Privilege dropping regression in BIND 9.19.5 with --disable-linux-caps
### Summary
Permissions problem running named as a non-root user
### BIND version used
BIND 9.19.5 (Development Release) <id:5b2fed2>
running on Linux x86_64 6.0.0 #1 SMP PREEMPT_DYNAMIC Mon Oct 3 08:32:01 EEST 2022
built by make with '--sysconfdir=/etc' '--with-openssl' '--with-libxml2' '--disable-linux-caps' '--localstatedir=/var' 'PKG_CONFIG_PATH=/usr/local/lib64/pkgconfig:/usr/local/share/pkgconfig:/usr/lib64/pkgconfig:/usr/share/pkgconfig'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 1.1.1q 5 Jul 2022
linked to OpenSSL version: OpenSSL 1.1.1q 5 Jul 2022
compiled with libuv version: 1.44.2
linked to libuv version: 1.44.2
compiled with libnghttp2 version: 1.50.0
linked to libnghttp2 version: 1.50.0
compiled with libxml2 version: 2.9.14
linked to libxml2 version: 20914
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.12
linked to zlib version: 1.2.12
threads support is enabled
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
### Steps to reproduce
Run: named -u nobody
### What is the current *bug* behavior?
05-Oct-2022 16:01:19.254 /etc/named.conf:99: couldn't add command channel 127.0.0.1#953: permission denied
05-Oct-2022 16:01:19.254 listening on IPv4 interface lo, 127.0.0.1#53
05-Oct-2022 16:01:19.255 creating IPv4 interface lo failed; interface ignored
05-Oct-2022 16:01:19.255 listening on IPv4 interface eth0, 192.168.0.2#53
05-Oct-2022 16:01:19.255 creating IPv4 interface eth0 failed; interface ignored
### What is the expected *correct* behavior?
05-Oct-2022 16:02:18.323 command channel listening on 127.0.0.1#953
05-Oct-2022 16:02:18.323 listening on IPv4 interface lo, 127.0.0.1#53
05-Oct-2022 16:02:18.324 listening on IPv4 interface eth0, 192.168.0.2#53
### Relevant configuration files
Configuration files are the same in both cases
### Relevant logs and/or screenshots
See log snippets above
### Possible fixes
Edited by Michał Kępień