Fwd: problem using setuid ("-u" option) with BIND 9.10.3 on RedHat when listening on tun/tap interface

Mark Andrews marka at isc.org
Wed Sep 30 02:27:52 UTC 2015


If you really have to insist on running suid, which is NEVER
a good idea unless the program has been designed to run suid,
then try the following.  This is untested beyond compiling.

Mark

diff --git a/bin/named/main.c b/bin/named/main.c
index bdbbf92..8f946f3 100644
--- a/bin/named/main.c
+++ b/bin/named/main.c
@@ -22,6 +22,7 @@
 #include <ctype.h>
 #include <stdlib.h>
 #include <string.h>
+#include <unistd.h>
 
 #include <isc/app.h>
 #include <isc/backtrace.h>
@@ -1263,6 +1264,15 @@ main(int argc, char *argv[]) {
 #endif
 
 	/*
+	 * If we are running sgid/suid complete process.
+	 */
+	if (getegid() != getgid())
+		setgid(getegid());
+
+	if (geteuid() != getuid())
+		setuid(geteuid());
+
+	/*
 	 * Record version in core image.
 	 * strings named.core | grep "named version:"
 	 */
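Review bot: the return values of setgid() and setuid() are discarded, so if either call fails the process continues with mismatched real and effective ids and everything after this point in main() (including the later `-u` handling) runs under credentials nobody verified; test each call and bail out, e.g. `if (setgid(getegid()) != 0) { perror("setgid"); exit(1); }`. Two related points: when the binary is set-id to a non-root user, setuid() called without privilege changes only the effective id, so getuid() and geteuid() still differ after this block; setresgid()/setresuid() make real, effective and saved ids agree in both the root and the non-root case. And the comment "complete process" should state the intent, e.g. that the real ids are made to match the effective ones before any thread exists, since on Linux the credential change is applied per thread and the rest of the thread is about exactly that problem.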
In message <CAC4BHT4rddf3jAH+a3dHYZrosXEB3W9CD1F9j59ru+u_ULAJOA at mail.gmail.com>, Gordon Lang writes:
> After reading Mark's post (found in my spam folder), I gather suid cannot
> be used with threads on Linux.  So I have to choose between setting up a
> suid root wrapper, or simply not using threads.  So my final question is
> whether or not using threads on Linux is sufficiently beneficial in spite
> of it being "a total mess."
> 
> --
> Gordon A. Lang
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
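A defensive version of the same set-id completion, as an added example (not BIND code and not the patch above): it sets real, effective and saved ids together with the glibc/Linux setresgid() and setresuid() calls (assumed available), checks every return value, and then verifies the kernel's view with getresuid()/getresgid() instead of trusting the calls.

```c
#define _GNU_SOURCE          /* setresuid/getresuid on glibc; Linux assumed */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Make a set-id start-up unambiguous: real, effective and saved ids are set
 * together, group first, and every return value is checked. Must run before
 * any thread is created: on Linux credentials are per-thread in the kernel
 * and libc has to propagate the change to every thread that already exists.
 * Returns 0 on success, -1 on failure (the caller should refuse to start). */
int complete_setid(void)
{
	gid_t egid = getegid();
	uid_t euid = geteuid();

	/* Group first: changing the uid first may drop the privilege needed
	 * to change the gid afterwards. */
	if (getegid() != getgid() && setresgid(egid, egid, egid) != 0) {
		perror("setresgid");
		return -1;
	}
	if (geteuid() != getuid() && setresuid(euid, euid, euid) != 0) {
		perror("setresuid");
		return -1;
	}
	return 0;
}

/* Verify the result: real, effective and saved ids must all agree,
 * otherwise a later seteuid() could swing privileges back to the
 * invoker's id. Returns 1 when consistent, 0 otherwise. */
int ids_consistent(void)
{
	uid_t ru, eu, su;
	gid_t rg, eg, sg;

	if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
		return 0;
	return ru == eu && eu == su && rg == eg && eg == sg;
}

int main(void)
{
	if (complete_setid() != 0 || !ids_consistent()) {
		fprintf(stderr, "set-id completion failed; refusing to start\n");
		return 1;
	}
	printf("running as uid %u gid %u\n", (unsigned)getuid(), (unsigned)getgid());
	return 0;
}
```

Run as an ordinary user the calls are no-ops and the check passes; installed set-id, a failed transition stops the program instead of leaving it half-privileged.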
