[grsec] regression wrt bind9 / getifaddrs
Cyril Chaboisseau
cyril.chaboisseau at free.fr
Thu Sep 3 19:26:45 EDT 2009
Hi,
I just wanted to share a bug in grsec introduced right after 2.6.30.4
that was just corrected (maybe this mail could help others to sort it
out as there is no other reference to it from the forums or Google).
There seems to have been a regression in grsec
2.1.14-2.6.30.5-200908252105 that has just been reverted with version
released 2 days ago : 2.1.14-2.6.30.5-200909021910
the bug had the following symptoms on bind9/named :
when launched from a non-privileged account (user 'bind' in my case),
named was not able to bind port 53 on the IPv4 address (neither tcp nor
udp) but could bind on port 953 for rndc as well as 53 on imy IPv6
interfaces.
here is the log:
named[9080]: loading configuration from '/etc/bind/named.conf'
named[9080]: using default UDP/IPv4 port range: [1024, 65535]
named[9080]: using default UDP/IPv6 port range: [1024, 65535]
named[9080]: ifiter_getifaddrs.c:85: unexpected error:
named[9080]: getting interface addresses: getifaddrs: Operation not permitted
named[9080]: not listening on any interfaces
nevertheless, I could succeed launching named from the root account
The culprit was some extra tests on GRKERNSEC_PROC_USER and USERGROUP in
function cap_netlink_send()
Apparently, no other programs / daemon seemed to have suffered from this
bug which was a bit weird.
Thanks for your hard work on grsecurity
--
Cyril Chaboisseau
More information about the grsecurity
mailing list