Re: problem running named in non 0 rdomain

2012-01-03 Thread Russell Garrison
On Sun, Jan 1, 2012 at 5:40 PM, Stuart Henderson s...@spacehopper.org wrote:

 I'm pretty sure the child will be inheriting the rdomain from the process
 which forked it.


I can offer the anecdote that when I ran sshd using the route -exec
wrapper my child session would exist in whatever rdomain was hosting
the daemon. Ended up backing away from this approach and sticking with
pf rules, so I didn't have sshd parent processes littering my machine.
I'll assume you don't want to use pf to land queries on the daemon, so
the next question is did you try creating a loopback address in the
non-zero rdomain to get the control port you need?



Re: problem running named in non 0 rdomain

2012-01-03 Thread Pete Vickers
On 1. jan. 2012, at 23.40, Stuart Henderson wrote:

 On 2012-01-01, Pete Vickers p...@systemnet.no wrote:
 snippet from /etc/named-gn.conf :
 controls {
   inet 10.20.30.2 port 954 allow {10.20.30.2;} keys {rndc-key;};
 };

 then it also fails and complains thus:

 Jan  1 09:01:49 ns0 named[8504]: [child]: disallowed port 954
 Jan  1 09:01:49 ns0 named[8504]: /etc/named-gn.conf:19: couldn't add command channel 10.20.30.2#954: permission denied
 Jan  1 09:01:49 ns0 named[8504]: running

 So I guess that named's (unprivileged?) child does not honour (inherit?) the
 parent's rdomain, and thus cannot bind to either rdomain '0' or '1',
 successfully ?

 The child process only allows binding to ports 53/953/921, see
 usr.sbin/bind/lib/isc/unix/privsep.c line 190.

 I'm pretty sure the child will be inheriting the rdomain from the process
 which forked it.


ahh. Indeed. Once I used an approved port, it appears happy even in the
non-default table:

root@ns0 ~ # route -T 1 exec rndc -s 10.20.30.2 status
number of zones: 3
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running


thanks for the clue.

/Pete
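The root cause in this thread is a control port (954) that the OpenBSD bind privsep child refuses to bind, since it only allows 53, 953 and 921 as Stuart points out. The script below is an added example, not code from the thread or from OpenBSD's bind, that checks the port of each "inet" statement in a named.conf controls block against that allow list before the daemon is restarted. The allowed port list is the one stated in Stuart's reply; the sample configuration is constructed to mirror Pete's snippet, and the awk parser is a deliberate simplification that expects one inet statement per line and treats a missing "port" as the rndc default of 953.

```shell
#!/bin/sh
# Added example (not from the thread): lint the "controls { inet ... }"
# stanza of a named.conf against the ports the OpenBSD bind privsep child
# is permitted to bind (53, 953, 921, per Stuart's reply in this thread).

# Constructed sample config, mirroring the snippet from the thread.
SAMPLE_CONF='options { directory "/var/named"; };
controls {
    inet 10.20.30.2 port 954 allow {10.20.30.2;} keys {rndc-key;};
};'

# Print the port of every "inet ..." statement inside controls { ... }.
# Reads the config on stdin; an inet line without "port N" defaults to 953.
control_ports() {
    awk '
        /^[[:space:]]*controls[[:space:]]*[{]/ { inblock = 1; next }
        inblock && /^[[:space:]]*[}][[:space:]]*;/ { inblock = 0; next }
        inblock && /inet[[:space:]]/ {
            port = 953
            for (i = 1; i <= NF; i++) if ($i == "port") port = $(i + 1)
            sub(/;$/, "", port)
            print port
        }
    '
}

# Return 0 if every control port is in the privsep allow list, 1 otherwise.
# Reads the config on stdin.
check_control_ports() {
    rc=0
    for p in $(control_ports); do
        case "$p" in
            53|953|921)
                echo "port $p: allowed by the named privsep child" ;;
            *)
                echo "port $p: not in the privsep allow list (53/953/921);" \
                     "named will log 'disallowed port' and refuse the channel" >&2
                rc=1 ;;
        esac
    done
    return $rc
}

# Usage: run the check over the constructed sample (exits 1 for port 954).
printf '%s\n' "$SAMPLE_CONF" | check_control_ports
```

To check a real file, replace the printf with `check_control_ports < /etc/named-gn.conf`; a non-zero exit means named's child will reject the channel regardless of which rdomain the parent was started in.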



Re: problem running named in non 0 rdomain

2012-01-01 Thread Stuart Henderson
On 2012-01-01, Pete Vickers p...@systemnet.no wrote:
 snippet from /etc/named-gn.conf :
 controls {
inet 10.20.30.2 port 954 allow {10.20.30.2;} keys {rndc-key;};
 };

 then it also fails and complains thus:

 Jan  1 09:01:49 ns0 named[8504]: [child]: disallowed port 954
 Jan  1 09:01:49 ns0 named[8504]: /etc/named-gn.conf:19: couldn't add command
 channel 10.20.30.2#954: permission denied
 Jan  1 09:01:49 ns0 named[8504]: running

 So I guess that named's (unprivileged?) child does not honour (inherit?) the
 parent's rdomain, and thus cannot bind to either rdomain '0' or '1',
 successfully ?

The child process only allows binding to ports 53/953/921, see
usr.sbin/bind/lib/isc/unix/privsep.c line 190.

I'm pretty sure the child will be inheriting the rdomain from the process
which forked it.