diff --git a/UPDATING b/UPDATING
index 494af0ecf95..3aa2b81856c 100644
--- a/UPDATING
+++ b/UPDATING
@@ -23,6 +23,33 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 6.x IS SLOW:
 developers choose to disable these features on build machines to maximize performance.
+20040928:
+ If enabled, the default is now to run named in a chroot
+ "sandbox." For users with existing configurations in
+ /etc/namedb the migration should be simple. Upgrade your
+ world as usual, then after installworld but before
+ mergemaster do the following:
+
+ If named is running: /etc/rc.d/named stop
+ cd /etc
+ mv namedb namedb.bak
+ mkdir -p /var/named/etc/namedb
+ cp -Rp namedb.bak/* /var/named/etc/namedb/
+ mergemaster (with your usual options)
+ If using the generated localhost* files:
+ cd /var/named/etc/namedb
+ /bin/sh make-localhost
+ rm -f localhost-v6.rev localhost.rev
+ /etc/rc.d/named start
+
+ If you are using a custom configuration, or if you have
+ customised the named_* variables in /etc/rc.conf[.local]
+ then you may have to adjust the instructions accordingly.
+ It is suggested that you carefully examine the new named
+ variables in /etc/defaults/rc.conf and the options in
+ /var/named/etc/namedb/named.conf to see if they might
+ now be more suitable.
+
 20040925:
 BIND 9 has been imported into the base, and is now fully functional. BIND 8 has now been removed. There are numerous
diff --git a/etc/Makefile b/etc/Makefile
index aec71ff77e2..6de36121b2b 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -179,12 +179,17 @@ distrib-dirs:
 mtree -eU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.usr.dist -p ${DESTDIR}/usr
 mtree -eU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.include.dist \
 -p ${DESTDIR}/usr/include
-.if !defined(NO_SENDMAIL)
- mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/
-.endif
-.if defined(WITH_BIND_LIBS) && !defined(NO_BIND)
+.if !defined(NO_BIND)
+.if defined(WITH_BIND_LIBS)
 mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BIND.include.dist \
 -p ${DESTDIR}/usr/include
+.endif
+ mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BIND.chroot.dist \
+ -p ${DESTDIR}/var/named
+ ln -s ${DESTDIR}/var/named/etc/namedb ${DESTDIR}/etc/namedb
+.endif
+.if !defined(NO_SENDMAIL)
+ mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/
 .endif
 cd ${DESTDIR}/; rm -f ${DESTDIR}/sys; ln -s usr/src/sys sys
 cd ${DESTDIR}/usr/share/man/en.ISO8859-1; ln -sf ../man* .
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index b61295820e9..90d341f024e 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -164,7 +164,7 @@ named_enable="NO" # Run named, the DNS server (or NO).
 named_program="/usr/sbin/named" # path to named, if you want a different one.
 named_flags="-u bind" # Flags for named
 named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
-named_chrootdir="" # Chroot directory (or "" not to auto-chroot it)
+named_chrootdir="/var/named" # Chroot directory (or "" not to auto-chroot it)
 named_chroot_autoupdate="YES" # Automatically install/update chrooted
 # components of named. See /etc/rc.d/named.
 named_symlink_enable="YES" # Symlink the chrooted pid file
diff --git a/etc/mtree/BIND.chroot.dist b/etc/mtree/BIND.chroot.dist
index c4662a06de5..510678cb447 100644
--- a/etc/mtree/BIND.chroot.dist
+++ b/etc/mtree/BIND.chroot.dist
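Review bot: `ln -s ${DESTDIR}/var/named/etc/namedb ${DESTDIR}/etc/namedb` in the new NO_BIND block bakes the staging prefix into the link target, so any install with a non-empty DESTDIR (a staged root, a jail, a release build) ends up with an /etc/namedb symlink that points outside the installed tree once that tree is used as /. Express the target without DESTDIR, `ln -s ../var/named/etc/namedb ${DESTDIR}/etc/namedb`. On an upgraded host /etc/namedb is also still a real directory at this point (the UPDATING entry in this commit tells users to move it aside only after installworld), and ln(1) with an existing directory as its last operand creates the link inside that directory instead of failing, so the call should be guarded, e.g. `test -e ${DESTDIR}/etc/namedb || ln -s ../var/named/etc/namedb ${DESTDIR}/etc/namedb`. The distrib-dirs rule starts outside the hunk.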
@@ -5,16 +5,13 @@
 /set type=dir uname=root gname=wheel mode=0755
 .
- dev
+ dev mode=0555
 ..
 etc
-/set type=dir uname=bind gname=wheel mode=0755
- namedb
-/set type=dir uname=root gname=wheel mode=0755
+ namedb uname=bind
 master
 ..
-/set type=dir uname=bind gname=wheel mode=0755
- slave
+ slave uname=bind
 ..
 ..
 ..
diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist
index 93c7046b648..874b13663d2 100644
--- a/etc/mtree/BSD.root.dist
+++ b/etc/mtree/BSD.root.dist
@@ -32,10 +32,6 @@
 ..
 mtree
 ..
- namedb
- s uname=bind gname=bind mode=0750
- ..
- ..
 ntp mode=0700
 ..
 pam.d
diff --git a/etc/mtree/BSD.var.dist b/etc/mtree/BSD.var.dist
index 0293852c834..2b5b37e0136 100644
--- a/etc/mtree/BSD.var.dist
+++ b/etc/mtree/BSD.var.dist
@@ -47,6 +47,8 @@
 ..
 msgs uname=daemon
 ..
+ named uname=root
+ ..
 preserve
 ..
 run
diff --git a/etc/namedb/make-localhost b/etc/namedb/make-localhost
index f3f0b1d20ba..60fbe49441a 100755
--- a/etc/namedb/make-localhost
+++ b/etc/namedb/make-localhost
@@ -32,16 +32,18 @@ fi
 date=`date +"%Y%m%d"`
-mv -f localhost-v6.rev localhost-v6.rev.BAK 2>/dev/null
+mkdir -p master
+
+mv -f master/localhost-v6.rev master/localhost-v6.rev.BAK 2>/dev/null
 sed -e "s/@host@/$fullhost/g" \
 -e "s/@domain@/$domain/g" \
 -e "s/@date@/$date/g" \
- < PROTO.localhost-v6.rev > localhost-v6.rev
+ < PROTO.localhost-v6.rev > master/localhost-v6.rev
-mv -f localhost.rev localhost.rev.BAK 2>/dev/null
+mv -f master/localhost.rev master/localhost.rev.BAK 2>/dev/null
 exec sed -e "s/@host@/$fullhost/g" \
 -e "s/@domain@/$domain/g" \
 -e "s/@date@/$date/g" \
- < PROTO.localhost.rev > localhost.rev
+ < PROTO.localhost.rev > master/localhost.rev
diff --git a/etc/namedb/named.conf b/etc/namedb/named.conf
index 5b7a71847d6..3b45e0c7d31 100644
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@@ -7,8 +7,9 @@
 // or cause huge amounts of useless Internet traffic.
 options {
- directory "/etc/namedb";
- pid-file "/var/run/named/pid";
+ directory "/etc/namedb";
+ pid-file "/var/run/named/pid";
+ dump-file "/var/dump/named_dump.db";
 // In addition to the "forwarders" clause, you can force your name
 // server to never initiate queries of its own, but always ask its
@@ -63,19 +64,19 @@ zone "." {
 zone "0.0.127.IN-ADDR.ARPA" {
 type master;
- file "localhost.rev";
+ file "master/localhost.rev";
 };
 // RFC 3152
 zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
 type master;
- file "localhost-v6.rev";
+ file "master/localhost-v6.rev";
 };
 // RFC 1886 -- deprecated
 zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
 type master;
- file "localhost-v6.rev";
+ file "master/localhost-v6.rev";
 };
 // NB: Do not use the IP addresses below, they are faked, and only
diff --git a/etc/rc.d/named b/etc/rc.d/named
index c915afd1083..514e6c6eb90 100755
--- a/etc/rc.d/named
+++ b/etc/rc.d/named
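Review bot: The new `dump-file "/var/dump/named_dump.db";` is resolved inside the sandbox now that named_chrootdir defaults to /var/named in this commit, i.e. at /var/named/var/dump/, and the part of BIND.chroot.dist visible here only creates dev and etc/namedb/{master,slave}; unless var/dump is created elsewhere in that spec, writing the dump will fail at runtime. Either add a bind-writable var/dump entry to BIND.chroot.dist or point dump-file at a directory the spec already provides. A one-line comment would also save the next reader a trip to rc.conf, e.g. `// All paths below are interpreted relative to the chroot when named_chrootdir is set.` The options block continues outside the hunk.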
@@ -29,19 +29,37 @@ extra_commands="reload"
 #
 chroot_autoupdate() {
- # Copy devices if necessary. Preserve everything (perms,
- # ownership, mod times).
+ # Create (or update) the chroot directory structure
 #
- if [ ! -c "${named_chrootdir}/dev/null" ]; then
- rm -f "${named_chrootdir}/dev/null"
- ( cd /dev ; /bin/pax -rw -pe null "${named_chrootdir}/dev" )
- fi
- if [ ! -c "${named_chrootdir}/dev/random" ]; then
- rm -f "${named_chrootdir}/dev/random"
- ( cd /dev ; /bin/pax -rw -pe random "${named_chrootdir}/dev" )
+ if [ -f /etc/mtree/BIND.chroot.dist ]; then
+ mtree -deU -f /etc/mtree/BIND.chroot.dist \
+ -p ${named_chrootdir}
+ else
+ warn "/etc/mtree/BIND.chroot.dist missing,"
+ warn "chroot directory structure not updated"
 fi
- # Copy local timezone information if it's not up-to-date.
+ # Create /etc/namedb symlink
+ #
+ if [ ! -L /etc/namedb ]; then
+ if [ -d /etc/namedb ]; then
+ warn "named chroot: /etc/namedb is a directory!"
+ elif [ -e /etc/namedb ]; then
+ warn "named chroot: /etc/namedb exists!"
+ else
+ ln -s ${named_chrootdir}/etc/namedb /etc/namedb
+ fi
+ fi
+
+ # Mount a devfs in the chroot directory if needed
+ #
+ if [ ! -c ${named_chrootdir}/dev/random -o \
+ ! -c ${named_chrootdir}/dev/null ]; then
+ umount ${named_chrootdir}/dev 2>/dev/null
+ mount_devfs devfs ${named_chrootdir}/dev
+ fi
+
+ # Copy local timezone information if it is not up to date.
 #
 if [ -f /etc/localtime ]; then
 cmp -s /etc/localtime "${named_chrootdir}/etc/localtime" || \
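Review bot: `mount_devfs devfs ${named_chrootdir}/dev` mounts an unrestricted devfs into the sandbox, which makes every device node on the host visible inside the chroot, whereas the pax(1) code it replaces copied only null and random; a compromised named now has a much larger surface to reach from inside the sandbox. After the mount, hide everything except the two nodes named needs, `devfs -m ${named_chrootdir}/dev rule apply hide`, `devfs -m ${named_chrootdir}/dev rule apply path null unhide` and `devfs -m ${named_chrootdir}/dev rule apply path random unhide`, and check the mount's exit status instead of silently continuing, since a failed mount leaves the sandbox without /dev/random. The new lines also drop the double quotes the removed code kept around ${named_chrootdir} (in the `-c` tests, the umount/mount lines and the `ln -s`), which breaks for a chroot path containing whitespace and is inconsistent with the quoted uses that remain. chroot_autoupdate continues past the end of the hunk.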
@@ -62,15 +80,17 @@ named_precmd()
 local confgen_chroot
 # Is the user using a sandbox?
+ #
 if [ -n "$named_chrootdir" ]; then
 rc_flags="$rc_flags -t $named_chrootdir"
- confgen_chroot="-t${named_chrootdir}"
+ confgen_chroot="-t${named_chrootdir} -u bind"
 checkyesno named_chroot_autoupdate && chroot_autoupdate
 else
 named_symlink_enable=NO
 fi
 # Create an rndc.key file for the user if none exists
+ #
 if [ ! -f "${named_chrootdir}/etc/namedb/rndc.key" -a \
 ! -f "${named_chrootdir}/etc/namedb/rndc.conf" ]; then
 rndc-confgen -a -b256 ${confgen_chroot}
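Review bot: `confgen_chroot="-t${named_chrootdir} -u bind"` hard-codes the owner of the generated rndc.key, while the account named actually runs as is set separately through `named_flags="-u bind"` in etc/defaults/rc.conf; if an administrator changes one without the other, the key (presumably created mode 0600 by rndc-confgen -a) ends up unreadable by the daemon and rndc stops working. Derive the user from a single rc.conf knob and use it for both named_flags and this line. A short comment stating the coupling would help either way, e.g. `# the key must be owned by the user named runs as (see named_flags)`. named_precmd continues past the end of the hunk.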