BIND 9.14.0: unable to set effective uid to 0: Operation not permitted
Anand Buddhdev
anandb at ripe.net
Tue Apr 2 09:03:02 UTC 2019
On 28/03/2019 14:40, Gasoo wrote:
Hi Stephan,
> Mar 25 16:41:56 dnsserver named[1348]: unable to set effective uid to 0: Operation not permitted
[snip]
> Why does named want to set the uid of itself back to 0?
> Has anyone seen this as well?
I'm not sure why it's doing that, but I think I know the reason for this
error message. The release notes of 9.14.0 say that on Linux, BIND uses
libcap to set certain privileges. However, if the /usr/sbin/named binary
is not marked as being able to use privileges, then it won't be able to
set certain privileges.
There are 2 possible options:
1. The simple one is to configure BIND with the "--disable-linux-caps"
option. The notes say that this comes at the cost of some security, but
it's not clear what the risks are.
2. In your SPEC file, you could mark the /usr/sbin/named binary
specially, so that it can use linux capabilities. For example, in the
%files section, you'd do something like:
%caps(cap_net_raw=ep) /path/to/named
But I still don't actually know what capabilities need to be set. The
above is just an example. Perhaps one of the BIND developers can shed
some light here.
Later when I have some time, I'm going to try and do some process
tracing to figure it out as well.
Regards,
Anand Buddhdev
RIPE NCC
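The %caps rule above writes a `security.capability` extended attribute onto the installed binary, and that attribute is what the kernel consults at exec time. As an added example (not code from the post or from BIND), here is a small C decoder that reads that attribute the way getcap(8) does, so a packager can verify what an installed binary actually carries, including whether the "e" (effective) flag was set. The `SAMPLE_CAP_NET_RAW_EP` bytes are constructed to match the `cap_net_raw=ep` value from the post; the `cap_name` table and the struct layout follow the kernel's revision 2 and 3 `vfs_cap_data` format.

```c
/* Decode a Linux "security.capability" xattr (what getcap(8) prints).
 * Added example: not from the bind-users post or from BIND itself. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/xattr.h>   /* getxattr(2) */
#endif

#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u   /* rev 2 plus a rootid field */
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u   /* the "e" in "=ep" */

struct file_caps {
    int      valid;        /* 1 if the blob decoded cleanly */
    unsigned revision;     /* 2 or 3 */
    int      effective;    /* permitted set is raised into effective on exec */
    uint64_t permitted;    /* bit n == capability number n */
    uint64_t inheritable;
    uint32_t rootid;       /* revision 3 only: owning user namespace root uid */
};

static const char *const CAP_NAMES[] = {
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read",
};

const char *cap_name(unsigned n) {
    return n < sizeof CAP_NAMES / sizeof CAP_NAMES[0] ? CAP_NAMES[n] : "unknown";
}

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Layout: magic_etc, data[0].permitted, data[0].inheritable,
 * data[1].permitted, data[1].inheritable, [rootid]. All little-endian. */
struct file_caps decode_file_caps(const unsigned char *buf, size_t len) {
    struct file_caps fc;
    memset(&fc, 0, sizeof fc);
    if (len < 20) return fc;                        /* too short for any revision */
    uint32_t magic = le32(buf);
    uint32_t rev = magic & VFS_CAP_REVISION_MASK;
    if (rev == VFS_CAP_REVISION_2) {
        if (len != 20) return fc;
    } else if (rev == VFS_CAP_REVISION_3) {
        if (len != 24) return fc;
        fc.rootid = le32(buf + 20);
    } else {
        return fc;                                  /* unknown revision: reject */
    }
    fc.revision    = rev >> 24;
    fc.effective   = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    fc.permitted   = le32(buf + 4) | ((uint64_t)le32(buf + 12) << 32);
    fc.inheritable = le32(buf + 8) | ((uint64_t)le32(buf + 16) << 32);
    fc.valid = 1;
    return fc;
}

/* Convenience checks: is capability `capnum` in the permitted set, and is "e" on? */
int caps_allow(const unsigned char *buf, size_t len, unsigned capnum) {
    struct file_caps fc = decode_file_caps(buf, len);
    return fc.valid && capnum < 64 && ((fc.permitted >> capnum) & 1u) ? 1 : 0;
}
int caps_effective(const unsigned char *buf, size_t len) {
    struct file_caps fc = decode_file_caps(buf, len);
    return fc.valid && fc.effective ? 1 : 0;
}

/* Constructed sample: revision 2, effective flag set, permitted = cap_net_raw (13). */
const unsigned char SAMPLE_CAP_NET_RAW_EP[20] = {
    0x01, 0x00, 0x00, 0x02,   /* magic_etc = VFS_CAP_REVISION_2 | EFFECTIVE */
    0x00, 0x20, 0x00, 0x00,   /* data[0].permitted   = 1 << 13 */
    0x00, 0x00, 0x00, 0x00,   /* data[0].inheritable = 0 */
    0x00, 0x00, 0x00, 0x00,   /* data[1].permitted   = 0 */
    0x00, 0x00, 0x00, 0x00,   /* data[1].inheritable = 0 */
};

/* Read and decode the xattr from a real file (Linux only). Returns 0 on success. */
int read_file_caps(const char *path, struct file_caps *out) {
#ifdef __linux__
    unsigned char buf[64];
    ssize_t n = getxattr(path, "security.capability", buf, sizeof buf);
    if (n < 0) return -1;                           /* ENODATA: no file caps at all */
    *out = decode_file_caps(buf, (size_t)n);
    return out->valid ? 0 : -1;
#else
    (void)path; (void)out;
    return -1;
#endif
}

int main(int argc, char **argv) {
    struct file_caps fc;
    if (argc > 1) {
        if (read_file_caps(argv[1], &fc) != 0) { printf("%s: no file capabilities\n", argv[1]); return 1; }
    } else {
        fc = decode_file_caps(SAMPLE_CAP_NET_RAW_EP, sizeof SAMPLE_CAP_NET_RAW_EP);
    }
    printf("rev %u, effective=%d:", fc.revision, fc.effective);
    for (unsigned i = 0; i < 64; i++)
        if ((fc.permitted >> i) & 1u) printf(" %s", cap_name(i));
    printf("\n");
    return 0;
}
```

Run it with no arguments to decode the constructed sample, or pass a path such as the installed named binary to see what the %caps rule really produced; a missing attribute, or one without the effective flag, is the first thing to rule out when the process logs that it cannot change privileges.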