Date: Mon, 23 Sep 2024 14:41:11 +0200
From: Willem Jan Withagen <wjw@digiware.nl>
To: Matthew Seaman <matthew@FreeBSD.org>, Dan Mack <mack@macktronics.com>
Cc: stable@freebsd.org
Subject: Re: BIND 9.19.24 not listening to rndc port (953)
Message-ID: <62e6becd-3ff9-468e-82de-73b6514a3ac5@digiware.nl>
In-Reply-To: <cbf903e7-66fa-4b66-8e21-cb682b63f30f@FreeBSD.org>
References: <38321p06-q966-p811-oqpq-q679qpo9pp31@yvfgf.mnoonqbm.arg> <20240702.112250.268297637701792446.sthaug@nethelp.no> <18s0oq25-816s-84ns-41np-47402182ns46@yvfgf.mnoonqbm.arg> <20240702.191333.1782316333681428598.sthaug@nethelp.no> <35410f21-8e52-a853-ad21-4fd05d0f8b3c@macktronics.com> <d14d2b27-6dd8-41df-aef7-3040ae98d629@FreeBSD.org> <1c138b97-2cc3-992c-f9ad-a944c0638163@macktronics.com> <e7608524-43b6-4b04-a058-6ebe70833070@digiware.nl> <cbf903e7-66fa-4b66-8e21-cb682b63f30f@FreeBSD.org>
On 23/09/2024 13:50, Matthew Seaman wrote:
> On 22/09/2024 16:34, Willem Jan Withagen wrote:
>>
>> On 19/09/2024 20:04, Dan Mack wrote:
>>> On Thu, 19 Sep 2024, Matthew Seaman wrote:
>>>
>>>> On 19/09/2024 18:16, Dan Mack wrote:
>>>>> On Tue, 2 Jul 2024, sthaug@nethelp.no wrote:
>>>>>
>>>>>>>> So we set uid 53 (bind) at 0.083518302, and then try to bind to port
>>>>>>>> 953 at 0.093282161.
>>>>>>>
>>>>>>> Are you going to poe a bug with the bind people?
>>>>>>
>>>>>> Already did:
>>>>>> https://gitlab.isc.org/isc-projects/bind9/-/issues/4793
>>>>>>
>>>>>> Steinar Haug, AS2116
>>>>>
>>>>> Probably everyone knows but this still happens in the bind920-9.20.1
>>>>> package.
>>>>>
>>>>> However, BIND 9.20.2 was released yesterday with a change to when bind
>>>>> drops privilege levels so perhaps we will have a working version when the
>>>>> port / package is updated.
>>>>
>>>> The update was already committed:
>>>>
>>>> https://cgit.freebsd.org/ports/commit/?id=06790657ec8a80f894db824e7a9cadd71ec4e292
>>>>
>>>> Cheers,
>>>>
>>>> Matthew
>>>
>>> Thank you! Was about to try a build myself but now I don't have to :-)
>>>
>> Until that time I chose to set the highest privileged port to 952...
>> net.inet.ip.portrange.reservedhigh=952
>
> mac_portacl(4) is useful in these situations. It allows you to
> specify users that can bind to a specified secure port without needing
> root privileges.

I know, but this was the easiest "fix" for this I could think of...
Especially whilst we are waiting for an updated version in ports/pkgs
that does things like they used to.

And with mac_portacl(4) you need to consider IF you have any other ports
< 1024 in use, since they will possibly now be covered by MAC protection
(like snmp or others). Lots of ways those can be overruled, like
security.mac.portacl.suser_exempt. So good reason to read the man pages
before you load.

--WjW
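As an added example (not from this thread or from FreeBSD itself), a small POSIX sh/awk check for the caveat above: given a mac_portacl(4) rule list and `sockstat -4l` output, it lists the non-root listeners on reserved ports that no uid rule covers. The sockstat sample and the user-name to uid map are constructed; the rule syntax and sysctl names are those of mac_portacl(4).

```shell
#!/bin/sh
# Constructed sample of `sockstat -4l` output (not from the thread).
SOCKSTAT_SAMPLE='USER   COMMAND PID  FD PROTO LOCAL ADDRESS  FOREIGN ADDRESS
bind   named   1234 20 tcp4  127.0.0.1:953  *:*
bind   named   1234 21 udp4  *:53           *:*
bind   named   1234 22 tcp4  *:53           *:*
root   sshd    800  4  tcp4  *:22           *:*
snmpd  snmpd   999  8  udp4  *:161          *:*
www    nginx   700  6  tcp4  *:80           *:*'

# Constructed user-name -> uid map (on a real host: pw usershow / getent).
UID_MAP='bind:53 snmpd:110 www:80'

# uncovered_listeners RULES RESERVEDHIGH
#   RULES        mac_portacl rule list, e.g. "uid:53:tcp:953" (idtype:id:proto:port,
#                comma separated; the same string goes into security.mac.portacl.rules)
#   RESERVEDHIGH highest kernel-reserved port (net.inet.ip.portrange.reservedhigh,
#                1023 by default; 952 in the workaround above)
# Prints "user proto port" for each listener on a reserved port that is owned by a
# non-root user and matched by no uid rule: the candidates to review before loading
# mac_portacl with suser_exempt at its default. A daemon that bound as root and then
# dropped privileges also shows up here under the unprivileged uid, so review, don't
# act blindly. gid rules are not evaluated by this check.
uncovered_listeners() {
    printf '%s\n' "$SOCKSTAT_SAMPLE" | awk -v rules="$1" -v high="$2" -v uidmap="$UID_MAP" '
    BEGIN {
        n = split(uidmap, m, " ")
        for (i = 1; i <= n; i++) { split(m[i], kv, ":"); uid[kv[1]] = kv[2] }
        n = split(rules, r, ",")
        for (i = 1; i <= n; i++) {
            split(r[i], f, ":")
            if (f[1] == "uid") allowed[f[2] ":" f[3] ":" f[4]] = 1
        }
    }
    NR == 1 { next }                          # skip the sockstat header
    {
        user = $1; proto = substr($5, 1, 3)   # tcp4/tcp6/udp4 -> tcp/udp
        port = $6; sub(/.*:/, "", port)       # strip the address part
        if (user == "root" || port + 0 > high) next
        key = uid[user] ":" proto ":" port
        if (!(key in allowed)) print user, proto, port
    }'
}

# Only the rndc port is covered: the port 53, snmp and http listeners remain to check.
uncovered_listeners 'uid:53:tcp:953' 1023
```

With RESERVEDHIGH set to 952, port 953 drops out of the list, which is exactly why the sysctl workaround above sidesteps the problem without a MAC policy.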