Subject: Re: BIND 9.19.24 not listening to rndc port (953)
From: Willem Jan Withagen <wjw@digiware.nl>
Date: Mon, 23 Sep 2024 14:41:11 +0200
To: Matthew Seaman, Dan Mack
Cc: stable@freebsd.org
Message-ID: <62e6becd-3ff9-468e-82de-73b6514a3ac5@digiware.nl>
List-Id: Production branch of FreeBSD source code
List-Archive: https://lists.freebsd.org/archives/freebsd-stable

On 23/09/2024 13:50, Matthew Seaman wrote:
> On 22/09/2024 16:34, Willem Jan Withagen wrote:
>> On 19/09/2024 20:04, Dan Mack wrote:
>>> On Thu, 19 Sep 2024, Matthew Seaman wrote:
>>>> On 19/09/2024 18:16, Dan Mack wrote:
>>>>> On Tue, 2 Jul 2024, sthaug@nethelp.no wrote:
>>>>>>>> So we set uid 53 (bind) at 0.083518302, and then try to bind
>>>>>>>> to port 953 at 0.093282161.
>>>>>>>
>>>>>>> Are you going to poe a bug with the bind people?
>>>>>>
>>>>>> Already did:
>>>>>> https://gitlab.isc.org/isc-projects/bind9/-/issues/4793
>>>>>>
>>>>>> Steinar Haug, AS2116
>>>>>
>>>>> Probably everyone knows but this still happens in the bind920-9.20.1
>>>>> package.
>>>>>
>>>>> However, BIND 9.20.2 was released yesterday with a change to when bind
>>>>> drops privilege levels so perhaps we will have a working version when the
>>>>> port / package is updated.
>>>>
>>>> The update was already committed:
>>>>
>>>> https://cgit.freebsd.org/ports/commit/?id=06790657ec8a80f894db824e7a9cadd71ec4e292
>>>>
>>>>     Cheers,
>>>>
>>>>     Matthew
>>>
>>> Thank you!   Was about to try a build myself but now I don't have to :-)
>>>
>> Until that time I chose to set the highest privileged port to 952...
>>     net.inet.ip.portrange.reservedhigh=952
>
> mac_portacl(4) is useful in these situations.  It allows you to
> specify users that can bind to a specified secure port without needing
> root privileges.

I know, but this was the easiest "fix" for this I could think of...
Especially whilst we are waiting for an updated version in ports/pkgs
that does things like they used to.

And with mac_portacl(4) you need to consider IF you have any other ports
< 1024 in use, since they will possibly now be covered by MAC protection
(like snmp or others). Lots of ways those can be overruled, like
security.mac.portacl.suser_exempt.

So a good reason to read the man pages before you load.

--WjW
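An added example, not from the thread or from FreeBSD itself, of the mac_portacl(4) route Matthew mentions applied to this case: a POSIX sh script that builds the security.mac.portacl.rules string letting uid 53 (bind, as in the trace above) bind TCP port 953, and prints (or, with `apply` as its first argument on FreeBSD, sets) the companion sysctls the mac_portacl(4) manual page calls for. It assumes uid 53 and port 953 as given above and that the module is already loaded (mac_portacl_load="YES" in /boot/loader.conf).

```shell
#!/bin/sh
# Added example, not from the thread: build a mac_portacl(4) rule set and the
# companion sysctls so that uid 53 (bind) may bind the rndc port without root.
# Assumes mac_portacl is loaded (mac_portacl_load="YES" in /boot/loader.conf).

# portacl_rule USER|UID tcp|udp PORT -> one rule in mac_portacl's idtype:id:proto:port form
portacl_rule() {
    _who=$1; _proto=$2; _port=$3
    case "$_who" in
        *[!0-9]*) _uid=$(id -u "$_who") || return 1 ;;   # resolve a user name
        *)        _uid=$_who ;;
    esac
    case "$_proto" in
        tcp|udp) ;;
        *) echo "portacl_rule: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    # Only ports below 1024 are governed by mac_portacl (security.mac.portacl.port_high).
    { [ "$_port" -ge 0 ] && [ "$_port" -le 1023 ]; } 2>/dev/null ||
        { echo "portacl_rule: $_port is not a reserved port" >&2; return 1; }
    printf 'uid:%s:%s:%s' "$_uid" "$_proto" "$_port"
}

# portacl_rules RULE... -> comma-separated list for security.mac.portacl.rules
portacl_rules() {
    _out=""
    for _r in "$@"; do _out="${_out:+$_out,}$_r"; done
    printf '%s' "$_out"
}

# portacl_sysctls print|apply RULES -> the settings mac_portacl(4) documents.
# Zeroing reservedlow/reservedhigh hands the reserved range to mac_portacl, so
# from then on only these rules (and suser_exempt for root) protect ports < 1024:
# every other daemon that binds a low port as a non-root user needs its own rule.
portacl_sysctls() {
    _mode=$1; _rules=$2
    for _kv in "security.mac.portacl.port_high=1023" \
               "net.inet.ip.portrange.reservedlow=0" \
               "net.inet.ip.portrange.reservedhigh=0" \
               "security.mac.portacl.rules=$_rules"; do
        if [ "$_mode" = apply ]; then sysctl "$_kv"; else echo "$_kv"; fi
    done
}

# rndc control port for the bind user; add further rules here for any other
# low-port daemon that does not run as root.
RULES=$(portacl_rules "$(portacl_rule 53 tcp 953)")
portacl_sysctls "${1:-print}" "$RULES"
```

Without `apply` the script only prints the four settings, which is also the form to copy into /etc/sysctl.conf once they are verified.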