BIND 9.14.0: unable to set effective uid to 0: Operation not permitted

Anand Buddhdev anandb at ripe.net
Tue Apr 2 09:03:02 UTC 2019


On 28/03/2019 14:40, Gasoo wrote:

Hi Stephan,

> Mar 25 16:41:56 dnsserver named[1348]: unable to set effective uid to 0:
> Operation not permitted

[snip]

> Why does named want to set the uid of itself back to 0?
> Has anyone seen this as well?

I'm not sure why it's doing that, but I think I know the reason for this
error message. The release notes of 9.14.0 say that on Linux, BIND uses
libcap to set certain privileges. However, if the /usr/sbin/named binary
is not marked as being able to use privileges, then it won't be able to
set certain privileges.

There are 2 possible options:

1. The simple one is to configure BIND with the "--disable-linux-caps"
option. The notes say that this comes at the cost of some security, but
it's not clear what the risks are.

2. In your SPEC file, you could mark the /usr/sbin/named binary
specially, so that it can use linux capabilities. For example, in the
%files section, you'd do something like:

%caps(cap_net_raw=ep) /path/to/named

But I still don't actually know what capabilities need to be set. The
above is just an example. Perhaps one of the BIND developers can shed
some light here.

Later when I have some time, I'm going to try and do some process
tracing to figure it out as well.

Regards,
Anand Buddhdev
RIPE NCC
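The discussion above hinges on which Linux capabilities the named process actually holds after it drops root, which is what a bit of process tracing would reveal. The following is an added example, not code from the thread or from the BIND project: a small bash helper that decodes the hex `CapEff`/`CapPrm` masks found in `/proc/<pid>/status` into capability names (using the kernel's capability numbering) and reports which of a required set are missing. The sample status text and the capability set it carries are constructed for illustration; they are not a claim about what named really keeps.

```bash
#!/usr/bin/env bash
# Decode Linux capability bitmasks as shown in /proc/<pid>/status and
# check a process's effective set against the capabilities it needs.
# Added example for illustration; the sample status text below is constructed.

# Capability names indexed by their kernel bit number (linux/capability.h).
CAP_NAMES=(cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid
  cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable
  cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock
  cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot cap_sys_ptrace
  cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice cap_sys_resource
  cap_sys_time cap_sys_tty_config cap_mknod cap_lease cap_audit_write
  cap_audit_control cap_setfcap cap_mac_override cap_mac_admin cap_syslog
  cap_wake_alarm cap_block_suspend cap_audit_read cap_perfmon cap_bpf
  cap_checkpoint_restore)

# decode_caps HEXMASK -> space-separated capability names, lowest bit first.
decode_caps() {
  local mask=$((16#$1)) i names=""
  for ((i = 0; i < ${#CAP_NAMES[@]}; i++)); do
    if (( (mask >> i) & 1 )); then
      names="$names ${CAP_NAMES[i]}"
    fi
  done
  printf '%s\n' "${names# }"
}

# cap_field STATUS_TEXT FIELD -> the hex mask on the "FIELD:" line (e.g. CapEff).
cap_field() {
  printf '%s\n' "$1" | awk -v f="$2" '$1 == f ":" { print $2 }'
}

# has_cap HEXMASK NAME -> exit 0 if NAME is set in the mask, 1 otherwise.
has_cap() {
  local n
  for n in $(decode_caps "$1"); do
    [ "$n" = "$2" ] && return 0
  done
  return 1
}

# check_required HEXMASK NAME... -> prints each missing capability,
# exit 0 if all are present, 1 if any is missing.
check_required() {
  local mask="$1" n rc=0
  shift
  for n in "$@"; do
    if ! has_cap "$mask" "$n"; then
      printf 'missing: %s\n' "$n"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample of /proc/<pid>/status for a de-privileged daemon that
# kept only cap_setgid, cap_setuid and cap_net_bind_service (mask 0x4c0).
SAMPLE_STATUS='Name:	named
Uid:	25	25	25	25
CapInh:	0000000000000000
CapPrm:	00000000000004c0
CapEff:	00000000000004c0
CapBnd:	000001ffffffffff'

demo() {
  local eff
  eff=$(cap_field "$SAMPLE_STATUS" CapEff)
  printf 'effective: %s\n' "$(decode_caps "$eff")"
  # A capability the sample process never kept shows up as missing.
  check_required "$eff" cap_setuid cap_sys_chroot \
    || printf 'sample process lacks something it would need for chroot\n'
}

demo
```

On a live system the same decoding applies to `grep ^Cap /proc/$(pidof named)/status`; libcap's `capsh --decode=<hexmask>` gives the same names. Comparing `CapEff` of the running daemon with the file capabilities reported by `getcap /usr/sbin/named` is the quickest way to see whether the `%caps(...)` marking in the SPEC file actually took effect.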
