diff options
author | dougb <dougb@FreeBSD.org> | 2004-09-28 09:46:00 +0000 |
---|---|---|
committer | dougb <dougb@FreeBSD.org> | 2004-09-28 09:46:00 +0000 |
commit | a0c7847c5ba90a7ccc3ba1ea38781396bffaffe6 (patch) | |
tree | adec461a57e953379f28f1be08a23b3081ed6d6a /etc | |
parent | d3ceec948f3a65b58d702b97a626bcd5a6120632 (diff) | |
download | FreeBSD-src-a0c7847c5ba90a7ccc3ba1ea38781396bffaffe6.zip FreeBSD-src-a0c7847c5ba90a7ccc3ba1ea38781396bffaffe6.tar.gz |
Create a named chroot directory structure in /var/named, and use it
by default when named is enabled. Also, improve our default directory
layout by creating /var/named/etc/namedb/{master|slave} directories,
and use the former for the generated localhost* files.
Rather than using pax to copy device entries, mount devfs in the
chroot directory.
There may be some corner cases where things need to be adjusted,
but overall this structure has been well tested on a production
network, and should serve the needs of the vast majority of users.
UPDATING has instructions on how to do the conversion for those
with existing configurations.
Diffstat (limited to 'etc')
-rw-r--r-- | etc/Makefile | 13 | ||||
-rw-r--r-- | etc/defaults/rc.conf | 2 | ||||
-rw-r--r-- | etc/mtree/BIND.chroot.dist | 9 | ||||
-rw-r--r-- | etc/mtree/BSD.root.dist | 4 | ||||
-rw-r--r-- | etc/mtree/BSD.var.dist | 2 | ||||
-rwxr-xr-x | etc/namedb/make-localhost | 10 | ||||
-rw-r--r-- | etc/namedb/named.conf | 11 | ||||
-rwxr-xr-x | etc/rc.d/named | 40 |
8 files changed, 57 insertions, 34 deletions
diff --git a/etc/Makefile b/etc/Makefile index aec71ff..6de3612 100644 --- a/etc/Makefile +++ b/etc/Makefile @@ -179,13 +179,18 @@ distrib-dirs: mtree -eU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.usr.dist -p ${DESTDIR}/usr mtree -eU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.include.dist \ -p ${DESTDIR}/usr/include -.if !defined(NO_SENDMAIL) - mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/ -.endif -.if defined(WITH_BIND_LIBS) && !defined(NO_BIND) +.if !defined(NO_BIND) +.if defined(WITH_BIND_LIBS) mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BIND.include.dist \ -p ${DESTDIR}/usr/include .endif + mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BIND.chroot.dist \ + -p ${DESTDIR}/var/named + ln -s ${DESTDIR}/var/named/etc/namedb ${DESTDIR}/etc/namedb +.endif +.if !defined(NO_SENDMAIL) + mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/ +.endif cd ${DESTDIR}/; rm -f ${DESTDIR}/sys; ln -s usr/src/sys sys cd ${DESTDIR}/usr/share/man/en.ISO8859-1; ln -sf ../man* . cd ${DESTDIR}/usr/share/man; \ diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf index b612958..90d341f 100644 --- a/etc/defaults/rc.conf +++ b/etc/defaults/rc.conf @@ -164,7 +164,7 @@ named_enable="NO" # Run named, the DNS server (or NO). named_program="/usr/sbin/named" # path to named, if you want a different one. named_flags="-u bind" # Flags for named named_pidfile="/var/run/named/pid" # Must set this in named.conf as well -named_chrootdir="" # Chroot directory (or "" not to auto-chroot it) +named_chrootdir="/var/named" # Chroot directory (or "" not to auto-chroot it) named_chroot_autoupdate="YES" # Automatically install/update chrooted # components of named. See /etc/rc.d/named. named_symlink_enable="YES" # Symlink the chrooted pid file diff --git a/etc/mtree/BIND.chroot.dist b/etc/mtree/BIND.chroot.dist index c4662a0..510678c 100644 --- a/etc/mtree/BIND.chroot.dist +++ b/etc/mtree/BIND.chroot.dist @@ -5,16 +5,13 @@ /set type=dir uname=root gname=wheel mode=0755 . - dev + dev mode=0555 .. etc -/set type=dir uname=bind gname=wheel mode=0755 - namedb -/set type=dir uname=root gname=wheel mode=0755 + namedb uname=bind master .. -/set type=dir uname=bind gname=wheel mode=0755 - slave + slave uname=bind .. .. .. diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist index 93c7046..874b136 100644 --- a/etc/mtree/BSD.root.dist +++ b/etc/mtree/BSD.root.dist @@ -32,10 +32,6 @@ .. mtree .. - namedb - s uname=bind gname=bind mode=0750 - .. - .. ntp mode=0700 .. pam.d diff --git a/etc/mtree/BSD.var.dist b/etc/mtree/BSD.var.dist index 0293852..2b5b37e 100644 --- a/etc/mtree/BSD.var.dist +++ b/etc/mtree/BSD.var.dist @@ -47,6 +47,8 @@ .. msgs uname=daemon .. + named uname=root + .. preserve .. run diff --git a/etc/namedb/make-localhost b/etc/namedb/make-localhost index f3f0b1d..60fbe49 100755 --- a/etc/namedb/make-localhost +++ b/etc/namedb/make-localhost @@ -32,16 +32,18 @@ fi date=`date +"%Y%m%d"` -mv -f localhost-v6.rev localhost-v6.rev.BAK 2>/dev/null +mkdir -p master + +mv -f master/localhost-v6.rev master/localhost-v6.rev.BAK 2>/dev/null sed -e "s/@host@/$fullhost/g" \ -e "s/@domain@/$domain/g" \ -e "s/@date@/$date/g" \ - < PROTO.localhost-v6.rev > localhost-v6.rev + < PROTO.localhost-v6.rev > master/localhost-v6.rev -mv -f localhost.rev localhost.rev.BAK 2>/dev/null +mv -f master/localhost.rev master/localhost.rev.BAK 2>/dev/null exec sed -e "s/@host@/$fullhost/g" \ -e "s/@domain@/$domain/g" \ -e "s/@date@/$date/g" \ - < PROTO.localhost.rev > localhost.rev + < PROTO.localhost.rev > master/localhost.rev diff --git a/etc/namedb/named.conf b/etc/namedb/named.conf index 5b7a718..3b45e0c 100644 --- a/etc/namedb/named.conf +++ b/etc/namedb/named.conf @@ -7,8 +7,9 @@ // or cause huge amounts of useless Internet traffic. options { - directory "/etc/namedb"; - pid-file "/var/run/named/pid"; + directory "/etc/namedb"; + pid-file "/var/run/named/pid"; + dump-file "/var/dump/named_dump.db"; // In addition to the "forwarders" clause, you can force your name // server to never initiate queries of its own, but always ask its @@ -63,19 +64,19 @@ zone "." { zone "0.0.127.IN-ADDR.ARPA" { type master; - file "localhost.rev"; + file "master/localhost.rev"; }; // RFC 3152 zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" { type master; - file "localhost-v6.rev"; + file "master/localhost-v6.rev"; }; // RFC 1886 -- deprecated zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" { type master; - file "localhost-v6.rev"; + file "master/localhost-v6.rev"; }; // NB: Do not use the IP addresses below, they are faked, and only diff --git a/etc/rc.d/named b/etc/rc.d/named index c915afd..514e6c6 100755 --- a/etc/rc.d/named +++ b/etc/rc.d/named @@ -29,19 +29,37 @@ extra_commands="reload" # chroot_autoupdate() { - # Copy devices if necessary. Preserve everything (perms, - # ownership, mod times). + # Create (or update) the chroot directory structure # - if [ ! -c "${named_chrootdir}/dev/null" ]; then - rm -f "${named_chrootdir}/dev/null" - ( cd /dev ; /bin/pax -rw -pe null "${named_chrootdir}/dev" ) + if [ -f /etc/mtree/BIND.chroot.dist ]; then + mtree -deU -f /etc/mtree/BIND.chroot.dist \ + -p ${named_chrootdir} + else + warn "/etc/mtree/BIND.chroot.dist missing," + warn "chroot directory structure not updated" + fi + + # Create /etc/namedb symlink + # + if [ ! -L /etc/namedb ]; then + if [ -d /etc/namedb ]; then + warn "named chroot: /etc/namedb is a directory!" + elif [ -e /etc/namedb ]; then + warn "named chroot: /etc/namedb exists!" + else + ln -s ${named_chrootdir}/etc/namedb /etc/namedb + fi fi - if [ ! -c "${named_chrootdir}/dev/random" ]; then - rm -f "${named_chrootdir}/dev/random" - ( cd /dev ; /bin/pax -rw -pe random "${named_chrootdir}/dev" ) + + # Mount a devfs in the chroot directory if needed + # + if [ ! -c ${named_chrootdir}/dev/random -o \ + ! -c ${named_chrootdir}/dev/null ]; then + umount ${named_chrootdir}/dev 2>/dev/null + mount_devfs devfs ${named_chrootdir}/dev fi - # Copy local timezone information if it's not up-to-date. + # Copy local timezone information if it is not up to date. # if [ -f /etc/localtime ]; then cmp -s /etc/localtime "${named_chrootdir}/etc/localtime" || \ @@ -62,15 +80,17 @@ named_precmd() local confgen_chroot # Is the user using a sandbox? + # if [ -n "$named_chrootdir" ]; then rc_flags="$rc_flags -t $named_chrootdir" - confgen_chroot="-t${named_chrootdir}" + confgen_chroot="-t${named_chrootdir} -u bind" checkyesno named_chroot_autoupdate && chroot_autoupdate else named_symlink_enable=NO fi # Create an rndc.key file for the user if none exists + # if [ ! -f "${named_chrootdir}/etc/namedb/rndc.key" -a \ ! -f "${named_chrootdir}/etc/namedb/rndc.conf" ]; then rndc-confgen -a -b256 ${confgen_chroot} |