BIND 9.14.0: unable to set effective uid to 0: Operation not permitted


BIND 9.14.0: unable to set effective uid to 0: Operation not permitted

Gasoo
Hello

I build my own bind9 RPM for RHEL6 and RHEL7.
With the new version I get two errors when starting named.

Mar 25 16:41:56 dnsserver named[1348]: using default UDP/IPv4 port range: [1024, 65535]
Mar 25 16:41:56 dnsserver named[1348]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 25 16:41:56 dnsserver named[1348]: listening on IPv4 interface eth0, 192.168.10.100#53
Mar 25 16:41:56 dnsserver named[1348]: unable to set effective uid to 0: Operation not permitted
Mar 25 16:41:56 dnsserver named[1348]: generating session key for dynamic DNS
Mar 25 16:41:56 dnsserver named[1348]: unable to set effective uid to 0: Operation not permitted
Mar 25 16:41:56 dnsserver named[1348]: sizing zone task pool based on 10 zones

From what I understand, the process named is running as user named already.
After it writes /var/run/named/named.pid, it tries to set the uid back to 0.
The same again after /var/run/named/session.key is written.

Bind is running in a chroot environment and the files are created with
the uid/gid of named.
As far as I can see, everything is working fine.

Why does named want to set the uid of itself back to 0?
Has anyone seen this as well?


Kind Regards
Stephan
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: BIND 9.14.0: unable to set effective uid to 0: Operation not permitted

Anand Buddhdev
On 28/03/2019 14:40, Gasoo wrote:

Hi Stephan,

> Mar 25 16:41:56 dnsserver named[1348]: unable to set effective uid to 0: Operation not permitted

[snip]

> Why does named want to set the uid of itself back to 0?
> Has anyone seen this as well?

I'm not sure why it's doing that, but I think I know the reason for this
error message. The release notes of 9.14.0 say that on Linux, BIND uses
libcap to set certain privileges. However, if the /usr/sbin/named binary
is not marked as being able to use privileges, then it won't be able to
set certain privileges.

There are 2 possible options:

1. The simple one is to configure BIND with the "--disable-linux-caps"
option. The notes say that this comes at the cost of some security, but
it's not clear what the risks are.

2. In your SPEC file, you could mark the /usr/sbin/named binary
specially, so that it can use linux capabilities. For example, in the
%files section, you'd do something like:

%caps(cap_net_raw=ep) /path/to/named

But I still don't actually know what capabilities need to be set. The
above is just an example. Perhaps one of the BIND developers can shed
some light here.

Later when I have some time, I'm going to try and do some process
tracing to figure it out as well.

Regards,
Anand Buddhdev
RIPE NCC

Re: BIND 9.14.0: unable to set effective uid to 0: Operation not permitted

Tony Finch
Anand Buddhdev <[hidden email]> wrote:
>
> I'm not sure why it's doing that, but I think I know the reason for this
> error message. The release notes of 9.14.0 say that on Linux, BIND uses
> libcap to set certain privileges. However, if the /usr/sbin/named binary
> is not marked as being able to use privileges, then it won't be able to
> set certain privileges.

I have not noticed these errors on my toy server. I had a look at the code
and I thought Stephan's explanation was correct. My guess is that he is
starting named without root privileges, so it is unable to switch back and
forth between users when it is starting up. It switches users so files
are created with the correct privileges, and as Stephan said, that is when
the warnings are emitted. It might be a combination of starting as an
unprivileged user and also providing the -u command line option.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/
responsible stewardship of the earth and its resources
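A small diagnostic, added here and not part of the thread or of BIND's own code, for checking Tony's explanation against a running process: it decodes the CapEff and CapPrm lines of a Linux /proc/<pid>/status file and reports whether CAP_SETUID is present, the capability a process needs for seteuid(0) once its real and saved uids are no longer 0. It assumes the kernel's capability numbering (CAP_SETUID = 7) and takes an optional path argument such as /proc/$(pidof named)/status, defaulting to its own status file.

```c
/* Added example, not BIND's code: read the Cap* lines of a Linux /proc/<pid>/status file.
 * seteuid(0) needs CAP_SETUID in the effective set once the real and saved uids are not 0. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define CAP_SETUID 7 /* value from <linux/capability.h> */

/* Parse one "Key:<ws><hex>" line; returns 1 and stores the mask on success. */
static int parse_cap_line(const char *line, const char *key, uint64_t *out) {
    size_t klen = strlen(key);
    if (strncmp(line, key, klen) != 0 || line[klen] != ':') return 0;
    const char *p = line + klen + 1;
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p) return 0;
    *out = (uint64_t)v;
    return 1;
}

/* Look up key (CapEff, CapPrm, CapBnd, ...) in status_text and test bit cap. */
int has_cap(const char *status_text, const char *key, int cap) {
    const char *line = status_text;
    while (line && *line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[128]; uint64_t mask;
        if (len < sizeof buf) {
            memcpy(buf, line, len); buf[len] = '\0';
            if (parse_cap_line(buf, key, &mask)) return (int)((mask >> cap) & 1);
        }
        line = nl ? nl + 1 : NULL;
    }
    return 0; /* key absent: treat the capability as not granted */
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc/self/status";
    char text[8192];
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 1; }
    size_t n = fread(text, 1, sizeof text - 1, f);
    text[n] = '\0'; fclose(f);
    printf("CAP_SETUID effective: %s\n", has_cap(text, "CapEff", CAP_SETUID) ? "yes" : "no (seteuid(0) fails with EPERM)");
    printf("CAP_SETUID permitted: %s\n", has_cap(text, "CapPrm", CAP_SETUID) ? "yes" : "no");
    return 0;
}
```

If CAP_SETUID shows up in CapPrm but not in CapEff, the seteuid(0) calls made around writing the pid file and session key fail with EPERM, which is the message named logs; if it is in neither set, the capability was dropped or never granted to the binary in the first place.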

Re: BIND 9.14.0: unable to set effective uid to 0: Operation not permitted

Anand Buddhdev
On 02/04/2019 17:12, Tony Finch wrote:

Hi Tony,

> I have not noticed these errors on my toy server. I had a look at the code
> and I thought Stephan's explanation was correct. My guess is that he is
> starting named without root privileges, so it is unable to switch back and
> forth between users when it is starting up. It switches users so files
> are created with the correct privileges, and as Stephan said, that is when
> the warnings are emitted. It might be a combination of starting as an
> unprivileged user and also providing the -u command line option.

On my CentOS 7 test server, I start BIND 9.14.0 as root, like this:

named -f -u named

or

named -g -u named

It still emits those warnings.

Regards,
Anand

Re: BIND 9.14.0: unable to set effective uid to 0: Operation not permitted

Gasoo
Hello Anand / Tony

On 02/04/2019 20.25, Anand Buddhdev wrote:

> On 02/04/2019 17:12, Tony Finch wrote:
>
> Hi Tony,
>
>> I have not noticed these errors on my toy server. I had a look at the code
>> and I thought Stephan's explanation was correct. My guess is that he is
>> starting named without root privileges, so it is unable to switch back and
>> forth between users when it is starting up. It switches users so files
>> are created with the correct privileges, and as Stephan said, that is when
>> the warnings are emitted. It might be a combination of starting as an
>> unprivileged user and also providing the -u command line option.
> On my CentOS 7 test server, I start BIND 9.14.0 as root, like this:
>
> named -f -u named
>
> or
>
> named -g -u named
>
> It still emits those warnings.

I also tried to start it manually as root on both RHEL6 and 7:

named -u named -c /etc/named/named.conf -4 -t /var/named/chroot -g

The error message is also displayed twice on both systems.


I removed Linux capabilities with "--disable-linux-caps" and,
unsurprisingly, the error messages are not displayed anymore.
However, there are some drawbacks regarding security (according to the
release notes) and I don't see any other reason to disable it.

Thank you for pointing out the caps setting in the SPEC file, I haven't
thought about that.
However, I couldn't find anything about which Linux capabilities
must/should be set in the SPEC file.


Kind Regards
Stephan

Re: BIND 9.14.0: unable to set effective uid to 0: Operation not permitted

@lbutlr
In reply to this post by Anand Buddhdev
On Apr 2, 2019, at 03:03, Anand Buddhdev <[hidden email]> wrote:
> 1. The simple one is to configure BIND with the "--disable-linux-caps"
> option. The notes say that this comes at the cost of some security, but
> it's not clear what the risks are.

I think it is just the cost of the added security caps provides.

--
Tuesday’s dead