From: "Bjoern A. Zeeb"
To: sthaug@nethelp.no
cc: freebsd-stable@freebsd.org
Subject: Re: BIND 9.19.24 not listening to rndc port (953)
Date: Tue, 2 Jul 2024 17:05:48 +0000 (UTC)
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On Tue, 2 Jul 2024, sthaug@nethelp.no wrote:

>>> Other info:
>>>
>>> - BIND 9.18.24 on the same host works perfectly, with no rndc issues.
>>> - BIND 9.19.24 on the same host also works *if I change it to run as
>>> root* (by default it runs as user bind). The syslog messages are gone,
>>> and rndc works as expected.
>>
>> That sounds like they try to open the priv port after they changed
>> users rather than before.
>
> I ran named under truss, and as far as I can see that is exactly
> what is happening:
>
> root@nlab1:/local/etc/namedb # egrep 'setuid|setresuid|127.0.0.1:953' truss.log
> 38461: 0.063859531 setresuid(0xffffffff,0x35,0xffffffff) = 0 (0x0)
> 38461: 0.064231316 setresuid(0xffffffff,0x0,0xffffffff) = 0 (0x0)
> 38461: 0.064999183 setresuid(0xffffffff,0x35,0xffffffff) = 0 (0x0)
> 38461: 0.065332218 setresuid(0xffffffff,0x0,0xffffffff) = 0 (0x0)
> 38461: 0.083518302 setuid(0x35) = 0 (0x0)
> 38461: 0.093282161 bind(59,{ AF_INET 127.0.0.1:953 },16) ERR#13 'Permission denied'
>
> So we set uid 53 (bind) at 0.083518302, and then try to bind to port
> 953 at 0.093282161.

Are you going to open a bug with the bind people?

/bz

--
Bjoern A. Zeeb                                                     r15:7
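
Added example, not part of the original message and not BIND or FreeBSD code: a small checker that replays a truss log, tracks the effective uid per process through setuid/setresuid, and reports any bind() to a reserved port made after root was dropped. The function name, the assumption that the process starts as root, and the `reserved_high` default of 1023 (the usual value of `net.inet.ip.portrange.reservedhigh`) are assumptions; the line format is the pid-plus-relative-timestamp form quoted above.

```python
import re

# The truss lines quoted in the thread above, embedded so this runs offline.
SAMPLE = """\
38461: 0.063859531 setresuid(0xffffffff,0x35,0xffffffff) = 0 (0x0)
38461: 0.064231316 setresuid(0xffffffff,0x0,0xffffffff) = 0 (0x0)
38461: 0.064999183 setresuid(0xffffffff,0x35,0xffffffff) = 0 (0x0)
38461: 0.065332218 setresuid(0xffffffff,0x0,0xffffffff) = 0 (0x0)
38461: 0.083518302 setuid(0x35) = 0 (0x0)
38461: 0.093282161 bind(59,{ AF_INET 127.0.0.1:953 },16) ERR#13 'Permission denied'
"""

# pid, timestamp, syscall name, argument list, then "= value" or "ERR#n"
LINE = re.compile(r"^\s*(\d+):\s+(\S+)\s+(\w+)\((.*)\)\s+(?:=\s|ERR#(\d+))")
# port of an AF_INET / AF_INET6 sockaddr as truss prints it
PORT = re.compile(r"AF_INET6?\s+\S*:(\d+)\s*\}")
UNCHANGED = 0xFFFFFFFF  # (uid_t)-1: setresuid() leaves this id untouched


def late_privileged_binds(trace, start_euid=0, reserved_high=1023):
    """Return (pid, timestamp, port, euid, errno) for each bind() to a
    reserved port attempted while the effective uid was not 0."""
    euid = {}       # pid -> effective uid reconstructed from the trace
    findings = []
    for raw in trace.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, ts, call, args, err = m.groups()
        pid = int(pid)
        cur = euid.setdefault(pid, start_euid)  # assumption: starts as root
        if call in ("setuid", "seteuid") and err is None:
            euid[pid] = int(args.split(",")[0], 0)
        elif call == "setresuid" and err is None:
            new = int(args.split(",")[1], 0)    # second argument is the euid
            if new != UNCHANGED:
                euid[pid] = new
        elif call == "bind":
            p = PORT.search(args)
            if p and int(p.group(1)) <= reserved_high and cur != 0:
                findings.append((pid, ts, int(p.group(1)), cur,
                                 int(err) if err else None))
    return findings


if __name__ == "__main__":
    for f in late_privileged_binds(SAMPLE):
        print("pid %d at %s: bind to port %d as uid %d, errno %s" % f)
```
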