Here is the file info:

glang@nstv1:/export/local/ISC> ls -ld bind-9.10.3/sbin bind-9.10.3/sbin/named
drwxrwsr-x. 2 incadmin network 4096 Sep 26 10:39 bind-9.10.3/sbin
-rwsr-xr-x. 2 root network 10095219 Sep 26 09:16 bind-9.10.3/sbin/named
glang@nstv1:/export/local/ISC>

If I run "named" as user 'glang' without the "-u" option, it works fine -- "named" runs as root (due to the suid file bit) and it listens on port 53 of the configured ip addresses.

If I run "named" as user 'glang' with the "-u incadmin" option, it does not work fine -- it runs with the change of process owner to 'incadmin', but it does not listen on any ip addresses.

If I run "named" as user 'root' with the "-u incadmin" option, it works fine -- it listens on the configured ip's and it changes the owner of the process to 'incadmin'.

-- Gordon A. Lang

On Sun, Sep 27, 2015 at 9:09 AM, Niall O'Reilly <niall.orei...@ucd.ie> wrote:

> On Sat, 26 Sep 2015 17:27:56 +0100,
> Gordon Lang wrote:
> >
> > CHANGE: I did not properly characterize the problem in my original
> > post, so here is the real situation.
> >
> > If the bash shell from which I launch "named" is owned by root, then
> > "named" runs perfectly using the "-u" option, even listening on the
> > tun/tap interfaces.
> > But if I run "named" as a regular user, relying on the SUID file
> > setting to elevate privileges, then named fails to listen on any
> > addresses.
> > I believe the differences I saw before related to tun/tap interfaces
> > were due to testing on different RedHat platforms, but this revised
> > problem statement describes what is happening on both platforms.
> >
> > So the real problem is this: It seems I can use the SUID file bit to
> > allow a regular user to launch named, OR I can use the "-u" option of
> > "named" to lower the privileges after launch (requiring native root
> > privileges to launch), but I can't use both at the same time.
> >
> > Can anyone shed any light on this scenario?
>
> I'm missing some information which might help me understand the
> problem: the user and group to which your named belong.
>
> Best regards,
> Niall O'Reilly
>
>

--
-- Gordon A. Lang