[svlug] manners
Derek Balling
dredd at megacity.org
Sat Jun 30 10:47:01 PDT 2001
> > ./configure --disable-threads
>
>Good to know, actually. I didn't know the dependency on kernel
>2.3.99-pre3 and up for dropping root privileges goes away without
>multithreading. The manpage and docs don't cover this, nor does
>ISC's Web site.
Rick... I'm going to lose my faith in you now.... The king of
documentation references, missing this one?

The error you get if you try (and fail) in "stock" mode is:

"-u not supported on Linux kernels older than 2.3.99-pre3 or 2.2.18
when using threads"

Which should easily lead you to the "disable threads or upgrade the
kernel" choice, or... you could read the FAQ in the root of the
tarball....the FIRST question in the FAQ, at the very top where it
could not possibly be missed:
----
Q: Why doesn't -u work on Linux 2.2.x when I build with --enable-threads?

A: Linux threads do not fully implement the Posix threads (pthreads) standard.
In particular, setuid() operates only on the current thread, not the full
process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it
can on all other supported platforms. setuid() cannot be called before
creating threads, since the server does not start listening on reserved ports
until after threads have started.

In the 2.2.18 or 2.3.99-pre3 and newer kernels, the ability to preserve
capabilities across a setuid() call is present. This allows BIND 9 to call
setuid() early, while retaining the ability to bind reserved ports. This is
a Linux-specific hack.

On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
of a security risk than a root process that has not dropped privileges.

If Linux threads ever work correctly, this restriction will go away.

Configuring BIND9 with the --disable-threads option (the default) causes a
non-threaded version to be built, which will allow -u to be used.
----
--
+---------------------+-----------------------------------------+
| dredd at megacity.org | "Conan! What is best in life?" |
| Derek J. Balling | "To crush your enemies, see them |
| | driven before you, and to hear the |
| | lamentation of their women!" |
+---------------------+-----------------------------------------+
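
The mechanism the FAQ describes (call setuid() early but keep the right to bind reserved ports) looks like this as an added example; it is not part of the original post and is not BIND's code. It assumes the kernel feature meant is prctl(PR_SET_KEEPCAPS), available since 2.2.18; the function names and the uid/gid 65534 are made up for illustration, and the process is single-threaded.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* 1 if capability `cap` (< 32) is in the effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return (data[0].effective >> cap) & 1u;
}

/* Switch from root to uid/gid (hypothetical values chosen by the caller),
 * keeping only CAP_NET_BIND_SERVICE. Returns 0, or -1 with errno set. */
int drop_root_keep_bind(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = {{0}};
    data[0].permitted = data[0].effective = 1u << CAP_NET_BIND_SERVICE;

    /* Without this flag, setuid() from root to non-root clears every capability. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* setuid() kept the permitted set but cleared the effective set:
     * shrink permitted to the one capability needed and re-raise it. */
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    /* Root must not be recoverable after the drop. */
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    if (drop_root_keep_bind(65534, 65534) != 0) {
        perror("drop_root_keep_bind");
        return 1;
    }
    printf("uid=%d, can bind ports below 1024: %d\n",
           (int)getuid(), has_effective_cap(CAP_NET_BIND_SERVICE));
    return 0;
}
```

Started as root it ends up as uid 65534 with a single capability; started as any other user it fails at setgroups() with EPERM and changes nothing.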