From 0a54defb086ff9766dd221df99eaef2c5d9d32e0 Mon Sep 17 00:00:00 2001 From: Doug Barton Date: Sun, 14 Mar 2004 19:10:06 +0000 Subject: [PATCH] 1. Remove the named_rcng variable. Mike's caution in this area was a good thing, but we're ready to move on. 2. Remove the -g default argument in named_flags. It doesn't actually do what most users think it does, and what most users want it to do is already accomplished with a proper default group for the bind user, which we have. Also, the -g knob does something entirely different in BIND 9, which leads to a lot of needless confusion/aggravation. 3. In the rc.d script, don't bogusly override $command, or $rc_flags. Both are adequately handled in rc.conf[.local]. 4. DO properly override $rc_flags if user has named_chrootdir set. This may need to be revisited, but should be ok for now. 5. Protect all chrootdir-related bits under that variable, instead of named_rcng. There is more work to be done here, especially in the area of BIND 9 compatibility, but this is a start at least. Prompted in part by (legitmate) grousing from: kuriyama, Randy Bush --- etc/defaults/rc.conf | 5 +---- etc/rc.d/named | 23 ++++------------------- share/man/man5/rc.conf.5 | 12 ------------ 3 files changed, 5 insertions(+), 35 deletions(-) diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index fe84b8d6c35..d6b76d805c2 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -145,12 +145,9 @@ inetd_flags="-wW -C 60" # Optional flags to inetd # named. It may be possible to run named in a sandbox, man security for # details. # -named_rcng="NO" # XXX Temporary. Enable to use new rc - # functionality in support of named. See - # variables below. named_enable="NO" # Run named, the DNS server (or NO). named_program="/usr/sbin/named" # path to named, if you want a different one. -named_flags="-u bind -g bind" # Flags for named +named_flags="-u bind" # Flags for named named_pidfile="/var/run/named/pid" # Pid file named_chrootdir="" # Chroot directory (or "" not to auto-chroot it) named_chroot_autoupdate="YES" # Automatically install/update chrooted diff --git a/etc/rc.d/named b/etc/rc.d/named index 0d4cb9d4b3e..eb0d4545bca 100755 --- a/etc/rc.d/named +++ b/etc/rc.d/named @@ -13,12 +13,9 @@ name="named" rcvar=`set_rcvar` -command="/usr/sbin/${name}" start_precmd="named_precmd" required_dirs="$named_chrootdir" # if it is set, it must exist extra_commands="reload" -nuser=bind -ngroup=bind # If running in a chroot cage, ensure that the appropriate files # exist inside the cage, as well as helper symlinks into the cage @@ -64,28 +61,16 @@ make_symlinks() { ln -fs "${named_chrootdir}${named_pidfile}" ${named_pidfile} ln -fs "${named_chrootdir}/var/run/ndc" /var/run/ndc - } named_precmd() { - ! checkyesno named_rcng && return 0 # Is the user using a sandbox? - if [ -z "$named_chrootdir" ]; then - rc_flags="-u $nuser -g $ngroup $rc_flags" - return 0 + if [ -n "$named_chrootdir" ]; then + rc_flags="$rc_flags -t $named_chrootdir" + checkyesno named_chroot_autoupdate && chroot_autoupdate + checkyesno named_symlink_enable && make_symlinks fi - - # Do the following checks only if the user wants them done - checkyesno named_chroot_autoupdate && chroot_autoupdate - - # Make the symlinks only if the user wants them done. - checkyesno named_symlink_enable && make_symlinks - - # Change run_rc_commands()'s internal copy of $named_flags - # - ! checkyesno named_rcng && return - rc_flags="-u $nuser -g $ngroup -t ${named_chrootdir} $rc_flags" } load_rc_config $name diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5 index 369585c2a97..658f1d2f525 100644 --- a/share/man/man5/rc.conf.5 +++ b/share/man/man5/rc.conf.5 @@ -1027,18 +1027,6 @@ is set to .Dq Li YES , these are the flags to pass to .Xr inetd 8 . -.It Va named_rcng -.Pq Vt bool -If set to -.Dq Li YES -use new functionality provided in the -.Pa /etc/rc.d/named -script to facilitate a -.Xr chroot 8 -instance of -.Xr named 8 . -This variable is experimental. -It may be removed or changed in the near future. .It Va named_enable .Pq Vt bool If set to