did not properly characterize the problem in my original
> > post, so here is the real situation.
> >
> > If the bash shell from which I launch "named" is owned by root, then
> > "named" runs perfectly using the "-u" option, even listening on the
> > tun/tap interfaces.
> > But if I run "named" as a regular user, relying on the SUID file
> > setting to elevate privileges, then named fails to listen on any
> > addresses.
> > I believe the differences I saw before related to tun/tap interfaces
> > were due to testing on different RedHat platforms, but this revised
> > problem statement describes what is happening on both platforms.
> >
> > So the real problem is this: It seems I can use the SUID file bit to
> > allow a regular user to launch named, OR I can use the "-u" option of
> > "named" to lower the privileges after launch (requiring native root
> > privileges to launch), but I can't use both at the same time.
> >
> > Can anyone shed any light on this scenario?
>
> I'm missing some information which might help me understand the
> problem: the user and group to which your named belong.
>
> Best regards,
> Niall O'Reilly
>
>
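The thread turns on what the file bits in Gordon's listing mean for the identity named starts with: a setuid-root binary runs with root as its effective user no matter who launches it, which is why the "-u" option is then asked to drop privileges from a process whose real and effective uids differ. The following script is an added example, not code from the thread or from ISC: it parses the two `ls -l` lines quoted above (embedded here as constructed input, copied from the post), extracts the setuid/setgid/sticky and writability bits, and reports the effective user and group a given invoking user would get on exec. The exec-identity model is a simplification: it ignores nosuid mounts, Linux capabilities and SELinux, none of which the thread discusses.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two entries from the post, including the
# trailing "." that ls prints when an SELinux context is present.
SAMPLE_LISTING = """\
drwxrwsr-x. 2 incadmin network 4096 Sep 26 10:39 bind-9.10.3/sbin
-rwsr-xr-x. 2 root network 10095219 Sep 26 09:16 bind-9.10.3/sbin/named
"""

# mode, link count, owner, group, size, month, day, time-or-year, path
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})[.+@]?\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>.+)$"
)


def parse_ls_line(line: str) -> Dict[str, object]:
    """Turn one `ls -l` line into a dict of the bits that matter for privilege."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    mode = m.group("mode")
    perm = mode[1:]  # nine permission characters: rwx rwx rwx
    # An 's' (or 'S' without exec) in the owner-exec slot is setuid, in the
    # group-exec slot setgid; 't'/'T' in the other-exec slot is the sticky bit.
    return {
        "path": m.group("path"),
        "type": {"d": "dir", "-": "file"}.get(mode[0], mode[0]),
        "owner": m.group("owner"),
        "group": m.group("group"),
        "setuid": perm[2] in "sS",
        "setgid": perm[5] in "sS",
        "sticky": perm[8] in "tT",
        "owner_exec": perm[2] in "xs",
        "group_writable": perm[4] == "w",
        "world_writable": perm[7] == "w",
    }


def exec_identity(entry: Dict[str, object], invoking_user: str,
                  invoking_group: str) -> Tuple[str, str]:
    """Effective (user, group) a process gets when invoking_user execs this file.

    Simplified model (assumption): setuid/setgid bits are honoured, so the
    effective id becomes the file owner/group; otherwise the invoker's ids stay.
    """
    euid = str(entry["owner"]) if entry["setuid"] else invoking_user
    egid = str(entry["group"]) if entry["setgid"] else invoking_group
    return euid, egid


def audit(listing: str) -> List[str]:
    """Report the privilege-relevant facts for every entry in an ls -l listing."""
    findings: List[str] = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        e = parse_ls_line(line)
        if e["type"] == "file" and e["setuid"]:
            findings.append(f"{e['path']}: setuid binary, executes as {e['owner']}")
        if e["type"] == "dir" and e["setgid"]:
            findings.append(f"{e['path']}: setgid directory, new files inherit group {e['group']}")
        if e["group_writable"]:
            findings.append(f"{e['path']}: writable by group {e['group']}")
        if e["world_writable"]:
            findings.append(f"{e['path']}: world-writable")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LISTING):
        print(f)
    named = parse_ls_line(SAMPLE_LISTING.splitlines()[1])
    print("glang exec'ing named gets:", exec_identity(named, "glang", "glang"))
```

Run stand-alone it prints the findings for both entries and shows that user glang exec'ing `named` gets an effective user of root while the group stays the invoker's, which matches the "runs as root (due to the suid file bit)" observation in the post.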