Unless something has changed, root is required to bind to ports below 1024 before privilege separation can begin.
On Sun, Sep 27, 2015 at 11:59 AM, Gordon Lang <gl...@goalex.com> wrote:
> Here is the file info:
>
> glang@nstv1:/export/local/ISC> ls -ld bind-9.10.3/sbin bind-9.10.3/sbin/named
> drwxrwsr-x. 2 incadmin network 4096 Sep 26 10:39 bind-9.10.3/sbin
> -rwsr-xr-x. 2 root network 10095219 Sep 26 09:16 bind-9.10.3/sbin/named
> glang@nstv1:/export/local/ISC>
>
> If I run "named" as user 'glang' without the "-u" option, it works fine --
> "named" runs as root (due to the suid file bit) and it listens on port 53
> of the configured ip addresses.
>
> If I run "named" as user 'glang' with the "-u incadmin" option, it does
> not work fine -- it runs with the change of process owner to 'incadmin',
> but it does not listen on any ip addresses.
>
> If I run "named" as user 'root' with the "-u incadmin" option, it works
> fine -- it listens on the configured ip's and it changes the owner of the
> process to 'incadmin'.
>
> --
> Gordon A. Lang
>
> On Sun, Sep 27, 2015 at 9:09 AM, Niall O'Reilly <niall.orei...@ucd.ie> wrote:
>
>> On Sat, 26 Sep 2015 17:27:56 +0100,
>> Gordon Lang wrote:
>> >
>> > CHANGE: I did not properly characterize the problem in my original
>> > post, so here is the real situation.
>> >
>> > If the bash shell from which I launch "named" is owned by root, then
>> > "named" runs perfectly using the "-u" option, even listening on the
>> > tun/tap interfaces.
>> > But if I run "named" as a regular user, relying on the SUID file
>> > setting to elevate privileges, then named fails to listen on any
>> > addresses.
>> > I believe the differences I saw before related to tun/tap interfaces
>> > were due to testing on different RedHat platforms, but this revised
>> > problem statement describes what is happening on both platforms.
>> >
>> > So the real problem is this: It seems I can use the SUID file bit to
>> > allow a regular user to launch named, OR I can use the "-u" option of
>> > "named" to lower the privileges after launch (requiring native root
>> > privileges to launch), but I can't use both at the same time.
>> >
>> > Can anyone shed any light on this scenario?
>>
>> I'm missing some information which might help me understand the
>> problem: the user and group to which your named belong.
>>
>> Best regards,
>> Niall O'Reilly
>>
>
> --
> Gordon A. Lang
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
aRDy Music and Rick Dicaire present:
http://www.ardynet.com
http://www.ardynet.com:9000/ardymusic.ogg.m3u
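The ordering Rick's reply refers to (bind the privileged port while still root, only then drop to the unprivileged user) is the standard privilege-separation pattern on Linux. The following C program is an added illustration written for this thread, not code from BIND or from anyone on the list. Function names (`bind_udp_port`, `drop_privileges`, `run_privsep`, `report_ids`) and the use of loopback/UDP are this example's own choices; it does not reproduce what `named -u` does internally, only the order of operations that the reply describes.

```c
/* Added example: bind a port below 1024 first, drop privileges second,
 * then verify the drop is permanent. Not BIND's code. */
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* On Linux, ports 1..1023 need euid 0 (or CAP_NET_BIND_SERVICE) to bind. */
int is_privileged_port(int port) { return port > 0 && port < 1024; }

/* Print real/effective uid so a SUID launch (ruid != 0, euid == 0) is
 * visible; returns 1 if the process can currently bind low ports. */
int report_ids(void) {
    fprintf(stderr, "ruid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    return geteuid() == 0;
}

/* Bind a UDP socket on 0.0.0.0:port (port 0 = kernel-chosen ephemeral port).
 * Returns the fd, or -1 with errno set (EACCES when not privileged). */
int bind_udp_port(int port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Permanently drop to uid/gid: supplementary groups, then gid, then uid.
 * With euid 0 (native root or SUID), setuid() sets real, effective and
 * saved uid together, so the drop cannot be reversed; we check that. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) < 0) return -1;   /* must happen while euid == 0 */
    if (setgid(gid) < 0) return -1;          /* gid before uid, or it fails */
    if (setuid(uid) < 0) return -1;
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; } /* regained root: bug */
    if (getuid() != uid || geteuid() != uid) { errno = EPERM; return -1; }
    return 0;
}

/* The "named -u" style sequence: listen first, lower privileges second.
 * Returns 0 on success, non-zero on failure. */
int run_privsep(const char *user, int port) {
    struct passwd *pw = getpwnam(user);
    if (!pw) { fprintf(stderr, "unknown user: %s\n", user); return 1; }
    report_ids();
    int fd = bind_udp_port(port);               /* step 1: while still root */
    if (fd < 0) { perror("bind (needs euid 0 for port < 1024)"); return 1; }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) < 0) { /* step 2: drop */
        perror("drop_privileges"); close(fd); return 1;
    }
    report_ids();
    /* The socket bound in step 1 stays usable; a *new* low-port bind now
     * fails with EACCES, which is exactly why the order matters. */
    int probe = bind_udp_port(port == 1023 ? 1022 : 1023);
    if (probe >= 0) { fprintf(stderr, "still privileged after drop?\n"); close(probe); }
    else fprintf(stderr, "post-drop low-port bind refused: %s (expected)\n", strerror(errno));
    close(fd);
    return 0;
}

int main(int argc, char **argv) {
    /* usage: ./privsep <unprivileged-user> [port]; run as root or SUID root */
    const char *user = argc > 1 ? argv[1] : "nobody";
    int port = argc > 2 ? atoi(argv[2]) : 53;
    if (!is_privileged_port(port)) fprintf(stderr, "note: %d is not a privileged port\n", port);
    return run_privsep(user, port);
}
```

Run it as root (or via a root-owned SUID copy) with the target user as the first argument; the two `report_ids` lines show the uid transition and the final line shows that a fresh low-port bind is refused once privileges are gone, while the socket bound beforehand remains open.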