From: Kövesdán Gábor <gabor.kovesdan@t-hosting.hu>
Date: Tue, 05 Jul 2005 00:17:40 +0200
To: freebsd-stable@freebsd.org
Subject: BIND vs. mac_portacl
Message-ID: <42C9B584.8040805@t-hosting.hu>

Hello,

I've loaded the mac_portacl module but BIND doesn't work properly with it. My sysctl values:

net.inet.ip.portrange.reservedlow: 0
net.inet.ip.portrange.reservedhigh: 0
security.mac.portacl.rules: uid:55:tcp:53,uid:55:udp:53,uid:55:tcp:953,uid:55:udp:953
security.mac.portacl.port_high: 1023
security.mac.portacl.suser_exempt: 1
security.mac.portacl.enabled: 1

Thus my system behaves in the standard UNIX way: root should be able to bind to privileged ports.
It is very common that software binds to a privileged port as root and then changes to an unprivileged user. So does BIND with the -u switch, but when I start it this way, with this command line:

/usr/local/bind/sbin/named -u bind -t /usr/local/bind -c /etc/named.conf

I get:

Jul 4 23:58:13 server named[18476]: socket.c:2885: unexpected error:
Jul 4 23:58:13 server named[18476]: bind: Operation not permitted
Jul 4 23:58:13 server named[18476]: socket.c:2885: unexpected error:
Jul 4 23:58:13 server named[18476]: bind: Operation not permitted
Jul 4 23:58:13 server named[18476]: socket.c:2885: unexpected error:
Jul 4 23:58:13 server named[18476]: bind: Operation not permitted
Jul 4 23:58:13 server named[18476]: socket.c:2885: unexpected error:
Jul 4 23:58:13 server named[18476]: bind: Operation not permitted
Jul 4 23:58:13 server named[18476]: socket.c:2885: unexpected error:
Jul 4 23:58:13 server named[18476]: bind: Operation not permitted

The bind user has the uid 55. I've added a rule for it, as you can see, but it doesn't help. I get this error with the ruleset that can be seen above, and also without any rules. But Apache works. It can change to the www user. Proftpd can change to the proftpd user. BIND is the only one that doesn't work. What's wrong?

Cheers,
Gábor Kövesdán
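Added example (not part of the original message, and not FreeBSD code): a small Python model of the bind(2) decision the poster's sysctls describe, so a security.mac.portacl.rules string and the portrange settings can be sanity-checked offline before touching a live box. It follows the documented mac_portacl(4) semantics (idtype:id:protocol:port rules, port_high, suser_exempt, autoport_exempt) and the separate net.inet.ip.portrange.reservedlow/reservedhigh check that the poster zeroed. The class and function names (Sysctls, parse_rules, bind_allowed, check_daemon), the credential matching (effective uid for uid rules, any group of the process for gid rules) and the treatment of root as "uid 0" rather than a full privilege check are this model's own simplifying assumptions.

```python
"""Model of how FreeBSD's mac_portacl(4) and the net.inet.ip.portrange
reserved-port check together decide a bind(2) call.

Hypothetical model written for this page, not FreeBSD kernel code.  It
follows the documented semantics closely enough to sanity-check a ruleset
offline; credential matching and the root check are simplified.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    idtype: str   # "uid" or "gid"
    ident: int
    proto: str    # "tcp" or "udp"
    port: int


def parse_rules(rules: str) -> list:
    """Parse a security.mac.portacl.rules string, e.g. "uid:55:tcp:53,uid:55:udp:53"."""
    parsed = []
    for item in (r.strip() for r in rules.split(",")):
        if not item:
            continue
        parts = item.split(":")
        if len(parts) != 4:
            raise ValueError(f"malformed rule {item!r}: expected idtype:id:protocol:port")
        idtype, ident, proto, port = parts
        if idtype not in ("uid", "gid"):
            raise ValueError(f"bad idtype in {item!r}")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"bad protocol in {item!r}")
        port_n = int(port)
        if not 0 <= port_n <= 65535:
            raise ValueError(f"bad port in {item!r}")
        parsed.append(Rule(idtype, int(ident), proto, port_n))
    return parsed


@dataclass
class Sysctls:
    """The knobs that matter, with FreeBSD's defaults."""
    portacl_enabled: bool = True            # security.mac.portacl.enabled
    portacl_port_high: int = 1023           # security.mac.portacl.port_high
    portacl_suser_exempt: bool = True       # security.mac.portacl.suser_exempt
    portacl_autoport_exempt: bool = True    # security.mac.portacl.autoport_exempt
    portacl_rules: str = ""                 # security.mac.portacl.rules
    reservedlow: int = 0                    # net.inet.ip.portrange.reservedlow
    reservedhigh: int = 1023                # net.inet.ip.portrange.reservedhigh


def bind_allowed(s: Sysctls, uid: int, gids: frozenset, proto: str, port: int):
    """Return (allowed, reason) for a bind(2) of proto/port by a process whose
    effective uid is `uid` and whose groups are `gids` (model assumption)."""
    # Port 0 asks the kernel for an ephemeral port; the reserved range does not
    # apply, and mac_portacl lets it through when autoport_exempt is set.
    if port == 0:
        if s.portacl_enabled and not s.portacl_autoport_exempt and uid != 0:
            return False, "automatic port binding not exempt (EPERM)"
        return True, "automatic port selection"
    # The classic UNIX reserved-port check runs independently of the MAC
    # policy; a mac_portacl rule cannot override a denial here, which is why
    # mac_portacl(4) says to zero reservedlow/reservedhigh.
    if uid != 0 and s.reservedlow <= port <= s.reservedhigh:
        return False, "denied by net.inet.ip.portrange reserved range (EACCES)"
    # mac_portacl only governs ports up to port_high.
    if not s.portacl_enabled or port > s.portacl_port_high:
        return True, "outside mac_portacl scope"
    if uid == 0 and s.portacl_suser_exempt:
        return True, "superuser exempt from mac_portacl"
    for r in parse_rules(s.portacl_rules):
        if r.proto != proto or r.port != port:
            continue
        if (r.idtype == "uid" and r.ident == uid) or (r.idtype == "gid" and r.ident in gids):
            return True, f"matched rule {r.idtype}:{r.ident}:{r.proto}:{r.port}"
    return False, "no mac_portacl rule matched (EPERM)"


def check_daemon(s: Sysctls, uid: int, gids: frozenset, binds):
    """Evaluate every (proto, port) a daemon binds after dropping to `uid`;
    return the denials as a list of (proto, port, reason)."""
    denials = []
    for proto, port in binds:
        ok, why = bind_allowed(s, uid, gids, proto, port)
        if not ok:
            denials.append((proto, port, why))
    return denials


# Constructed scenario: the sysctl values quoted in the message above.
POSTED = Sysctls(
    portacl_rules="uid:55:tcp:53,uid:55:udp:53,uid:55:tcp:953,uid:55:udp:953",
    reservedlow=0,
    reservedhigh=0,
)
# Same ruleset, but with the reserved-port check left at its default range.
RESERVED_LEFT_ON = Sysctls(portacl_rules=POSTED.portacl_rules)

if __name__ == "__main__":
    needed = [("udp", 53), ("tcp", 53), ("tcp", 953), ("udp", 953), ("tcp", 80)]
    for label, cfg in (("posted sysctls", POSTED), ("reservedhigh left at 1023", RESERVED_LEFT_ON)):
        print(label, "->", check_daemon(cfg, 55, frozenset({55}), needed))
```

The reason string records which of the two gates refused the bind, because they fail with different errnos: the portrange check returns EACCES ("Permission denied"), while a mac_portacl denial returns EPERM ("Operation not permitted"). With the poster's settings the model allows uid 55 on tcp/udp 53 and 953 and refuses everything else below 1024 with EPERM; with reservedhigh left at 1023 the same ruleset is never consulted for uid 55, because the reserved-range check refuses first.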