bind 9.18 running named does not try an alternative port when bind fails with EACCES / ISC_R_NOPERM
Summary
Running named as a non-root user, when it attempts to use a port that is already in use (for example by the NFS daemons), the errno EACCES returned by bind(3c) is not handled in BIND 9.18.
BIND version used
named -V
BIND 9.18.11 (Stable Release) <id:1f554ac>
running on SunOS i86pc 5.11 11.4.57.142.0
built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--libdir=/usr/lib/dns/amd64' '--disable-static' '--enable-devpoll' '--enable-pthread-rwlock' '--enable-fixed-rrset' '--enable-full-report' '--with-gssapi=krb5-config' '--sysconfdir=/etc' '--localstatedir=/var' 'CC=/usr/gcc/12/bin/gcc' 'CFLAGS=-m64 -fPIC -DPIC -O3 -ffile-prefix-map=/builds/smarshal/35228627-BIND-9.18/components/bind=.' 'LDFLAGS=' 'CPPFLAGS=-m64' 'PKG_CONFIG_PATH=/usr/openssl/3/lib/64/pkgconfig:/usr/lib/amd64/pkgconfig'
compiled by GCC 12.2.0
compiled with OpenSSL version: OpenSSL 3.0.8 7 Feb 2023
linked to OpenSSL version: OpenSSL 3.0.8 7 Feb 2023
compiled with libuv version: 1.44.1
linked to libuv version: 1.44.1
compiled with libnghttp2 version: 1.47.0
linked to libnghttp2 version: 1.47.0
compiled with libxml2 version: 2.10.3
linked to libxml2 version: 21003
compiled with json-c version: 0.16
linked to json-c version: 0.16
compiled with zlib version: 1.2.13
linked to zlib version: 1.2.13
threads support is enabled
DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448
DS algorithms: SHA-1 SHA-256 SHA-384
HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512
TKEY mode 2 support (Diffie-Hellman): yes
TKEY mode 3 support (GSS-API): yes
default paths:
named configuration: /etc/named.conf
rndc configuration: /etc/rndc.conf
DNSSEC root key: /etc/bind.keys
nsupdate session key: /var/run/named/session.key
named PID file: /var/run/named/named.pid
named lock file: /var/run/named/named.lock
Note: BIND 9.16 does not exhibit this issue.
Steps to reproduce
Configure an alternative user for running bind. https://docs.oracle.com/cd/E37838_01/html/E61011/dnsref-38.html#scrolltoc
Run named:
named -g -c ./named.conf -4 -u dns -d90
What is the current bug behavior?
ISC_R_NOPERM is not handled; the query is cancelled:
31-Mar-2023 14:16:04.638 dispatch f1dbcb370: UDP response f1de088a0: connected: permission denied
31-Mar-2023 14:16:05.135 dispatch f1dbcb370: UDP response f1de088a0: connect callback: permission denied
31-Mar-2023 14:16:05.135 permission denied resolving 'localhost/A/IN': 192.33.4.12#53
31-Mar-2023 14:16:05.135 dispatch f1dbcb370: UDP response f1de088a0: canceling response: operation canceled, none/not reading (none/not reading), requests 1
What is the expected correct behavior?
Treat it the same as ISC_R_ADDRINUSE (errno EADDRINUSE 125 /Address already in use/), i.e. retry on another local port:
31-Mar-2023 14:21:46.138 dispatch a6a9a6140: UDP response a6abd48a0: connected: permission denied
31-Mar-2023 14:21:46.138 dispatch a6a9a6140: UDP response a6abd48a0: connected: success
31-Mar-2023 14:21:46.138 dispatch a6a9a6140: UDP response a6abd48a0: attaching handle a6aa1c610 to a6abd48b0
31-Mar-2023 14:21:46.138 dispatch a6a9a6140: UDP response a6abd48a0: reading
31-Mar-2023 14:21:46.187 dispatch a6a9a6140: UDP response a6abd48a0: connect callback: success
Relevant configuration files
BIND was configured to use a limited UDP port range so that it clashes with another system process, simply to speed up the port collision:
use-v4-udp-ports {range 4043 4048;};
Relevant logs and/or screenshots
As above.
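As an added illustration, not BIND's own code and not part of this report, the retry policy the report asks for written as a stand-alone C routine: walk the configured range once, treating EACCES exactly like EADDRINUSE, and stop once the range is exhausted. The `bind_attempt_fn` callback, the `udp_bind_attempt` helper and the constructed `fake_attempt` that mimics the Solaris responses (4043 busy, 4045 reserved) are assumptions made for this example.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* One bind attempt on a given local port: returns 0 on success, else the errno. */
typedef int (*bind_attempt_fn)(in_port_t port, void *ctx);

/* Real attempt (assumed helper): bind a fresh IPv4 UDP socket to 127.0.0.1:port. */
int udp_bind_attempt(in_port_t port, void *ctx) {
    int *fdout = ctx;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return errno;
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
        int err = errno;
        close(fd);
        return err;
    }
    *fdout = fd;
    return 0;
}

/* Walk the configured range once.  EADDRINUSE (port busy) and EACCES (port
 * reserved for a privileged service, as the report sees on Solaris) both mean
 * "try the next port"; any other error aborts.  Returns the bound port, or 0
 * once the range is exhausted, so the retry is always bounded. */
in_port_t bind_in_range(in_port_t lo, in_port_t hi, bind_attempt_fn attempt, void *ctx) {
    for (unsigned p = lo; p <= hi; p++) {
        int err = attempt((in_port_t)p, ctx);
        if (err == 0) return (in_port_t)p;
        if (err != EADDRINUSE && err != EACCES) {
            fprintf(stderr, "port %u: fatal bind error: %s\n", p, strerror(err));
            return 0;
        }
        fprintf(stderr, "port %u: %s, trying next\n", p, strerror(err));
    }
    return 0;
}

/* Constructed stand-in for the report's environment: 4043 is busy, 4045 is a
 * reserved port that answers EACCES to an unprivileged user, the rest are free. */
int fake_attempt(in_port_t port, void *ctx) {
    if (port == 4045) return EACCES;
    if (port == 4043) return EADDRINUSE;
    return 0;
}
```

Pass `udp_bind_attempt` with an `int` descriptor slot as `ctx` to exercise the same walk against real loopback sockets.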
Possible fixes
Treat NOPERM the same as ADDRINUSE
diff -r bf093fc731c6 lib/dns/dispatch.c
--- a/lib/dns/dispatch.c Wed Mar 29 10:08:27 2023 -0700
+++ b/lib/dns/dispatch.c Wed Mar 29 10:26:05 2023 -0700
@@ -1916,6 +1916,7 @@
resp->state = DNS_DISPATCHSTATE_CONNECTED;
udp_startrecv(handle, resp);
break;
+ case ISC_R_NOPERM: /* fall-through */
case ISC_R_ADDRINUSE: {
in_port_t localport = 0;
isc_result_t result;
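Review bot: Falling ISC_R_NOPERM into the ISC_R_ADDRINUSE branch makes that branch's port re-selection (the `in_port_t localport = 0;` setup visible here) the only place EACCES is absorbed, so confirm the retry is bounded: a port that answers EACCES to an unprivileged user stays reserved on every attempt, unlike a transiently busy EADDRINUSE port, and with a narrow `use-v4-udp-ports { range 4043 4048; }` the whole range can be reserved, which would otherwise retry without end or exhaust the range with only a "permission denied" in the log. Consider a distinct log line for the NOPERM case so the retry is recognisable as such. The `/* fall-through */` comment on an empty case label is harmless but unnecessary; adjacent case labels with no statements between them do not trigger implicit-fallthrough warnings.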