BIND 9.14: unable to set effective uid to 0
Hi folks,
I brought this issue up on the bind-users mailing list, but none of the developers said anything there, so I'm opening it as an issue.
I've compiled BIND on CentOS 7. I start it from systemd with the following command line:
/usr/sbin/named -f -u named
In the syslog, I see this error/warning emitted twice, "unable to set effective uid to 0":
Jun 14 10:06:21 ns1 named[11687]: starting BIND 9.14.3 (Stable Release) <id:896acdc>
Jun 14 10:06:21 ns1 named[11687]: running on Linux x86_64 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018
Jun 14 10:06:21 ns1 named[11687]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/named' '--disable-static' '--with-pic' '--without-python' '--with-libtool' '--without-lmdb' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic' 'LDFLAGS=-Wl,-z,relro ' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
Jun 14 10:06:21 ns1 named[11687]: running as: named -f -u named
Jun 14 10:06:22 ns1 named[11687]: compiled by GCC 4.8.5 20150623 (Red Hat 4.8.5-36)
Jun 14 10:06:22 ns1 named[11687]: compiled with OpenSSL version: OpenSSL 1.0.2k 26 Jan 2017
Jun 14 10:06:22 ns1 named[11687]: linked to OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017
Jun 14 10:06:22 ns1 named[11687]: compiled with libxml2 version: 2.9.1
Jun 14 10:06:22 ns1 named[11687]: linked to libxml2 version: 20901
Jun 14 10:06:22 ns1 named[11687]: compiled with libjson-c version: 0.11
Jun 14 10:06:22 ns1 named[11687]: linked to libjson-c version: 0.11
Jun 14 10:06:22 ns1 named[11687]: compiled with zlib version: 1.2.7
Jun 14 10:06:22 ns1 named[11687]: linked to zlib version: 1.2.7
Jun 14 10:06:22 ns1 named[11687]: ----------------------------------------------------
Jun 14 10:06:22 ns1 named[11687]: BIND 9 is maintained by Internet Systems Consortium,
Jun 14 10:06:22 ns1 named[11687]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jun 14 10:06:22 ns1 named[11687]: corporation. Support and training for BIND 9 are
Jun 14 10:06:22 ns1 named[11687]: available at https://www.isc.org/support
Jun 14 10:06:22 ns1 named[11687]: ----------------------------------------------------
Jun 14 10:06:22 ns1 named[11687]: adjusted limit on open files from 4096 to 1048576
Jun 14 10:06:22 ns1 named[11687]: found 32 CPUs, using 32 worker threads
Jun 14 10:06:22 ns1 named[11687]: using 32 UDP listeners per interface
Jun 14 10:06:22 ns1 named[11687]: using up to 4096 sockets
Jun 14 10:06:22 ns1 named[11687]: loading configuration from '/etc/named/named.conf'
Jun 14 10:06:22 ns1 named[11687]: unable to open '/etc/named/bind.keys'; using built-in keys instead
Jun 14 10:06:22 ns1 named[11687]: using default UDP/IPv4 port range: [32768, 60999]
Jun 14 10:06:22 ns1 named[11687]: using default UDP/IPv6 port range: [32768, 60999]
Jun 14 10:06:22 ns1 named[11687]: listening on IPv6 interfaces, port 53
Jun 14 10:06:22 ns1 named[11687]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 14 10:06:22 ns1 named[11687]: listening on IPv4 interface em1, 193.0.19.191#53
Jun 14 10:06:22 ns1 named[11687]: unable to set effective uid to 0: Operation not permitted
Jun 14 10:06:22 ns1 named[11687]: generating session key for dynamic DNS
Jun 14 10:06:22 ns1 named[11687]: unable to set effective uid to 0: Operation not permitted
Jun 14 10:06:22 ns1 named[11687]: sizing zone task pool based on 1 zones
Jun 14 10:06:22 ns1 named[11687]: none:99: 'max-cache-size 90%' - setting to 57795MB (out of 64217MB)
Jun 14 10:06:22 ns1 named[11687]: using built-in root key for view _default
Jun 14 10:06:22 ns1 named[11687]: set up managed keys zone for view _default, file 'managed-keys.bind'
...
It seems named is attempting to regain root privileges, but failing. Is this intentional? And if so, what am I missing to make this work correctly?
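The same "Operation not permitted" result can be reproduced outside of BIND. The C program below is an added example, not part of the original report and not BIND's code: it assumes a plain setgroups()/setgid()/setuid() drop from root and makes no claim about how named itself drops privileges. The uid/gid 65534 and all function names are constructed for the illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { REGAIN_DENIED = 0, REGAIN_ALLOWED = 1, DROP_FAILED = 2, OTHER_ERROR = 3 };

/* Child body: drop root permanently (if we have it), then try to get it back. */
static int drop_then_regain(uid_t uid, gid_t gid)
{
    if (geteuid() == 0) {
        /* Groups and gid first, uid last. When called by root, setuid() sets
         * the real, effective and saved uid, so no root identity is left. */
        if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
            return DROP_FAILED;
    }
    if (seteuid(0) == 0)
        return REGAIN_ALLOWED;            /* the drop was not permanent */
    int err = errno;                      /* save before stdio can change it */
    fprintf(stderr, "unable to set effective uid to 0: %s\n", strerror(err));
    return err == EPERM ? REGAIN_DENIED : OTHER_ERROR;
}

/* Run the experiment in a forked child so the caller keeps its own ids. */
int regain_root_after_drop(uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return OTHER_ERROR;
    if (pid == 0)
        _exit(drop_then_regain(uid, gid));
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return OTHER_ERROR;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* 65534 is a constructed stand-in for the unprivileged service account. */
    int r = regain_root_after_drop(65534, 65534);
    printf("regain root after drop: %s\n",
           r == REGAIN_DENIED ? "denied (EPERM)" : "not denied");
    return r == REGAIN_DENIED ? 0 : 1;
}
```

Run as root, the child drops to the unprivileged account first; run as an ordinary user, it skips the drop. In both cases seteuid(0) fails with EPERM.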