Date:      Mon, 23 Sep 2024 14:41:11 +0200
From:      Willem Jan Withagen <wjw@digiware.nl>
To:        Matthew Seaman <matthew@FreeBSD.org>, Dan Mack <mack@macktronics.com>
Cc:        stable@freebsd.org
Subject:   Re: BIND 9.19.24 not listening to rndc port (953)
Message-ID:  <62e6becd-3ff9-468e-82de-73b6514a3ac5@digiware.nl>
In-Reply-To: <cbf903e7-66fa-4b66-8e21-cb682b63f30f@FreeBSD.org>
References:  <38321p06-q966-p811-oqpq-q679qpo9pp31@yvfgf.mnoonqbm.arg> <20240702.112250.268297637701792446.sthaug@nethelp.no> <18s0oq25-816s-84ns-41np-47402182ns46@yvfgf.mnoonqbm.arg> <20240702.191333.1782316333681428598.sthaug@nethelp.no> <35410f21-8e52-a853-ad21-4fd05d0f8b3c@macktronics.com> <d14d2b27-6dd8-41df-aef7-3040ae98d629@FreeBSD.org> <1c138b97-2cc3-992c-f9ad-a944c0638163@macktronics.com> <e7608524-43b6-4b04-a058-6ebe70833070@digiware.nl> <cbf903e7-66fa-4b66-8e21-cb682b63f30f@FreeBSD.org>

On 23/09/2024 13:50, Matthew Seaman wrote:
> On 22/09/2024 16:34, Willem Jan Withagen wrote:
>>
>>
>> On 19/09/2024 20:04, Dan Mack wrote:
>>> On Thu, 19 Sep 2024, Matthew Seaman wrote:
>>>
>>>> On 19/09/2024 18:16, Dan Mack wrote:
>>>>>  On Tue, 2 Jul 2024, sthaug@nethelp.no wrote:
>>>>>
>>>>>>>>  So we set uid 53 (bind) at 0.083518302, and then try to bind to port
>>>>>>>>  953 at 0.093282161.
>>>>>>>
>>>>>>>  Are you going to poe a bug with the bind people?
>>>>>>
>>>>>>  Already did: 
>>>>>> https://gitlab.isc.org/isc-projects/bind9/-/issues/4793
>>>>>>
>>>>>>  Steinar Haug, AS2116
>>>>>
>>>>>  Probably everyone knows but this still happens in the bind920-9.20.1
>>>>>  package.
>>>>>
>>>>>  However, BIND 9.20.2 was released yesterday with a change to when bind
>>>>>  drops privilege levels so perhaps we will have a working version when the
>>>>>  port / package is updated.
>>>>
>>>> The update was already committed:
>>>>
>>>> https://cgit.freebsd.org/ports/commit/?id=06790657ec8a80f894db824e7a9cadd71ec4e292 
>>>>
>>>>
>>>>     Cheers,
>>>>
>>>>     Matthew
>>>
>>> Thank you!   Was about to try a build myself but now I don't have to :-)
>>>
>> Until that time I choose to set the highest privileged port to 952...
>>      net.inet.ip.portrange.reservedhigh=952
>
> mac_portacl(4) is useful in these situations.  It allows you to 
> specify users that can bind to a specified secure port without needing 
> root privileges.

I know, but this was the easiest "fix" for this I could think of...
Especially whilst we are waiting for an updated version in ports/pkgs
that does things like they used to.

And with mac_portacl(4) you need to consider IF you have any other ports 
< 1024 in use, since they will possibly now be covered by MAC protection 
(like snmp or others).
Lots of ways those can be overruled, like security.mac.portacl.suser_exempt.
So a good reason to read the man pages before you load.

--WjW
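The two workarounds discussed in this thread, modelled in Python as an added example that is not part of the original mail or of BIND/FreeBSD: it encodes the documented behaviour of net.inet.ip.portrange.reservedhigh and of the mac_portacl(4) rule list ("idtype:id:proto:port" entries separated by commas, with reservedhigh lowered to 0 so the MAC rules take over) so the difference in exposure between the two approaches can be checked. The names Sysctls, parse_rules, may_bind and the configuration constants are the example's own; the uid 53, port 953 and sysctl names come from the thread and the man page.

```python
from dataclasses import dataclass

BIND_UID = 53      # the "bind" user named(8) drops to, per the thread
RNDC_PORT = 953    # rndc control port that then failed to bind

@dataclass(frozen=True)
class Sysctls:
    """The sysctl knobs involved; defaults are FreeBSD's shipped values."""
    reservedlow: int = 0                 # net.inet.ip.portrange.reservedlow
    reservedhigh: int = 1023             # net.inet.ip.portrange.reservedhigh
    portacl_enabled: bool = False        # mac_portacl.ko loaded and enabled
    portacl_rules: str = ""              # security.mac.portacl.rules
    portacl_suser_exempt: bool = True    # security.mac.portacl.suser_exempt
    portacl_port_high: int = 1023        # security.mac.portacl.port_high

def parse_rules(rules: str) -> set:
    """Parse mac_portacl(4)'s "idtype:id:proto:port,..." list into tuples."""
    parsed = set()
    for rule in filter(None, rules.split(",")):
        idtype, ident, proto, port = rule.split(":")
        if idtype not in ("uid", "gid") or proto not in ("tcp", "udp"):
            raise ValueError(f"bad mac_portacl rule: {rule!r}")
        parsed.add((idtype, int(ident), proto, int(port)))
    return parsed

def may_bind(cfg: Sysctls, uid: int, gid: int, proto: str, port: int) -> bool:
    """Model (not kernel code) of both checks a bind(2) must pass under cfg."""
    # Stock check: a port inside [reservedlow, reservedhigh] requires root.
    if cfg.reservedlow <= port <= cfg.reservedhigh and uid != 0:
        return False
    # mac_portacl only judges ports up to port_high, and only when enabled.
    if not cfg.portacl_enabled or port > cfg.portacl_port_high:
        return True
    if cfg.portacl_suser_exempt and uid == 0:   # root bypasses the rule list
        return True
    rules = parse_rules(cfg.portacl_rules)
    return ("uid", uid, proto, port) in rules or ("gid", gid, proto, port) in rules

# Configurations compared in the thread (constructed for this example).
DEFAULT = Sysctls()                                   # where 9.20.1 fails
LOWER_RESERVEDHIGH = Sysctls(reservedhigh=952)        # the sysctl workaround
PORTACL = Sysctls(reservedhigh=0, portacl_enabled=True,    # mac_portacl(4) route
                  portacl_rules=f"uid:{BIND_UID}:tcp:{RNDC_PORT}")
PORTACL_STRICT = Sysctls(reservedhigh=0, portacl_enabled=True,
                         portacl_rules=f"uid:{BIND_UID}:tcp:{RNDC_PORT}",
                         portacl_suser_exempt=False)  # root needs rules too
```

Calling may_bind(LOWER_RESERVEDHIGH, 1001, 1001, "tcp", 1000) shows the cost of the sysctl workaround: every unprivileged user gains ports 953 through 1023, whereas PORTACL admits only uid 53 on tcp/953 and PORTACL_STRICT is the case the mail warns about, where root's own binds below 1024 (snmp and the like) also need rules.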
