CHANGE: I did not properly characterize the problem in my original post,
so here is the real situation.
If the bash shell from which I launch "named" is owned by root, then
"named" runs perfectly using the "-u" option, even listening on the tun/tap
interfaces.
But if I run "named" as a regular user, relying on the SUID file setting to
elevate privileges, then named fails to listen on any addresses.
I believe the differences I saw before related to tun/tap interfaces were
due to testing on different RedHat platforms, but this revised problem
statement describes what is happening on both platforms.
So the real problem is this: It seems I can use the SUID file bit to allow
a regular user to launch named, OR I can use the "-u" option of "named" to
lower the privileges after launch (requiring native root privileges to
launch), but I can't use both at the same time.
Can anyone shed any light on this scenario?
Thanks.
--
Gordon A. Lang
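Added example (not part of the message above or of BIND itself): a bash helper for comparing the two launch modes side by side. On Linux, named -u relies on the kernel capability mechanism to keep only the ability to bind privileged ports (cap_net_bind_service) and to set resource limits (cap_sys_resource) after switching to the unprivileged uid, so the Uid and CapEff lines of /proc/PID/status are the first thing to compare between a named started from a root shell with -u and the setuid copy started from a user shell. The capability bit numbers are Linux's (capability.h); the PID-argument usage and the function names are this example's own assumptions.

```bash
#!/bin/bash
# Added example: decode the credentials and capability sets of a running
# named so a root-launched "named -u" and a setuid-launched copy can be
# compared.  Not BIND code and not from the original post.

# Capability names indexed by bit number, as in Linux's capability.h
# (bits above 37, added by newer kernels, are left undecoded here).
CAP_NAMES=(chown dac_override dac_read_search fowner fsetid kill setgid setuid
  setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
  ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
  sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
  audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
  block_suspend audit_read)

# decode_caps HEXMASK: print the cap_* names for every bit set in the mask,
# which is the format of the Cap* lines in /proc/PID/status.
decode_caps() {
  local mask=$((16#$1)) i names=""
  for ((i = 0; i < ${#CAP_NAMES[@]}; i++)); do
    if (( (mask >> i) & 1 )); then
      names="${names:+$names }cap_${CAP_NAMES[i]}"
    fi
  done
  printf '%s\n' "$names"
}

# summarize_status: read a /proc/PID/status document on stdin and print the
# Uid/Gid lines plus the permitted, effective and bounding sets, decoded.
summarize_status() {
  local line key
  while IFS= read -r line; do
    key=${line%%:*}
    case $key in
      Uid|Gid) printf '%s\n' "$line" ;;
      CapPrm|CapEff|CapBnd)
        printf '%s: %s\n' "$key" "$(decode_caps "${line##*[[:space:]]}")" ;;
    esac
  done
}

# caps_of PID: summarize a live process (assumes a Linux /proc).
caps_of() {
  summarize_status < "/proc/$1/status"
}

# Usage: run once against the named started from a root shell with -u and
# once against the setuid copy started from a user shell, then diff the two.
# A -u named that dropped root as intended shows the unprivileged uid on the
# Uid line and still lists cap_net_bind_service in CapEff.
if [ -n "${1-}" ]; then
  caps_of "$1"
fi
```

If the setuid-launched instance shows an unprivileged uid but an empty CapEff, the privileged bind (and hence the "permission denied" on the UDP socket) fails for the same reason a plain user process cannot bind port 53; comparing the two outputs pins that down without guessing.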
On Fri, Sep 25, 2015 at 8:26 PM, Gordon Lang wrote:
> Problem: named launches and functions perfectly fine if launched without
> the "-u" option, but it won't listen on any ip addresses if any of them are
> bound to TAP interfaces when the "-u" is used. This problem surfaced when
> upgrading to BIND version 9.10.2-P3, but the problem does not occur with
> BIND version 9.9.3-P2.
>
> Background: We place service addresses on their own RedHat tun/tap
> interfaces as opposed to placing all of the service addresses on the Eth
> interface as secondary addresses. We do this for a number of reasons.
> Many years ago, I used multiple loopback interfaces for this purpose, but
> a while ago when loopbacks would no longer work on RedHat, we discovered
> that RedHat tun/tap interfaces (in the TAP mode) served the same purpose,
> and we found a similar construct on Solaris. But now there seems to be a
> problem.
>
> Platform: RedHat Enterprise Linux release 6.6, kernel version
> 2.6.32-504.16.2.el6.x86_64
>
> Config: I have the config file set to listen on two ip addresses, one of
> which is bound to eth0, and the other bound to a TAP interface.
> Here is an excerpt of the debug output when launching "named -u incadmin
> -g -d99" which fails to listen on any ip addresses:
>
> 25-Sep-2015 19:58:49.963 socket 0x7f5921547010: created
> 25-Sep-2015 19:58:49.963 sockmgr 0x7f592152e010: watcher got message -3
> for socket 20
> 25-Sep-2015 19:58:49.963 sockmgr 0x7f592152e010: watcher got message -2
> for socket -1
> 25-Sep-2015 19:58:49.963 socket 0x7f5921547010: socket_recv: event
> 0x7f5921548010 -> task 0x7f5921540010
> 25-Sep-2015 19:58:49.964 loading configuration from
> '/export/local/ISC/bind-9.10.2-P3/etc/named.conf'
> 25-Sep-2015 19:58:49.969 reading built-in trusted keys from file
> '/export/local/ISC/bind-9.10.2-P3/etc/bind.keys'
> 25-Sep-2015 19:58:49.969 set maximum stack size to 18446744073709551615:
> success
> 25-Sep-2015 19:58:49.969 set maximum data size to 18446744073709551615:
> success
> 25-Sep-2015 19:58:49.969 set maximum core size to 0: success
> 25-Sep-2015 19:58:49.969 set maximum open files to 18446744073709551615:
> success
> 25-Sep-2015 19:58:49.970 using default UDP/IPv4 port range: [1024, 65535]
> 25-Sep-2015 19:58:49.970 using default UDP/IPv6 port range: [1024, 65535]
> 25-Sep-2015 19:58:49.971 listening on IPv4 interface eth0, 10.130.33.71#53
> 25-Sep-2015 19:58:49.971 clientmgr @0x7f5921447010: create
> 25-Sep-2015 19:58:49.972 sendmsg: Invalid argument
> 25-Sep-2015 19:58:49.972 socket 0x7f5921547268: created
> 25-Sep-2015 19:58:49.973 socket 0x7f5921547268: destroying
> 25-Sep-2015 19:58:49.973 sockmgr 0x7f592152e010: watcher got message -5
> for socket 512
> 25-Sep-2015 19:58:49.973 sockmgr 0x7f592152e010: watcher got message -2
> for socket -1
> 25-Sep-2015 19:58:49.973 could not listen on UDP socket: permission denied
> 25-Sep-2015 19:58:49.973 clientmgr @0x7f5921447010: destroy
> 25-Sep-2015 19:58:49.973 clientmgr @0x7f5921447010: clientmgr_destroy
> 25-Sep-2015 19:58:49.973 creating IPv4 interface eth0 failed; interface
> ignored
> 25-Sep-2015 19:58:49.973 listening on IPv4 interface nstest2,
> 192.168.53.223#53
> 25-Sep-2015 19:58:49.973 clientmgr @0x7f5921447010: create
> 25-Sep-2015 19:58:49.973 socket 0x7f5921547268: created
> 25-Sep-2015 19:58:49.973 socket 0x7f5921547268: destroying
> 25-Sep-2015 19:58:49.973 sockmgr 0x7f592152e010: watcher got message -5
> for socket 512
> 25-Sep-2015 19:58:49.973 sockmgr 0x7f592152e010: watcher got message -2
> for socket -1
> 25-Sep-2015 19:58:49.973 could not listen on UDP socket: permission denied
> 25-Sep-2015 19:58:49.973 clientmgr @0x7f5921447010: destroy
> 25-Sep-2015 19:58:49.973 clientmgr @0x7f5921447010: clientmgr_destroy
> 25-Sep-2015 19:58:49.973 creating IPv4 interface nstest2 failed; interface
> ignored
> 25-Sep-2015 19:58:49.973 not listening on any interfaces
>
>
> And here is an excerpt of the debug output when launching "named -g
> -d99" which listens on both configured ip addr