mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-24 10:21:10 -05:00
18 lines
922 B
Text
Q: Why doesn't -u work on Linux 2.2.x?

A: Linux threads do not fully implement the POSIX threads (pthreads) standard.
In particular, setuid() operates only on the current thread, not the full
process. Because of this limitation, BIND 9 cannot use setuid() on Linux as it
can on all other supported platforms. setuid() cannot be called before
creating threads, since the server does not start listening on reserved ports
until after threads have started.

In the 2.3.99-pre3 and newer kernels, the ability to preserve capabilities
across a setuid() call is present (prctl(PR_SET_KEEPCAPS)). This allows BIND 9
to call setuid() early, while retaining the ability to bind reserved ports
(CAP_NET_BIND_SERVICE). This is a Linux-specific hack.

On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
of a security risk than a root process that has not dropped privileges.

If Linux threads ever work correctly, this restriction will go away. (With
the NPTL implementation in later glibc releases, setuid() is propagated to
every thread of the process, so this no longer applies on current systems.)
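The sequence the answer alludes to, as an added illustration (not BIND 9 source, and not how named itself is structured): raise PR_SET_KEEPCAPS, change uid/gid, then use capset() to keep only CAP_NET_BIND_SERVICE so the process can still bind port 53. The user name "nobody", the port-53 probe and the helper names (drop_privileges_keep_bind, has_effective_cap, try_bind_port) are assumptions made for the example. Linux only.

```c
/* keepcaps.c: setuid() away from root but keep CAP_NET_BIND_SERVICE via the
 * Linux-only PR_SET_KEEPCAPS mechanism. Added illustration, not BIND 9 code.
 * Build: cc -Wall -o keepcaps keepcaps.c    Run: sudo ./keepcaps nobody */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <linux/capability.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef CAP_TO_INDEX            /* normally provided by linux/capability.h */
#define CAP_TO_INDEX(x) ((x) >> 5)
#define CAP_TO_MASK(x)  (1U << ((x) & 31))
#endif

/* 1 if `cap` is in this thread's effective set, else 0 (raw syscall, no libcap). */
int has_effective_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) < 0)
        return 0;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}

/* Change to uid/gid, keeping only CAP_NET_BIND_SERVICE. Order matters:
 *  1. PR_SET_KEEPCAPS: otherwise the 0 -> non-zero uid change empties the
 *     permitted set and the capability cannot be recovered afterwards.
 *  2. setgroups/setgid/setuid: the real privilege drop. Even with KEEPCAPS
 *     the kernel clears the *effective* set here.
 *  3. capset(): raise CAP_NET_BIND_SERVICE back into effective and shrink
 *     permitted to that single bit, so nothing else survives.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges_keep_bind(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    unsigned idx = CAP_TO_INDEX(CAP_NET_BIND_SERVICE);
    unsigned mask = CAP_TO_MASK(CAP_NET_BIND_SERVICE), keep;

    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0)
        return -1;
    /* only root may clear supplementary groups; skip if already unprivileged */
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)   /* only needed for the switch */
        return -1;
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -1;
    keep = data[idx].permitted & mask;            /* 0 if we never held it */
    memset(data, 0, sizeof data);
    data[idx].permitted = data[idx].effective = keep;
    /* inheritable stays empty: children must not get the bind privilege */
    return syscall(SYS_capset, &hdr, data) < 0 ? -1 : 0;
}

/* Bind a TCP socket to 127.0.0.1:port and close it; 0 on success, -1 on failure. */
int try_bind_port(unsigned short port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0), rc;
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    rc = bind(fd, (struct sockaddr *)&sa, sizeof sa);
    close(fd);
    return rc < 0 ? -1 : 0;
}

int main(int argc, char **argv)
{
    struct passwd *pw = argc == 2 ? getpwnam(argv[1]) : NULL;
    int bound;
    if (pw == NULL) {
        fprintf(stderr, "usage: %s <unprivileged-user>\n", argv[0]);
        return 2;
    }
    if (drop_privileges_keep_bind(pw->pw_uid, pw->pw_gid) < 0) {
        perror("drop_privileges_keep_bind");
        return 1;
    }
    bound = try_bind_port(53);   /* reserved port: needs CAP_NET_BIND_SERVICE */
    printf("uid=%u CAP_NET_BIND_SERVICE=%d CAP_SYS_ADMIN=%d bind 127.0.0.1:53 -> %s\n",
           (unsigned)getuid(), has_effective_cap(CAP_NET_BIND_SERVICE),
           has_effective_cap(CAP_SYS_ADMIN), bound == 0 ? "ok" : strerror(errno));
    return 0;
}
```

Run as root with an unprivileged target user to see uid change, CAP_SYS_ADMIN gone, CAP_NET_BIND_SERVICE still effective and the port-53 bind succeed; the same binary started without root simply reports no capabilities and EACCES on port 53. Removing the first prctl() call shows the failure mode the FAQ describes: the capability does not survive setuid() and the reserved-port bind fails.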