authordougb <dougb@FreeBSD.org>2004-09-28 09:46:00 +0000
committerdougb <dougb@FreeBSD.org>2004-09-28 09:46:00 +0000
commita0c7847c5ba90a7ccc3ba1ea38781396bffaffe6 (patch)
treeadec461a57e953379f28f1be08a23b3081ed6d6a /etc
parentd3ceec948f3a65b58d702b97a626bcd5a6120632 (diff)
downloadFreeBSD-src-a0c7847c5ba90a7ccc3ba1ea38781396bffaffe6.zip
FreeBSD-src-a0c7847c5ba90a7ccc3ba1ea38781396bffaffe6.tar.gz
Create a named chroot directory structure in /var/named, and use it
by default when named is enabled. Also, improve our default directory layout by creating /var/named/etc/namedb/{master|slave} directories, and use the former for the generated localhost* files. Rather than using pax to copy device entries, mount devfs in the chroot directory. There may be some corner cases where things need to be adjusted, but overall this structure has been well tested on a production network, and should serve the needs of the vast majority of users. UPDATING has instructions on how to do the conversion for those with existing configurations.
Diffstat (limited to 'etc')
-rw-r--r--etc/Makefile13
-rw-r--r--etc/defaults/rc.conf2
-rw-r--r--etc/mtree/BIND.chroot.dist9
-rw-r--r--etc/mtree/BSD.root.dist4
-rw-r--r--etc/mtree/BSD.var.dist2
-rwxr-xr-xetc/namedb/make-localhost10
-rw-r--r--etc/namedb/named.conf11
-rwxr-xr-xetc/rc.d/named40
8 files changed, 57 insertions, 34 deletions
diff --git a/etc/Makefile b/etc/Makefile
index aec71ff..6de3612 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -179,13 +179,18 @@ distrib-dirs:
mtree -eU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.usr.dist -p ${DESTDIR}/usr
mtree -eU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.include.dist \
-p ${DESTDIR}/usr/include
-.if !defined(NO_SENDMAIL)
- mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/
-.endif
-.if defined(WITH_BIND_LIBS) && !defined(NO_BIND)
+.if !defined(NO_BIND)
+.if defined(WITH_BIND_LIBS)
mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BIND.include.dist \
-p ${DESTDIR}/usr/include
.endif
+ mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BIND.chroot.dist \
+ -p ${DESTDIR}/var/named
+ ln -s ${DESTDIR}/var/named/etc/namedb ${DESTDIR}/etc/namedb
+.endif
+.if !defined(NO_SENDMAIL)
+ mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/
+.endif
cd ${DESTDIR}/; rm -f ${DESTDIR}/sys; ln -s usr/src/sys sys
cd ${DESTDIR}/usr/share/man/en.ISO8859-1; ln -sf ../man* .
cd ${DESTDIR}/usr/share/man; \
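Review bot: The symlink created on the `ln -s ${DESTDIR}/var/named/etc/namedb ${DESTDIR}/etc/namedb` line embeds ${DESTDIR} in the link target, so when distrib-dirs is run into a staging tree the installed /etc/namedb points at the build host's staging path instead of /var/named/etc/namedb and dangles once the tree is deployed. `ln -s` also fails outright if ${DESTDIR}/etc/namedb already exists, which is the case on any system upgraded from the old layout where /etc/namedb was a real directory (the BSD.root.dist change only stops mtree creating it; it does not remove an existing one). A relative target, `ln -sfh ../var/named/etc/namedb ${DESTDIR}/etc/namedb`, fixes the DESTDIR problem and replaces a stale link; an existing directory still needs the manual conversion the commit message defers to UPDATING, and a comment on this line saying so would save the next reader a failed install. distrib-dirs starts before this hunk.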
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index b612958..90d341f 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -164,7 +164,7 @@ named_enable="NO" # Run named, the DNS server (or NO).
named_program="/usr/sbin/named" # path to named, if you want a different one.
named_flags="-u bind" # Flags for named
named_pidfile="/var/run/named/pid" # Must set this in named.conf as well
-named_chrootdir="" # Chroot directory (or "" not to auto-chroot it)
+named_chrootdir="/var/named" # Chroot directory (or "" not to auto-chroot it)
named_chroot_autoupdate="YES" # Automatically install/update chrooted
# components of named. See /etc/rc.d/named.
named_symlink_enable="YES" # Symlink the chrooted pid file
diff --git a/etc/mtree/BIND.chroot.dist b/etc/mtree/BIND.chroot.dist
index c4662a0..510678c 100644
--- a/etc/mtree/BIND.chroot.dist
+++ b/etc/mtree/BIND.chroot.dist
@@ -5,16 +5,13 @@
/set type=dir uname=root gname=wheel mode=0755
.
- dev
+ dev mode=0555
..
etc
-/set type=dir uname=bind gname=wheel mode=0755
- namedb
-/set type=dir uname=root gname=wheel mode=0755
+ namedb uname=bind
master
..
-/set type=dir uname=bind gname=wheel mode=0755
- slave
+ slave uname=bind
..
..
..
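Review bot: The ownership split this hunk introduces is not explained anywhere in the file: `namedb` and `slave` get `uname=bind`, while `master` inherits the `/set … uname=root` default, so named (started with `-u bind` per rc.conf) can write zone transfers under slave/ but cannot modify the primary zone data under master/. That is a useful containment property and worth stating, since the next person to "fix" the apparent inconsistency is likely to make master/ writable by bind. Suggest a `#` comment above the `.` line such as `# master/ stays root-owned so a compromised named cannot rewrite primary zone data; slave/ is bind-owned so zone transfers can be written.`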
diff --git a/etc/mtree/BSD.root.dist b/etc/mtree/BSD.root.dist
index 93c7046..874b136 100644
--- a/etc/mtree/BSD.root.dist
+++ b/etc/mtree/BSD.root.dist
@@ -32,10 +32,6 @@
..
mtree
..
- namedb
- s uname=bind gname=bind mode=0750
- ..
- ..
ntp mode=0700
..
pam.d
diff --git a/etc/mtree/BSD.var.dist b/etc/mtree/BSD.var.dist
index 0293852..2b5b37e 100644
--- a/etc/mtree/BSD.var.dist
+++ b/etc/mtree/BSD.var.dist
@@ -47,6 +47,8 @@
..
msgs uname=daemon
..
+ named uname=root
+ ..
preserve
..
run
diff --git a/etc/namedb/make-localhost b/etc/namedb/make-localhost
index f3f0b1d..60fbe49 100755
--- a/etc/namedb/make-localhost
+++ b/etc/namedb/make-localhost
@@ -32,16 +32,18 @@ fi
date=`date +"%Y%m%d"`
-mv -f localhost-v6.rev localhost-v6.rev.BAK 2>/dev/null
+mkdir -p master
+
+mv -f master/localhost-v6.rev master/localhost-v6.rev.BAK 2>/dev/null
sed -e "s/@host@/$fullhost/g" \
-e "s/@domain@/$domain/g" \
-e "s/@date@/$date/g" \
- < PROTO.localhost-v6.rev > localhost-v6.rev
+ < PROTO.localhost-v6.rev > master/localhost-v6.rev
-mv -f localhost.rev localhost.rev.BAK 2>/dev/null
+mv -f master/localhost.rev master/localhost.rev.BAK 2>/dev/null
exec sed -e "s/@host@/$fullhost/g" \
-e "s/@domain@/$domain/g" \
-e "s/@date@/$date/g" \
- < PROTO.localhost.rev > localhost.rev
+ < PROTO.localhost.rev > master/localhost.rev
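Review bot: `mkdir -p master` is unchecked and, when the directory does not already exist, creates it with the invoking user's umask and ownership rather than the root:wheel 0755 that etc/mtree/BIND.chroot.dist declares for it; if the mkdir fails, the redirections that follow simply fail one after another with less helpful errors. Suggest `mkdir -p master || exit 1` so the script stops with a clear status, plus a comment noting that the directory is normally created by mtree and this is only a fallback. The script's earlier lines are outside the hunk, so whether it has already changed into the namedb directory, and therefore where `master` is created relative to the cwd, cannot be confirmed from here.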
diff --git a/etc/namedb/named.conf b/etc/namedb/named.conf
index 5b7a718..3b45e0c 100644
--- a/etc/namedb/named.conf
+++ b/etc/namedb/named.conf
@@ -7,8 +7,9 @@
// or cause huge amounts of useless Internet traffic.
options {
- directory "/etc/namedb";
- pid-file "/var/run/named/pid";
+ directory "/etc/namedb";
+ pid-file "/var/run/named/pid";
+ dump-file "/var/dump/named_dump.db";
// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
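Review bot: The `directory`, `pid-file` and the new `dump-file` paths are now interpreted inside the chroot, since rc.conf in this same commit defaults named_chrootdir to /var/named, i.e. they resolve to /var/named/etc/namedb, /var/named/var/run/named/pid and /var/named/var/dump/named_dump.db on the host, and nothing in the file says so. A comment above `options {` such as `// When named runs chrooted (the default), every path below is relative to the chroot root, not the host filesystem.` would stop administrators from "correcting" these to host paths. The BIND.chroot.dist hunk in this commit only shows the dev and etc subtrees; if the full file does not also create var/dump and var/run/named, the dump-file and pid-file targets will not exist inside the chroot, which is worth confirming before this becomes the default.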
@@ -63,19 +64,19 @@ zone "." {
zone "0.0.127.IN-ADDR.ARPA" {
type master;
- file "localhost.rev";
+ file "master/localhost.rev";
};
// RFC 3152
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
type master;
- file "localhost-v6.rev";
+ file "master/localhost-v6.rev";
};
// RFC 1886 -- deprecated
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
type master;
- file "localhost-v6.rev";
+ file "master/localhost-v6.rev";
};
// NB: Do not use the IP addresses below, they are faked, and only
diff --git a/etc/rc.d/named b/etc/rc.d/named
index c915afd..514e6c6 100755
--- a/etc/rc.d/named
+++ b/etc/rc.d/named
@@ -29,19 +29,37 @@ extra_commands="reload"
#
chroot_autoupdate()
{
- # Copy devices if necessary. Preserve everything (perms,
- # ownership, mod times).
+ # Create (or update) the chroot directory structure
#
- if [ ! -c "${named_chrootdir}/dev/null" ]; then
- rm -f "${named_chrootdir}/dev/null"
- ( cd /dev ; /bin/pax -rw -pe null "${named_chrootdir}/dev" )
+ if [ -f /etc/mtree/BIND.chroot.dist ]; then
+ mtree -deU -f /etc/mtree/BIND.chroot.dist \
+ -p ${named_chrootdir}
+ else
+ warn "/etc/mtree/BIND.chroot.dist missing,"
+ warn "chroot directory structure not updated"
+ fi
+
+ # Create /etc/namedb symlink
+ #
+ if [ ! -L /etc/namedb ]; then
+ if [ -d /etc/namedb ]; then
+ warn "named chroot: /etc/namedb is a directory!"
+ elif [ -e /etc/namedb ]; then
+ warn "named chroot: /etc/namedb exists!"
+ else
+ ln -s ${named_chrootdir}/etc/namedb /etc/namedb
+ fi
fi
- if [ ! -c "${named_chrootdir}/dev/random" ]; then
- rm -f "${named_chrootdir}/dev/random"
- ( cd /dev ; /bin/pax -rw -pe random "${named_chrootdir}/dev" )
+
+ # Mount a devfs in the chroot directory if needed
+ #
+ if [ ! -c ${named_chrootdir}/dev/random -o \
+ ! -c ${named_chrootdir}/dev/null ]; then
+ umount ${named_chrootdir}/dev 2>/dev/null
+ mount_devfs devfs ${named_chrootdir}/dev
fi
- # Copy local timezone information if it's not up-to-date.
+ # Copy local timezone information if it is not up to date.
#
if [ -f /etc/localtime ]; then
cmp -s /etc/localtime "${named_chrootdir}/etc/localtime" || \
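Review bot: `mount_devfs devfs ${named_chrootdir}/dev` mounts an unrestricted devfs into the chroot, so the chrooted named sees every device node on the host (disks, mem/kmem, ttys), whereas the pax-based code it replaces exposed only null and random. The chroot is considerably tighter if a devfs ruleset hides everything except the two nodes named needs, e.g. directly after the mount: `devfs -m ${named_chrootdir}/dev rule apply hide`, `devfs -m ${named_chrootdir}/dev rule apply path null unhide`, `devfs -m ${named_chrootdir}/dev rule apply path random unhide`. Separately, `${named_chrootdir}` is unquoted in the new mtree, ln, umount and mount_devfs invocations while the remaining lines of the function still quote it, so a chroot path containing whitespace would be split. chroot_autoupdate continues past the end of the hunk.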
@@ -62,15 +80,17 @@ named_precmd()
local confgen_chroot
# Is the user using a sandbox?
+ #
if [ -n "$named_chrootdir" ]; then
rc_flags="$rc_flags -t $named_chrootdir"
- confgen_chroot="-t${named_chrootdir}"
+ confgen_chroot="-t${named_chrootdir} -u bind"
checkyesno named_chroot_autoupdate && chroot_autoupdate
else
named_symlink_enable=NO
fi
# Create an rndc.key file for the user if none exists
+ #
if [ ! -f "${named_chrootdir}/etc/namedb/rndc.key" -a \
! -f "${named_chrootdir}/etc/namedb/rndc.conf" ]; then
rndc-confgen -a -b256 ${confgen_chroot}
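Review bot: `confgen_chroot="-t${named_chrootdir} -u bind"` hard-codes the key file's owner to bind although the user named runs as is set separately by `named_flags="-u bind"` in rc.conf, and the non-chroot branch passes no `-u` at all, leaving the generated rndc.key root-owned. If an administrator changes the user in named_flags, or runs without a chroot, the key may be unreadable by named; whether that actually breaks rndc depends on how named.conf references the key, which is outside this diff. Consider one variable for the owner applied in both branches, e.g. `rndc-confgen -a -b256 -u "$named_user" ${confgen_chroot}` with `named_user` (a constructed placeholder name) taken from rc.conf, so the chroot and non-chroot cases agree. named_precmd starts before this hunk.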