problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface

Gordon Lang glang at goalex.com
Sun Sep 27 19:31:06 UTC 2015 

It works fine with BIND 9.9.3 but not 9.10.3 on the same server.
On Sep 27, 2015 3:25 PM, "Niall O'Reilly" <niall.oreilly at ucd.ie> wrote:

> On Sun, 27 Sep 2015 16:59:14 +0100,
> Gordon Lang wrote:
> >
> > Here is the file info:
> >
> > glang at nstv1:/export/local/ISC> ls -ld bind-9.10.3/sbin
> > bind-9.10.3/sbin/named
> > drwxrwsr-x. 2 incadmin network 4096 Sep 26 10:39 bind-9.10.3/sbin
> > -rwsr-xr-x. 2 root network 10095219 Sep 26 09:16
> > bind-9.10.3/sbin/named
> > glang at nstv1:/export/local/ISC>
> >
> > If I run "named" as user 'glang' without the "-u" option, it works
> > fine -- "named" runs as root (due to the suid file bit) and it listens
> > on port 53 of the configured ip addresses.
>
>   Real user is unprivileged, but effective user is, so it all works.
>
> > If I run "named" as user 'glang' with the "-u incadmin" option, it
> > does not work fine -- it runs with the change of process owner to
> > 'incadmin', but it does not listen on any ip addresses.
>
>   Real user is unprivileged. Effective user is briefly privileged,
>   and later unprivileged.  In the section of the ARM which contains
>   copies of the man pages, I see the following description of the
>   -u option.
>
>     -u user
>
>       Setuid to user after completing privileged operations, such as
>       creating sockets that listen on privileged ports.
>
>       NOTE
>       On Linux, named uses the kernel’s capability mechanism to drop
>       all root privileges except the ability to bind(2) to a
>       privileged port and set process resource limits. Unfortunately,
>       this means that the -u option only works when named is run on
>       kernel 2.2.18 or later, or kernel 2.3.99-pre3 or later, since
>       previous kernels did not allow privileges to be retained after
>       setuid(2).  
>
>   I don't doubt that you're running a new enough kernel.  However, I
>   guess that, since the real user didn't have the privileges in
>   question, the final effective user can't retain them.  Without
>   checking kernel and/or named code, I'm afraid I can't do better then
>   guess.
>
> > If I run "named" as user 'root' with the "-u incadmin" option, it
> > works fine -- it listens on the configured ip's and it changes the
> > owner of the process to 'incadmin'.
>
>   This is the "traditional" way to run a reduced-privilege instance of
>   named.  I've used it, and I believe it's widely used.  Are you sure
>   it's not adequately secure for your needs?
>
>   Best regards,
>   Niall O'Reilly
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150927/1a523df8/attachment-0001.html>

More information about the bind-users mailing list