[Opendnssec-user] zone fetcher can't bind udp/ipv4 socket: Permission denied

Markus Lauer mlauer at key-systems.net
Thu Dec 16 11:52:07 UTC 2010


I read some code and found:

inside engine_start in engine.c:

http://trac.opendnssec.org/browser/tags/OpenDNSSEC-1.2.0rc2/signer/src/daemon/engine.c?rev=4219#L932

- here engine_setup is called, which drops privs (engine_privdrop)

http://trac.opendnssec.org/browser/tags/OpenDNSSEC-1.2.0rc2/signer/src/daemon/engine.c?rev=4219#L955

- Later, zonefetcher is started.

I think there are no privs left to drop in zone_fetcher.c - they are already 
dropped in engine.c. Therefore I cannot bind my sockets, I think.

On Thursday, 16 December 2010, 12:07:16, Markus Lauer wrote:
> Hi Rickard,
> 
> The code is very clear and straight forward.
> 
> I tried trunk again, but unfortunately ports do not listen...
> 
> On Thursday, 16 December 2010, 11:57:07, you wrote:
> > On 16 dec 2010, at 11.42, Rick van Rein wrote:
> > >> Can anyone confirm this is fixed and zonefetcher can be run as
> > >> non-root (while listening on port 53).
> > > 
> > > Non-root processes cannot listen to ports < 1024 on UNIX systems.
> > 
> > It first binds to the socket:
> > http://trac.opendnssec.org/browser/trunk/OpenDNSSEC/signer/src/tools/zone_fetcher.c#L1425
> > 
> > Then drop privileges:
> > http://trac.opendnssec.org/browser/trunk/OpenDNSSEC/signer/src/tools/zone_fetcher.c#L1438
> > 
> > The process must be started with root privileges and will then drop to
> > the user / group specified in conf.xml
> > 
> > // Rickard
> 
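As an added illustration (not OpenDNSSEC's own code), this C program shows the ordering Rickard describes for zone_fetcher.c: bind udp/53 while still root, then drop to an unprivileged user and group. The names "nobody"/"nogroup" are placeholders standing in for whatever conf.xml would specify. Running the two steps in the opposite order, as the thread reports engine.c effectively does, makes the bind fail with EACCES.

```c
/* Added example: bind-before-privdrop ordering. Not OpenDNSSEC code;
 * "nobody"/"nogroup" are placeholder names, not values from conf.xml. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Ports below 1024 are privileged on Unix; unprivileged binds get EACCES. */
int port_is_privileged(int port) { return port > 0 && port < 1024; }
/* Create a UDP/IPv4 socket bound to addr:port. Returns the fd, or -errno. */
int bind_udp4(const char *addr, int port) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -errno;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) { close(fd); return -EINVAL; }
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int e = errno; close(fd); return -e;
    }
    return fd;
}
/* Drop root to user/group permanently. Call only AFTER every privileged bind. */
int drop_privileges(const char *user, const char *group) {
    struct passwd *pw = getpwnam(user);
    struct group *gr = getgrnam(group);
    if (!pw || !gr) return -ENOENT;
    if (setgroups(0, NULL) < 0) return -errno; /* supplementary groups too */
    if (setgid(gr->gr_gid) < 0) return -errno; /* gid first, while still root */
    if (setuid(pw->pw_uid) < 0) return -errno;
    if (setuid(0) == 0) return -EPERM;          /* the drop must be irreversible */
    return 0;
}
int main(void) {
    int fd = bind_udp4("0.0.0.0", 53);             /* step 1: bind while root */
    if (fd < 0) { fprintf(stderr, "bind: %s\n", strerror(-fd)); return 1; }
    int rc = drop_privileges("nobody", "nogroup"); /* step 2: then drop privs */
    if (rc < 0) { fprintf(stderr, "privdrop: %s\n", strerror(-rc)); return 1; }
    printf("listening on udp/53 as uid %u\n", (unsigned)getuid());
    close(fd);
    return 0;
}
```

Run as root to see the bind succeed and the uid change; started unprivileged, step 1 already fails with "Permission denied", the same error the subject line reports.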