[Opendnssec-user] zone fetcher can't bind udp/ipv4 socket: Permission denied

Markus Lauer mlauer at key-systems.net
Thu Dec 16 11:52:07 UTC 2010


I read some code and found:

inside engine_start in engine.c:

http://trac.opendnssec.org/browser/tags/OpenDNSSEC-1.2.0rc2/signer/src/daemon/engine.c?rev=4219#L932

- here engine_setup is called, which drops privs (engine_privdrop)

http://trac.opendnssec.org/browser/tags/OpenDNSSEC-1.2.0rc2/signer/src/daemon/engine.c?rev=4219#L955

- Later then zonefetcher is started.

I think there are no privs left to drop in zone_fetcher.c - they are already 
dropped in engine.c. Therefore I can not bind my sockets, I think.






Am Donnerstag 16 Dezember 2010, 12:07:16 schrieb Markus Lauer:
> Hi Rickard,
> 
> The code is very clear and straight forward.
> 
> I tried trunk again, but unfortunatly ports do not listen...
> 
> Am Donnerstag 16 Dezember 2010, 11:57:07 schrieben Sie:
> > On 16 dec 2010, at 11.42, Rick van Rein wrote:
> > >> Can anyone confirm this is fixed and zonefetcher can be run as
> > >> non-root (while listing on port 53).
> > > 
> > > Non-root processes cannot listen to ports < 1024 on UNIX systems.
> > 
> > It first binds to the socket:
> > http://trac.opendnssec.org/browser/trunk/OpenDNSSEC/signer/src/tools/zone
> > _f etcher.c#L1425
> > 
> > Then drop privileges:
> > http://trac.opendnssec.org/browser/trunk/OpenDNSSEC/signer/src/tools/zone
> > _f etcher.c#L1438
> > 
> > The process must be started with root privileges and will then drop to
> > the user / group specified in conf.xml
> > 
> > // Rickard
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user




More information about the Opendnssec-user mailing list