| author | 2004-03-12 18:40:15 +0000 | |
|---|---|---|
| committer | 2004-03-12 18:40:15 +0000 | |
| commit | e2616d2c857d44918f2eb365b2554019136b02bb (patch) | |
| tree | d7f3fac3ba612808903e97d0d738a51376edffc6 /usr.sbin/bind/lib/isc/unix/socket.c | |
| parent | Regen (diff) | |
| download | wireguard-openbsd-e2616d2c857d44918f2eb365b2554019136b02bb.tar.xz wireguard-openbsd-e2616d2c857d44918f2eb365b2554019136b02bb.zip | |
Privilege separation for named. Allows named to handle address/interface
changes without restart. If you use non-standard ports in named configuration
make sure they are > 1024. Also /var/named/etc/rndc.key (if any) must be
readable by group named.
Initial work and testing by itojun@, jakob@, hints, help from henning@,
avsm@, beck@. ok henning, beck, avsm, deraadt
Diffstat (limited to 'usr.sbin/bind/lib/isc/unix/socket.c')
| -rw-r--r-- | usr.sbin/bind/lib/isc/unix/socket.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/usr.sbin/bind/lib/isc/unix/socket.c b/usr.sbin/bind/lib/isc/unix/socket.c
index ec0bd2cd8f1..3cfc215e735 100644
--- a/usr.sbin/bind/lib/isc/unix/socket.c
+++ b/usr.sbin/bind/lib/isc/unix/socket.c
@@ -44,6 +44,7 @@
 #include <isc/net.h>
 #include <isc/platform.h>
 #include <isc/print.h>
+#include <isc/privsep.h>
 #include <isc/region.h>
 #include <isc/socket.h>
 #include <isc/strerror.h>
@@ -229,6 +230,8 @@ struct isc_socketmgr {
 static isc_socketmgr_t *socketmgr = NULL;
 #endif /* ISC_PLATFORM_USETHREADS */
 
+static int privsep = 0;
+
 #define CLOSED 0 /* this one must be zero */
 #define MANAGED 1
 #define CLOSE_PENDING 2
@@ -2800,7 +2803,9 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
 ISC_MSG_FAILED, "failed"));
 /* Press on... */
 }
- if (bind(sock->fd, &sockaddr->type.sa, sockaddr->length) < 0) {
+ if ((privsep ?
+ isc_priv_bind(sock->fd, &sockaddr->type.sa, sockaddr->length) :
+ bind(sock->fd, &sockaddr->type.sa, sockaddr->length)) < 0) {
 UNLOCK(&sock->lock);
 switch (errno) {
 case EACCES:
@@ -2827,6 +2832,12 @@ isc_socket_bind(isc_socket_t *sock, isc_sockaddr_t *sockaddr) {
 return (ISC_R_SUCCESS);
 }
 
+isc_result_t
+isc_socket_privsep(int flag) {
+ privsep = flag;
+ return (ISC_R_SUCCESS);
+}
+
 /*
 * Set up to listen on a given socket. We do this by creating an internal
 * event that will be dispatched when the socket has read activity. The
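Review bot: In the isc_socket_bind hunk the existing `switch (errno)` right after the new conditional assumes isc_priv_bind() fails with errno set exactly as bind(2) would; if the privileged bind is carried out by the parent process, the helper must copy the remote errno back before returning -1, otherwise EACCES and EADDRINUSE are reported as a generic failure (isc_socket_bind starts and ends outside the hunk, so the helper's contract cannot be checked here). The new isc_socket_privsep() in the last hunk writes the file-scope `privsep` flag that isc_socket_bind reads with no lock, and it is undocumented; a comment such as `/* Select whether bind(2) is issued directly or via the privileged parent. Must be called once before any socket is bound; not safe to toggle concurrently with isc_socket_bind(). */` above it would make the intended call order explicit. It would also be worth stating there that the flag only chooses who performs the bind and does not itself drop privileges, so callers do not mistake it for the separation step.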
