d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Create a named chroot directory structure in /var/named, and use it

Browse Source 
by default when named is enabled. Also, improve our default directory
layout by creating /var/named/etc/namedb/{master|slave} directories,
and use the former for the generated localhost* files.

Rather than using pax to copy device entries, mount devfs in the
chroot directory.

There may be some corner cases where things need to be adjusted,
but overall this structure has been well tested on a production
network, and should serve the needs of the vast majority of users.

UPDATING has instructions on how to do the conversion for those
with existing configurations.
This commit is contained in:
dougb 2004-09-28 09:46:00 +00:00
parent bda38e6727
commit 8ab73bd19f
9 changed files with 85 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
UPDATING
View File

@ -23,6 +23,33 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 6.x IS SLOW:
developers choose to disable these features on build machines
to maximize performance.
20040928:
If enabled, the default is now to run named in a chroot
"sandbox." For users with existing configurations in
/etc/namedb the migration should be simple. Upgrade your
world as usual, then after installworld but before
mergemaster do the following:
If named is running: /etc/rc.d/named stop
cd /etc
mv namedb namedb.bak
mkdir -p /var/named/etc/namedb
cp -Rp namedb.bak/* /var/named/etc/namedb/
mergemaster (with your usual options)
If using the generated localhost* files:
cd /var/named/etc/namedb
/bin/sh make-localhost
rm -f localhost-v6.rev localhost.rev
/etc/rc.d/named start
If you are using a custom configuration, or if you have
customised the named_* variables in /etc/rc.conf[.local]
then you may have to adjust the instructions accordingly.
It is suggested that you carefully examine the new named
variables in /etc/defaults/rc.conf and the options in
/var/named/etc/namedb/named.conf to see if they might
now be more suitable.
20040925:
BIND 9 has been imported into the base, and is now fully
functional. BIND 8 has now been removed. There are numerous

13
etc/Makefile
View File

@ -179,12 +179,17 @@ distrib-dirs:
mtree -eU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.usr.dist -p ${DESTDIR}/usr
mtree -eU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.include.dist \
-p ${DESTDIR}/usr/include
.if !defined(NO_SENDMAIL)
mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/
.endif
.if defined(WITH_BIND_LIBS) && !defined(NO_BIND)
.if !defined(NO_BIND)
.if defined(WITH_BIND_LIBS)
mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BIND.include.dist \
-p ${DESTDIR}/usr/include
.endif
mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BIND.chroot.dist \
-p ${DESTDIR}/var/named
ln -s ${DESTDIR}/var/named/etc/namedb ${DESTDIR}/etc/namedb
.endif
.if !defined(NO_SENDMAIL)
mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/
.endif
cd ${DESTDIR}/; rm -f ${DESTDIR}/sys; ln -s usr/src/sys sys
cd ${DESTDIR}/usr/share/man/en.ISO8859-1; ln -sf ../man* .

2
etc/defaults/rc.conf
View File

@ -164,7 +164,7 @@ named_enable="NO" # Run named, the DNS server (or NO).
named_program="/usr/sbin/named" # path to named, if you want a different one.
named_flags="-u bind" # Flags for named
named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
named_chrootdir="" # Chroot directory (or "" not to auto-chroot it)
named_chrootdir="/var/named" # Chroot directory (or "" not to auto-chroot it)
named_chroot_autoupdate="YES" # Automatically install/update chrooted
# components of named. See /etc/rc.d/named.
named_symlink_enable="YES" # Symlink the chrooted pid file

9
etc/mtree/BIND.chroot.dist
View File

@ -5,16 +5,13 @@
/set type=dir uname=root gname=wheel mode=0755
.
dev
dev mode=0555
..
etc
/set type=dir uname=bind gname=wheel mode=0755
namedb
/set type=dir uname=root gname=wheel mode=0755
namedb uname=bind
master
..
/set type=dir uname=bind gname=wheel mode=0755
slave
slave uname=bind
..
..
..

4
etc/mtree/BSD.root.dist
View File

@ -32,10 +32,6 @@
..
mtree
..
namedb
s uname=bind gname=bind mode=0750
..
..
ntp mode=0700
..
pam.d

2
etc/mtree/BSD.var.dist
View File

@ -47,6 +47,8 @@
..
msgs uname=daemon
..
named uname=root
..
preserve
..
run

10
etc/namedb/make-localhost
View File

@ -32,16 +32,18 @@ fi
date=`date +"%Y%m%d"`
mv -f localhost-v6.rev localhost-v6.rev.BAK 2>/dev/null
mkdir -p master
mv -f master/localhost-v6.rev master/localhost-v6.rev.BAK 2>/dev/null
sed -e "s/@host@/$fullhost/g" \
-e "s/@domain@/$domain/g" \
-e "s/@date@/$date/g" \
< PROTO.localhost-v6.rev > localhost-v6.rev
< PROTO.localhost-v6.rev > master/localhost-v6.rev
mv -f localhost.rev localhost.rev.BAK 2>/dev/null
mv -f master/localhost.rev master/localhost.rev.BAK 2>/dev/null
exec sed -e "s/@host@/$fullhost/g" \
-e "s/@domain@/$domain/g" \
-e "s/@date@/$date/g" \
< PROTO.localhost.rev > localhost.rev
< PROTO.localhost.rev > master/localhost.rev

11
etc/namedb/named.conf
View File

@ -7,8 +7,9 @@
// or cause huge amounts of useless Internet traffic.
options {
directory "/etc/namedb";
pid-file "/var/run/named/pid";
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
@ -63,19 +64,19 @@ zone "." {
zone "0.0.127.IN-ADDR.ARPA" {
type master;
file "localhost.rev";
file "master/localhost.rev";
};
// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
type master;
file "localhost-v6.rev";
file "master/localhost-v6.rev";
};
// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
type master;
file "localhost-v6.rev";
file "master/localhost-v6.rev";
};
// NB: Do not use the IP addresses below, they are faked, and only

42
etc/rc.d/named
View File

@ -29,19 +29,37 @@ extra_commands="reload"
#
chroot_autoupdate()
{
# Copy devices if necessary. Preserve everything (perms,
# ownership, mod times).
# Create (or update) the chroot directory structure
#
if [ ! -c "${named_chrootdir}/dev/null" ]; then
rm -f "${named_chrootdir}/dev/null"
( cd /dev ; /bin/pax -rw -pe null "${named_chrootdir}/dev" )
fi
if [ ! -c "${named_chrootdir}/dev/random" ]; then
rm -f "${named_chrootdir}/dev/random"
( cd /dev ; /bin/pax -rw -pe random "${named_chrootdir}/dev" )
if [ -f /etc/mtree/BIND.chroot.dist ]; then
mtree -deU -f /etc/mtree/BIND.chroot.dist \
-p ${named_chrootdir}
else
warn "/etc/mtree/BIND.chroot.dist missing,"
warn "chroot directory structure not updated"
fi
# Copy local timezone information if it's not up-to-date.
# Create /etc/namedb symlink
#
if [ ! -L /etc/namedb ]; then
if [ -d /etc/namedb ]; then
warn "named chroot: /etc/namedb is a directory!"
elif [ -e /etc/namedb ]; then
warn "named chroot: /etc/namedb exists!"
else
ln -s ${named_chrootdir}/etc/namedb /etc/namedb
fi
fi
# Mount a devfs in the chroot directory if needed
#
if [ ! -c ${named_chrootdir}/dev/random -o \
! -c ${named_chrootdir}/dev/null ]; then
umount ${named_chrootdir}/dev 2>/dev/null
mount_devfs devfs ${named_chrootdir}/dev
fi
# Copy local timezone information if it is not up to date.
#
if [ -f /etc/localtime ]; then
cmp -s /etc/localtime "${named_chrootdir}/etc/localtime" || \
@ -62,15 +80,17 @@ named_precmd()
local confgen_chroot
# Is the user using a sandbox?
#
if [ -n "$named_chrootdir" ]; then
rc_flags="$rc_flags -t $named_chrootdir"
confgen_chroot="-t${named_chrootdir}"
confgen_chroot="-t${named_chrootdir} -u bind"
checkyesno named_chroot_autoupdate && chroot_autoupdate
else
named_symlink_enable=NO
fi
# Create an rndc.key file for the user if none exists
#
if [ ! -f "${named_chrootdir}/etc/namedb/rndc.key" -a \
! -f "${named_chrootdir}/etc/namedb/rndc.conf" ]; then
rndc-confgen -a -b256 ${confgen_chroot}