1. Remove the named_rcng variable. Mike's caution in this area was a good
thing, but we're ready to move on. 2. Remove the -g default argument in named_flags. It doesn't actually do what most users think it does, and what most users want it to do is already accomplished with a proper default group for the bind user, which we have. Also, the -g knob does something entirely different in BIND 9, which leads to a lot of needless confusion/aggravation. 3. In the rc.d script, don't bogusly override $command, or $rc_flags. Both are adequately handled in rc.conf[.local]. 4. DO properly override $rc_flags if user has named_chrootdir set. This may need to be revisited, but should be ok for now. 5. Protect all chrootdir-related bits under that variable, instead of named_rcng. There is more work to be done here, especially in the area of BIND 9 compatibility, but this is a start at least. Prompted in part by (legitmate) grousing from: kuriyama, Randy Bush
This commit is contained in:
parent
4984053548
commit
454914fc9f
@ -145,12 +145,9 @@ inetd_flags="-wW -C 60" # Optional flags to inetd
|
||||
# named. It may be possible to run named in a sandbox, man security for
|
||||
# details.
|
||||
#
|
||||
named_rcng="NO" # XXX Temporary. Enable to use new rc
|
||||
# functionality in support of named. See
|
||||
# variables below.
|
||||
named_enable="NO" # Run named, the DNS server (or NO).
|
||||
named_program="/usr/sbin/named" # path to named, if you want a different one.
|
||||
named_flags="-u bind -g bind" # Flags for named
|
||||
named_flags="-u bind" # Flags for named
|
||||
named_pidfile="/var/run/named/pid" # Pid file
|
||||
named_chrootdir="" # Chroot directory (or "" not to auto-chroot it)
|
||||
named_chroot_autoupdate="YES" # Automatically install/update chrooted
|
||||
|
@ -13,12 +13,9 @@
|
||||
|
||||
name="named"
|
||||
rcvar=`set_rcvar`
|
||||
command="/usr/sbin/${name}"
|
||||
start_precmd="named_precmd"
|
||||
required_dirs="$named_chrootdir" # if it is set, it must exist
|
||||
extra_commands="reload"
|
||||
nuser=bind
|
||||
ngroup=bind
|
||||
|
||||
# If running in a chroot cage, ensure that the appropriate files
|
||||
# exist inside the cage, as well as helper symlinks into the cage
|
||||
@ -64,28 +61,16 @@ make_symlinks()
|
||||
{
|
||||
ln -fs "${named_chrootdir}${named_pidfile}" ${named_pidfile}
|
||||
ln -fs "${named_chrootdir}/var/run/ndc" /var/run/ndc
|
||||
|
||||
}
|
||||
|
||||
named_precmd()
|
||||
{
|
||||
! checkyesno named_rcng && return 0
|
||||
# Is the user using a sandbox?
|
||||
if [ -z "$named_chrootdir" ]; then
|
||||
rc_flags="-u $nuser -g $ngroup $rc_flags"
|
||||
return 0
|
||||
if [ -n "$named_chrootdir" ]; then
|
||||
rc_flags="$rc_flags -t $named_chrootdir"
|
||||
checkyesno named_chroot_autoupdate && chroot_autoupdate
|
||||
checkyesno named_symlink_enable && make_symlinks
|
||||
fi
|
||||
|
||||
# Do the following checks only if the user wants them done
|
||||
checkyesno named_chroot_autoupdate && chroot_autoupdate
|
||||
|
||||
# Make the symlinks only if the user wants them done.
|
||||
checkyesno named_symlink_enable && make_symlinks
|
||||
|
||||
# Change run_rc_commands()'s internal copy of $named_flags
|
||||
#
|
||||
! checkyesno named_rcng && return
|
||||
rc_flags="-u $nuser -g $ngroup -t ${named_chrootdir} $rc_flags"
|
||||
}
|
||||
|
||||
load_rc_config $name
|
||||
|
@ -1027,18 +1027,6 @@ is set to
|
||||
.Dq Li YES ,
|
||||
these are the flags to pass to
|
||||
.Xr inetd 8 .
|
||||
.It Va named_rcng
|
||||
.Pq Vt bool
|
||||
If set to
|
||||
.Dq Li YES
|
||||
use new functionality provided in the
|
||||
.Pa /etc/rc.d/named
|
||||
script to facilitate a
|
||||
.Xr chroot 8
|
||||
instance of
|
||||
.Xr named 8 .
|
||||
This variable is experimental.
|
||||
It may be removed or changed in the near future.
|
||||
.It Va named_enable
|
||||
.Pq Vt bool
|
||||
If set to
|
||||
|
Loading…
x
Reference in New Issue
Block a user