BIND vs. mac_portacl

Kövesdán Gábor gabor.kovesdan at t-hosting.hu
Mon Jul 4 22:16:58 GMT 2005


Hello,

I've loaded the mac_portacl module but BIND doesn't work properly with
it. My sysctl values:

net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 0
security.mac.portacl.rules: uid:55:tcp:53,uid:55:udp:53,uid:55:tcp:953,uid:55:udp:953
security.mac.portacl.port_high: 1023
security.mac.portacl.suser_exempt: 1
security.mac.portacl.enabled: 1

Thus, my system behaves in the standard UNIX way: root should be able to
bind to privileged ports. It is very common that software binds to a
privileged port as root and then changes to an unprivileged user. So does
BIND with the -u switch, but when I start it with this command line:

/usr/local/bind/sbin/named -u bind -t /usr/local/bind -c /etc/named.conf

I get:

Jul  4 23:58:13 server named[18476]: socket.c:2885: unexpected error:
Jul  4 23:58:13 server named[18476]: bind: Operation not permitted
Jul  4 23:58:13 server named[18476]: socket.c:2885: unexpected error:
Jul  4 23:58:13 server named[18476]: bind: Operation not permitted
Jul  4 23:58:13 server named[18476]: socket.c:2885: unexpected error:
Jul  4 23:58:13 server named[18476]: bind: Operation not permitted
Jul  4 23:58:13 server named[18476]: socket.c:2885: unexpected error:
Jul  4 23:58:13 server named[18476]: bind: Operation not permitted
Jul  4 23:58:13 server named[18476]: socket.c:2885: unexpected error:
Jul  4 23:58:13 server named[18476]: bind: Operation not permitted

The bind user has the uid 55. I've added a rule for it, as you can see,
but it doesn't help. I get this error with the ruleset that can be seen
above, and also without any rules. But Apache works: it can change to
the www user. ProFTPD can change to the proftpd user. BIND is the only
one that doesn't work. What's wrong?

Cheers,

Gábor Kövesdán
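As an added example that is not part of the original post, and not FreeBSD's own code, the POSIX sh script below checks a security.mac.portacl.rules string for well-formedness (the mac_portacl(4) format is idtype:id:protocol:port, comma separated, with idtype uid or gid and protocol tcp or udp) and then models the module's decision for a given bind() attempt: ports above security.mac.portacl.port_high are not checked at all, uid 0 is waved through when suser_exempt is 1, and everything else needs a matching uid or gid rule. The ruleset from the post is embedded as constructed sample input. The decision function is a simplification of the real module (it looks only at the caller's uid and one gid, and ignores supplementary groups and the autoport_exempt knob); it runs offline and never touches the live sysctl.

```shell
#!/bin/sh
# Offline checker for mac_portacl(4) rule strings. Added example, not from
# the original post; the decision model is a simplified reading of the
# documented knobs (port_high, suser_exempt) and rule format.

# Constructed sample input: the ruleset quoted in the post.
POSTED_RULES='uid:55:tcp:53,uid:55:udp:53,uid:55:tcp:953,uid:55:udp:953'

# portacl_rule_ok RULE
# Returns 0 if RULE has the shape idtype:id:protocol:port with
# idtype in {uid,gid}, numeric id, protocol in {tcp,udp}, port 0..65535.
portacl_rule_ok() {
    oldifs=$IFS; IFS=':'; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    case $1 in uid|gid) ;; *) return 1 ;; esac
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    case $3 in tcp|udp) ;; *) return 1 ;; esac
    case $4 in ''|*[!0-9]*) return 1 ;; esac
    [ "$4" -le 65535 ] || return 1
    return 0
}

# portacl_validate RULES
# Prints one line per rule, marked ok/BAD, and returns 1 if any is malformed.
portacl_validate() {
    oldifs=$IFS; IFS=','; set -- $1; IFS=$oldifs
    rc=0
    for rule in "$@"; do
        if portacl_rule_ok "$rule"; then
            echo "ok   $rule"
        else
            echo "BAD  $rule"
            rc=1
        fi
    done
    return $rc
}

# portacl_allowed RULES IDTYPE ID PROTO PORT
# Returns 0 if RULES contains exactly the entry IDTYPE:ID:PROTO:PORT.
portacl_allowed() {
    rs=$1 want="$2:$3:$4:$5"
    oldifs=$IFS; IFS=','; set -- $rs; IFS=$oldifs
    for rule in "$@"; do
        [ "$rule" = "$want" ] && return 0
    done
    return 1
}

# portacl_decision RULES UID GID PROTO PORT PORT_HIGH SUSER_EXEMPT
# Simplified mac_portacl decision for a bind() by a process with UID/GID.
# Returns 0 = permitted, 1 = refused.
portacl_decision() {
    rs=$1 uid=$2 gid=$3 proto=$4 port=$5 port_high=$6 suser_exempt=$7
    # The module only enforces on ports up to port_high.
    [ "$port" -gt "$port_high" ] && return 0
    # With suser_exempt=1 the superuser bypasses the rule list.
    [ "$uid" -eq 0 ] && [ "$suser_exempt" -eq 1 ] && return 0
    portacl_allowed "$rs" uid "$uid" "$proto" "$port" && return 0
    portacl_allowed "$rs" gid "$gid" "$proto" "$port" && return 0
    return 1
}

echo "== posted ruleset"
portacl_validate "$POSTED_RULES"
echo "== deliberately broken ruleset (constructed)"
portacl_validate 'uid:55:tcp:53,uid:bind:udp:53,uid:55:icmp:53' || echo "malformed entries found"

echo "== decisions with port_high=1023, suser_exempt=1"
for who in "55 tcp 53" "55 udp 953" "55 tcp 80" "0 tcp 80" "80 tcp 443" "55 tcp 8053"; do
    set -- $who
    if portacl_decision "$POSTED_RULES" "$1" "$1" "$2" "$3" 1023 1; then
        echo "uid $1 binding $2/$3: permitted"
    else
        echo "uid $1 binding $2/$3: refused"
    fi
done
```

Once a ruleset passes portacl_validate, it can be applied with `sysctl security.mac.portacl.rules='...'`; as the post notes, the module only takes over from the classic reserved-port check when net.inet.ip.portrange.reservedlow and reservedhigh are both 0.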


More information about the freebsd-stable mailing list