fabbde3ece
the jail case specifically. In case we find a proper pre-seeded devfs in the chroot path (mounted from the base system) permit starting chrooted else give proper warn/error messages. PR: conf/103489 Reviewed by: dougb MFC after: 5 days
174 lines
4.3 KiB
Bash
Executable File
174 lines
4.3 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# $FreeBSD$
|
|
#
|
|
|
|
# PROVIDE: named
|
|
# REQUIRE: SERVERS cleanvar
|
|
# KEYWORD: shutdown
|
|
|
|
. /etc/rc.subr
|
|
|
|
name="named"
|
|
rcvar=named_enable
|
|
|
|
command="/usr/sbin/named"
|
|
extra_commands="reload"
|
|
|
|
start_precmd="named_precmd"
|
|
start_postcmd="make_symlinks"
|
|
reload_cmd="named_reload"
|
|
stop_cmd="named_stop"
|
|
stop_postcmd="named_poststop"
|
|
|
|
# If running in a chroot cage, ensure that the appropriate files
|
|
# exist inside the cage, as well as helper symlinks into the cage
|
|
# from outside.
|
|
#
|
|
# As this is called after the is_running and required_dir checks
|
|
# are made in run_rc_command(), we can safely assume ${named_chrootdir}
|
|
# exists and named isn't running at this point (unless forcestart
|
|
# is used).
|
|
#
|
|
chroot_autoupdate()
|
|
{
|
|
local file
|
|
|
|
# Create (or update) the chroot directory structure
|
|
#
|
|
if [ -r /etc/mtree/BIND.chroot.dist ]; then
|
|
mtree -deU -f /etc/mtree/BIND.chroot.dist \
|
|
-p ${named_chrootdir}
|
|
else
|
|
warn "/etc/mtree/BIND.chroot.dist missing,"
|
|
warn "chroot directory structure not updated"
|
|
fi
|
|
|
|
# Create /etc/namedb symlink
|
|
#
|
|
if [ ! -L /etc/namedb ]; then
|
|
if [ -d /etc/namedb ]; then
|
|
warn "named chroot: /etc/namedb is a directory!"
|
|
elif [ -e /etc/namedb ]; then
|
|
warn "named chroot: /etc/namedb exists!"
|
|
else
|
|
ln -s ${named_chrootdir}/etc/namedb /etc/namedb
|
|
fi
|
|
else
|
|
# Make sure it points to the right place.
|
|
ln -shf ${named_chrootdir}/etc/namedb /etc/namedb
|
|
fi
|
|
|
|
# Mount a devfs in the chroot directory if needed
|
|
#
|
|
if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
|
|
umount ${named_chrootdir}/dev 2>/dev/null
|
|
devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
|
|
devfs -m ${named_chrootdir}/dev rule apply path null unhide
|
|
devfs -m ${named_chrootdir}/dev rule apply path random unhide
|
|
else
|
|
if [ -c ${named_chrootdir}/dev/null -a \
|
|
-c ${named_chrootdir}/dev/random ]; then
|
|
info "named chroot: using pre-mounted devfs."
|
|
else
|
|
err 1 "named chroot: devfs cannot be mounted from" \
|
|
"within a jail. Thus a chrooted named cannot" \
|
|
"be run from within a jail." \
|
|
"To run named without chrooting it, set" \
|
|
"named_chrootdir=\"\" in /etc/rc.conf."
|
|
fi
|
|
fi
|
|
|
|
# Copy and/or update key files to the chroot /etc
|
|
#
|
|
for file in localtime protocols services; do
|
|
if [ -r /etc/$file ]; then
|
|
cmp -s /etc/$file "${named_chrootdir}/etc/$file" ||
|
|
cp -p /etc/$file "${named_chrootdir}/etc/$file"
|
|
fi
|
|
done
|
|
}
|
|
|
|
# Make symlinks to the correct pid file
|
|
#
|
|
make_symlinks()
|
|
{
|
|
checkyesno named_symlink_enable &&
|
|
ln -fs "${named_chrootdir}${pidfile}" ${pidfile}
|
|
}
|
|
|
|
named_reload()
|
|
{
|
|
${command%/named}/rndc reload
|
|
}
|
|
|
|
named_stop()
|
|
{
|
|
# This duplicates an undesirably large amount of code from the stop
|
|
# routine in rc.subr in order to use rndc to shut down the process,
|
|
# and to give it a second chance in case rndc fails.
|
|
rc_pid=$(check_pidfile $pidfile $command)
|
|
if [ -z "$rc_pid" ]; then
|
|
[ -n "$rc_fast" ] && return 0
|
|
_run_rc_notrunning
|
|
return 1
|
|
fi
|
|
echo 'Stopping named.'
|
|
if ${command%/named}/rndc stop 2>/dev/null; then
|
|
wait_for_pids $rc_pid
|
|
else
|
|
echo -n 'rndc failed, trying kill: '
|
|
kill -TERM $rc_pid
|
|
wait_for_pids $rc_pid
|
|
fi
|
|
}
|
|
|
|
named_poststop()
|
|
{
|
|
if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
|
|
if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
|
|
umount ${named_chrootdir}/dev 2>/dev/null || true
|
|
else
|
|
warn "named chroot:" \
|
|
"cannot unmount devfs from inside jail!"
|
|
fi
|
|
fi
|
|
}
|
|
|
|
named_precmd()
|
|
{
|
|
# Is the user using a sandbox?
|
|
#
|
|
if [ -n "$named_chrootdir" ]; then
|
|
rc_flags="$rc_flags -t $named_chrootdir"
|
|
checkyesno named_chroot_autoupdate && chroot_autoupdate
|
|
else
|
|
named_symlink_enable=NO
|
|
fi
|
|
|
|
# Create an rndc.key file for the user if none exists
|
|
#
|
|
if [ -s "${named_chrootdir}/etc/namedb/rndc.conf" ]; then
|
|
return 0
|
|
fi
|
|
confgen_command="${command%/named}/rndc-confgen -a -b256 -u $named_uid \
|
|
-c ${named_chrootdir}/etc/namedb/rndc.key"
|
|
if [ -s "${named_chrootdir}/etc/namedb/rndc.key" ]; then
|
|
case `stat -f%Su ${named_chrootdir}/etc/namedb/rndc.key` in
|
|
root|$named_uid) ;;
|
|
*) $confgen_command ;;
|
|
esac
|
|
else
|
|
$confgen_command
|
|
fi
|
|
}
|
|
|
|
load_rc_config $name
|
|
# Updating the following variables requires that rc.conf be loaded first
|
|
#
|
|
required_dirs="$named_chrootdir" # if it is set, it must exist
|
|
pidfile="${named_pidfile:-/var/run/named/pid}"
|
|
command_args="-u ${named_uid:=root}"
|
|
|
|
run_rc_command "$1"
|