[Bug 1886528] Re: BIND9: unable to set effective uid to 0: Operation not permitted
[Expired for bind9 (Ubuntu) because there has been no activity for 60 days.]

** Changed in: bind9 (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1886528

Title:
  BIND9: unable to set effective uid to 0: Operation not permitted

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1886528/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1886528] Re: BIND9: unable to set effective uid to 0: Operation not permitted
I just installed bind9 on a fresh ubuntu 20.04 system, and it started up just fine, even with apparmor enabled out of the box:

ps:
  /usr/sbin/named (enforce)
  2696 ?        Ssl    0:00 /usr/sbin/named -f -u bind

ports:
  # ss -lnp|grep -E "^tcp.*:53"
  tcp  LISTEN  0  10    10.0.100.87:53                      0.0.0.0:*  users:(("named",pid=2696,fd=55),("named",pid=2696,fd=54),("named",pid=2696,fd=53),("named",pid=2696,fd=52),("named",pid=2696,fd=51))
  tcp  LISTEN  0  10    127.0.0.1:53                        0.0.0.0:*  users:(("named",pid=2696,fd=46),("named",pid=2696,fd=45),("named",pid=2696,fd=44),("named",pid=2696,fd=43),("named",pid=2696,fd=42))
  tcp  LISTEN  0  4096  127.0.0.53%lo:53                    0.0.0.0:*  users:(("systemd-resolve",pid=150,fd=13))
  tcp  LISTEN  0  10    [fe80::216:3eff:fed6:7653]%eth0:53  [::]:*     users:(("named",pid=2696,fd=75),("named",pid=2696,fd=74),("named",pid=2696,fd=73),("named",pid=2696,fd=72),("named",pid=2696,fd=71))
  tcp  LISTEN  0  10    [::1]:53                            [::]:*     users:(("named",pid=2696,fd=65),("named",pid=2696,fd=64),("named",pid=2696,fd=63),("named",pid=2696,fd=62),("named",pid=2696,fd=61))

You will have to share more information about what is going on in your environment. The usual culprits of bind not starting up are:
- invalid config
- something else listening on :53 already. Note in the ss output above I have systemd-resolve listening on 127.0.0.53:53, but that doesn't conflict with bind because it's a different ip address.

In particular, also check for "listen" options in /etc/bind:

  grep listen -r /etc/bind
[Bug 1886528] Re: BIND9: unable to set effective uid to 0: Operation not permitted
Unfortunately, those are all the logs I have. I can spin up another fresh VM and run again, however.

The interesting thing is that bind9 is still started, it's just not listening on TCP port 53 on any address/interface.

I thought of capabilities because A: it binds correctly without them enabled, and B: that "operation not permitted" error seemed that it couldn't "sudo" to root in order to bind to that privileged port before switching over to the "bind" user for the rest of the process. (Apologies in advance for incorrect terminology; I'm not that knowledgeable on the bind9 startup process)
[Bug 1886528] Re: BIND9: unable to set effective uid to 0: Operation not permitted
Hi,

I'm not sure the capabilities error is the cause of bind9 failing to start up. In 9.16.3 upstream says this is just a spurious log message that was silenced in that release:
https://downloads.isc.org/isc/bind9/9.16.3/RELEASE-NOTES-bind-9.16.3.html

"""
When running on a system with support for Linux capabilities, named drops root privileges very soon after system startup. This was causing a spurious log message, "unable to set effective uid to 0: Operation not permitted", which has now been silenced. [GL #1042] [GL #1090]
"""

Do you have more log entries? Maybe the real failure is listed further down.

** Changed in: bind9 (Ubuntu)
       Status: New => Incomplete
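An added example (not from the bug thread, and not BIND's own code) that turns the two checks discussed in the replies above into a script: decode named's CapEff mask from /proc/PID/status to see whether CAP_NET_BIND_SERVICE survived the privilege drop (without CAP_SETUID in that mask a seteuid(0) returns EPERM, which is the errno behind "Operation not permitted"), and list what holds TCP :53 from ss output, so a conflicting listener or a missing named listener stands out. Capability bit numbers and names are those of linux/capability.h; the /proc status text and the ss output below are constructed samples, and the script makes no claim about which capabilities a particular named build actually keeps.

```sh
#!/bin/sh
# Added example, not from the bug thread or from BIND. Offline checks for:
#  1. which capabilities a named process still holds after dropping root
#  2. what is already listening on TCP port 53
# Sample inputs are constructed. On a live host, feed real data:
#   cap_names "$(cap_eff_from_status "$(cat /proc/$(pidof named)/status)")"
#   port53_holders "$(ss -lntp)"

# Capability bit number -> name, as defined in linux/capability.h (bits 0-40).
cap_name() {
    case "$1" in
        0) echo CAP_CHOWN ;;             1) echo CAP_DAC_OVERRIDE ;;     2) echo CAP_DAC_READ_SEARCH ;;
        3) echo CAP_FOWNER ;;            4) echo CAP_FSETID ;;           5) echo CAP_KILL ;;
        6) echo CAP_SETGID ;;            7) echo CAP_SETUID ;;           8) echo CAP_SETPCAP ;;
        9) echo CAP_LINUX_IMMUTABLE ;;  10) echo CAP_NET_BIND_SERVICE ;; 11) echo CAP_NET_BROADCAST ;;
        12) echo CAP_NET_ADMIN ;;       13) echo CAP_NET_RAW ;;         14) echo CAP_IPC_LOCK ;;
        15) echo CAP_IPC_OWNER ;;       16) echo CAP_SYS_MODULE ;;      17) echo CAP_SYS_RAWIO ;;
        18) echo CAP_SYS_CHROOT ;;      19) echo CAP_SYS_PTRACE ;;      20) echo CAP_SYS_PACCT ;;
        21) echo CAP_SYS_ADMIN ;;       22) echo CAP_SYS_BOOT ;;        23) echo CAP_SYS_NICE ;;
        24) echo CAP_SYS_RESOURCE ;;    25) echo CAP_SYS_TIME ;;        26) echo CAP_SYS_TTY_CONFIG ;;
        27) echo CAP_MKNOD ;;           28) echo CAP_LEASE ;;           29) echo CAP_AUDIT_WRITE ;;
        30) echo CAP_AUDIT_CONTROL ;;   31) echo CAP_SETFCAP ;;         32) echo CAP_MAC_OVERRIDE ;;
        33) echo CAP_MAC_ADMIN ;;       34) echo CAP_SYSLOG ;;          35) echo CAP_WAKE_ALARM ;;
        36) echo CAP_BLOCK_SUSPEND ;;   37) echo CAP_AUDIT_READ ;;      38) echo CAP_PERFMON ;;
        39) echo CAP_BPF ;;             40) echo CAP_CHECKPOINT_RESTORE ;;
        *) echo "CAP_$1" ;;
    esac
}

# Extract the CapEff hex mask from the text of /proc/PID/status.
cap_eff_from_status() {
    printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }'
}

# Decode a CapEff/CapPrm/CapBnd hex mask into capability names, one per line,
# lowest bit first. Empty output means the process holds no capabilities.
cap_names() {
    [ -n "$1" ] || return 1
    bit=0
    while [ "$bit" -le 40 ]; do
        [ $(( (0x$1 >> bit) & 1 )) -eq 1 ] && cap_name "$bit"
        bit=$((bit + 1))
    done
}

# Succeed when bit 10 (CAP_NET_BIND_SERVICE) is set: the one capability a
# non-root process needs to bind() a port below 1024 such as 53.
has_net_bind_service() {
    [ -n "$1" ] && [ $(( (0x$1 >> 10) & 1 )) -eq 1 ]
}

# From ss listing output (with or without the Netid column), print
# "local-address process" for every TCP socket in LISTEN state on port 53.
port53_holders() {
    printf '%s\n' "$1" | awk '
        /LISTEN/ {
            addr = ""; proc = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /:53$/ && addr == "") addr = $i
                if ($i ~ /^users:/ && match($i, /\("[^"]+"/))
                    proc = substr($i, RSTART + 2, RLENGTH - 3)
            }
            if (addr != "") print addr, proc
        }'
}

# Constructed /proc/PID/status excerpt: bits 10 and 24 set (CAP_NET_BIND_SERVICE,
# CAP_SYS_RESOURCE), CAP_SETUID (bit 7) absent, so seteuid(0) here gives EPERM.
STATUS_SAMPLE='Name:   named
Uid:    113     113     113     113
CapPrm: 0000000001000400
CapEff: 0000000001000400'

# Constructed ss -lnp output in the shape shown in the thread (not a real capture).
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      10     10.0.100.87:53    0.0.0.0:* users:(("named",pid=2696,fd=55),("named",pid=2696,fd=54))
tcp   LISTEN 0      10     127.0.0.1:53      0.0.0.0:* users:(("named",pid=2696,fd=46))
tcp   LISTEN 0      4096   127.0.0.53%lo:53  0.0.0.0:* users:(("systemd-resolve",pid=150,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:* users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      10     [::1]:53          [::]:*    users:(("named",pid=2696,fd=65))'

# Demo on the constructed samples.
eff=$(cap_eff_from_status "$STATUS_SAMPLE")
echo "CapEff=$eff decodes to:"
cap_names "$eff"
if has_net_bind_service "$eff"; then
    echo "CAP_NET_BIND_SERVICE present: a non-root named can still bind :53"
else
    echo "CAP_NET_BIND_SERVICE missing: bind() to :53 as user bind fails with EACCES"
fi
echo "TCP listeners on :53 (address process):"
port53_holders "$SS_SAMPLE"
```

The systemd-resolve entry on 127.0.0.53%lo:53 is exactly the case the reply calls out: it shows up in the list but does not conflict with named, because named binds specific other addresses rather than 0.0.0.0:53. A listener on 0.0.0.0:53 or [::]:53 from another process would be the conflict to look for.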
[Bug 1886528] Re: BIND9: unable to set effective uid to 0: Operation not permitted
** Description changed:

  What happens?
  Vanilla install of 20.04, installed bind9 fresh out of the box. Error in summary prevents named from listening on port 53 to service requests.

  What's expected to happen?
  named should bind to port 53 to service requests.

  lsb_release -rd
  Description:    Ubuntu 20.04 LTS
  Release:        20.04

  apt-cache policy bind9
  bind9:
-   Installed: 1:9.16.1-0ubuntu2.2
-   Candidate: 1:9.16.1-0ubuntu2.2
-   Version table:
-  *** 1:9.16.1-0ubuntu2.2 500
-         500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
-         500 http://us.archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
-         100 /var/lib/dpkg/status
-      1:9.16.1-0ubuntu2 500
-         500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
+   Installed: 1:9.16.1-0ubuntu2.2
+   Candidate: 1:9.16.1-0ubuntu2.2
+   Version table:
+  *** 1:9.16.1-0ubuntu2.2 500
+         500 http://us.archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages
+         500 http://us.archive.ubuntu.com/ubuntu focal-security/main amd64 Packages
+         100 /var/lib/dpkg/status
+      1:9.16.1-0ubuntu2 500
+         500 http://us.archive.ubuntu.com/ubuntu focal/main amd64 Packages
-
- Relevant log snippet:
+ Relevant log snippet:
-
  Jun 29 23:58:29 backupcore named[704]: adjusted limit on open files from 524288 to 1048576
  Jun 29 23:58:29 backupcore named[704]: found 4 CPUs, using 4 worker threads
  Jun 29 23:58:29 backupcore named[704]: using 4 UDP listeners per interface
  Jun 29 23:58:29 backupcore named[704]: using up to 21000 sockets
  Jun 29 23:58:29 backupcore named[704]: loading configuration from '/etc/bind/named.conf'
  Jun 29 23:58:29 backupcore named[704]: /etc/bind/named.conf:21: option 'dnssec-enable' is obsolete and should be removed
  Jun 29 23:58:29 backupcore named[704]: unable to open '/etc/named.iscdlv.key'; using built-in keys instead
  Jun 29 23:58:29 backupcore named[704]: looking for GeoIP2 databases in '/usr/share/GeoIP'
  Jun 29 23:58:29 backupcore named[704]: using default UDP/IPv4 port range: [32768, 60999]
  Jun 29 23:58:29 backupcore named[704]: using default UDP/IPv6 port range: [32768, 60999]
  Jun 29 23:58:29 backupcore named[704]: listening on IPv4 interface lo, 127.0.0.1#53
  Jun 29 23:58:29 backupcore named[704]: listening on IPv4 interface enp3s0, 10.0.0.6#53
  Jun 29 23:58:29 backupcore named[704]: listening on IPv6 interface lo, ::1#53
  Jun 29 23:58:29 backupcore named[704]: unable to set effective uid to 0: Operation not permitted
  Jun 29 23:58:29 backupcore named[704]: generating session key for dynamic DNS
  Jun 29 23:58:29 backupcore named[704]: unable to set effective uid to 0: Operation not permitted
  Jun 29 23:58:29 backupcore named[704]: sizing zone task pool based on 7 zones
  Jun 29 23:58:29 backupcore named[704]: none:100: 'max-cache-size 90%' - setting to 14251MB (out of 15835MB)
  Jun 29 23:58:29 backupcore named[704]: set up managed keys zone for view _default, file '/var/cache/bind/dynamic/managed-keys.bind'
  Jun 29 23:58:29 backupcore named[704]: none:100: 'max-cache-size 90%' - setting to 14251MB (out of 15835MB)
  Jun 29 23:58:29 backupcore named[704]: configuring command channel from '/etc/bind/rndc.key'
  Jun 29 23:58:30 backupcore named[704]: command channel listening on 127.0.0.1#953
  Jun 29 23:58:30 backupcore named[704]: configuring command channel from '/etc/bind/rndc.key'
  Jun 29 23:58:30 backupcore named[704]: command channel listening on ::1#953

  I've tried this on two fresh installs of 20.04. Doesn't happen in previous releases.

  Recompiled from source with --disable-linux-caps, and
- the issue goes away, but I'm pretty sure that disabling capabilities is
- a good idea for security reasons.
+ the issue goes away, but I'm pretty sure that disabling capabilities
+ isn't a good idea for security reasons.

  Happy to test any upstream versions/PPAs, if needed.

  I disabled AppArmor, SELinux, and capabilities, and still had the same issue.