From: sthaug@nethelp.no
To: bzeeb-lists@lists.zabbadoz.net
Cc: freebsd-stable@freebsd.org
Subject: Re: BIND 9.19.24 not listening to rndc port (953)
Date: Tue, 02 Jul 2024 11:22:50 +0200 (CEST)
Message-Id: <20240702.112250.268297637701792446.sthaug@nethelp.no>
In-Reply-To: <38321p06-q966-p811-oqpq-q679qpo9pp31@yvfgf.mnoonqbm.arg>
References: <20240630.134609.2166404118346455953.sthaug@nethelp.no> <38321p06-q966-p811-oqpq-q679qpo9pp31@yvfgf.mnoonqbm.arg>
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

>> Other info:
>>
>> - BIND 9.18.24 on the same host works perfectly, with no rndc issues.
>> - BIND 9.19.24 on the same host also works *if I change it to run as
>> root* (by default it runs as user bind). The syslog messages are gone,
>> and rndc works as expected.
>
> That sounds like they try to open the priv port after they changed
> users rather than before.

I ran named under truss, and as far as I can see that is exactly what
is happening:

root@nlab1:/local/etc/namedb # egrep 'setuid|setresuid|127.0.0.1:953' truss.log
38461: 0.063859531 setresuid(0xffffffff,0x35,0xffffffff) = 0 (0x0)
38461: 0.064231316 setresuid(0xffffffff,0x0,0xffffffff) = 0 (0x0)
38461: 0.064999183 setresuid(0xffffffff,0x35,0xffffffff) = 0 (0x0)
38461: 0.065332218 setresuid(0xffffffff,0x0,0xffffffff) = 0 (0x0)
38461: 0.083518302 setuid(0x35) = 0 (0x0)
38461: 0.093282161 bind(59,{ AF_INET 127.0.0.1:953 },16) ERR#13 'Permission denied'

So we set uid 53 (bind) at 0.083518302, and then try to bind to port
953 at 0.093282161.

Steinar Haug, AS2116
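The ordering problem Steinar reads off the truss output (effective uid dropped to 53 before the bind() to privileged port 953) can be checked mechanically. The script below is an added example, not part of the thread or of BIND; it parses truss(1) syscall lines, tracks the effective uid through setuid/seteuid/setresuid (treating 0xffffffff as the "leave unchanged" value of (uid_t)-1), and flags any bind() to a port below 1024 that happens while the effective uid is non-zero. It assumes the traced process starts as root and that the log uses the "pid: timestamp call(args) result" layout shown above. The first sample is the trace quoted in the mail; the second is a constructed trace of the correct order (bind first, then drop privileges) for comparison.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample 1: the truss lines quoted in the mail above (pid, timestamp, syscall, result).
TRUSS_LOG = """\
38461: 0.063859531 setresuid(0xffffffff,0x35,0xffffffff) = 0 (0x0)
38461: 0.064231316 setresuid(0xffffffff,0x0,0xffffffff) = 0 (0x0)
38461: 0.064999183 setresuid(0xffffffff,0x35,0xffffffff) = 0 (0x0)
38461: 0.065332218 setresuid(0xffffffff,0x0,0xffffffff) = 0 (0x0)
38461: 0.083518302 setuid(0x35) = 0 (0x0)
38461: 0.093282161 bind(59,{ AF_INET 127.0.0.1:953 },16) ERR#13 'Permission denied'
"""

# Sample 2: a constructed trace (not from the mail) showing the safe order:
# the privileged port is bound while still root, and only then is the uid dropped.
FIXED_LOG = """\
11111: 0.050000000 bind(59,{ AF_INET 127.0.0.1:953 },16) = 0 (0x0)
11111: 0.060000000 setuid(0x35) = 0 (0x0)
"""

# "pid: ts call(args) result" -- args is non-greedy so the trailing "(0x0)" stays in result.
LINE_RE = re.compile(r"^(?P<pid>\d+):\s+(?P<ts>[\d.]+)\s+(?P<call>\w+)\((?P<args>.*?)\)\s+(?P<ret>.*)$")
BIND_RE = re.compile(r"\{\s*AF_INET6?\s+(?P<addr>\S+):(?P<port>\d+)\s*\}")

UID_UNCHANGED = -1
PRIVILEGED_PORT_LIMIT = 1024


@dataclass
class Finding:
    ts: float              # when the offending bind() happened
    port: int              # privileged port that was requested
    euid_at_bind: int      # effective uid in force at that moment
    drop_ts: Optional[float]  # when the euid last became non-root
    result: str            # what the kernel returned (e.g. ERR#13 'Permission denied')


def parse_uid(arg: str) -> int:
    """truss prints uid arguments in hex; 0xffffffff is (uid_t)-1, meaning 'unchanged'."""
    arg = arg.strip()
    value = int(arg, 16) if arg.startswith("0x") else int(arg)
    return UID_UNCHANGED if value == 0xFFFFFFFF else value


def privileged_binds_after_drop(log: str) -> list[Finding]:
    """Return every bind() to a port < 1024 issued while the effective uid was not 0."""
    euid = 0                      # assumption: the traced daemon is started by root
    drop_ts: Optional[float] = None
    findings: list[Finding] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        call, args, ts = m["call"], m["args"], float(m["ts"])
        if call in ("setuid", "seteuid"):
            euid = parse_uid(args)
        elif call == "setresuid":
            # setresuid(ruid, euid, suid): only the middle argument affects the effective uid
            new_euid = parse_uid(args.split(",")[1])
            if new_euid != UID_UNCHANGED:
                euid = new_euid
        elif call == "bind":
            b = BIND_RE.search(args)
            if b and int(b["port"]) < PRIVILEGED_PORT_LIMIT and euid != 0:
                findings.append(Finding(ts, int(b["port"]), euid, drop_ts, m["ret"].strip()))
            continue
        else:
            continue
        if euid != 0:
            drop_ts = ts          # remember the most recent transition away from root
    return findings


if __name__ == "__main__":
    for name, log in (("mail trace", TRUSS_LOG), ("constructed safe trace", FIXED_LOG)):
        hits = privileged_binds_after_drop(log)
        print(f"{name}: {len(hits)} privileged bind(s) after privilege drop")
        for f in hits:
            print(f"  port {f.port} at {f.ts} with euid {f.euid_at_bind} "
                  f"(euid dropped at {f.drop_ts}): {f.result}")
```

Run against the quoted trace it reports the single bind() to 127.0.0.1:953 with euid 53, dropped at 0.083518302; against the constructed safe trace it reports nothing. The same walk can be pointed at a full truss log of any daemon that is expected to drop privileges, and the transient setresuid(-1, 53, -1) / setresuid(-1, 0, -1) toggles early in the trace are handled correctly because the euid is back to 0 before the real setuid(53).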