From owner-svn-src-stable-7@FreeBSD.ORG Tue Dec 29 07:13:18 2009
Message-Id: <200912290713.nBT7DIbl014570@svn.freebsd.org>
From: Doug Barton (envelope-from dougb@FreeBSD.org)
Date: Tue, 29 Dec 2009 07:13:18 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
Subject: svn commit: r201173 - in stable/7/etc: mtree namedb rc.d
List-Id: SVN commit messages for only the 7-stable src tree

Author: dougb
Date: Tue Dec 29 07:13:17 2009
New Revision: 201173

URL: http://svn.freebsd.org/changeset/base/201173

Log:
  MFC r200448:

  Since the change to rc.subr in r198162 it's not necessary to specify
  command in the rc.d script if we have a corresponding ${name}_program
  entry, which we do for named.

  Rename named_precmd to named_prestart to make it more clear and match
  convention.

  Move the command_args definition related to -u up into _prestart(). It
  (and the associated $named_uid value) are only used there, and unlike
  required_* and pidfile don't need to be used until this stage.

  Fix a silly bug that would only have affected people who were using the
  new named_wait or named_auto_forward features, AND had set up an
  rndc.conf file instead of using the automatically generated rndc.key.

  For named_conf: Add "-c $named_conf" to command_args if it's not set to
  the default. If it is set to the default and we're using the base BIND
  it's not necessary. If we're using BIND from the ports the user is
  likely to have included it in _flags (due to long necessity for doing
  so) so don't duplicate that if it's set.

  Add $named_conf to required_files.

  MFC r200563:

  The named process needs to have a "working directory" that it can
  write to. This is specified in "options { directory }" in named.conf.
  So, create /etc/namedb/working with appropriate permissions, and update
  the entry in named.conf to match.

  In addition to specifying the working directory, file and path names in
  named.conf can be specified relative to the directory listed. However,
  since that directory is now different from /etc/namedb (where the
  configuration, zone, rndc.*, and other files are located) further
  update named.conf to specify all file names with fully qualified paths.
  Also update the comment about file and path names so users know this
  should be done for all file/path names in the file.

  This change will eliminate the 'working directory is not writable'
  messages at boot time without sacrificing security. It will also allow
  for features in newer versions of BIND (9.7+) to work as designed.

Modified:
  stable/7/etc/mtree/BIND.chroot.dist
  stable/7/etc/namedb/named.conf
  stable/7/etc/rc.d/named
Directory Properties:
  stable/7/etc/   (props changed)

Modified: stable/7/etc/mtree/BIND.chroot.dist ============================================================================== --- stable/7/etc/mtree/BIND.chroot.dist Tue Dec 29 07:08:48 2009 (r201172) +++ stable/7/etc/mtree/BIND.chroot.dist Tue Dec 29 07:13:17 2009 (r201173) @@ -15,6 +15,8 @@ .. slave uname=bind .. + working uname=bind + .. .. .. /set type=dir uname=bind gname=wheel mode=0755 Modified: stable/7/etc/namedb/named.conf ============================================================================== --- stable/7/etc/namedb/named.conf Tue Dec 29 07:08:48 2009 (r201172) +++ stable/7/etc/namedb/named.conf Tue Dec 29 07:13:17 2009 (r201173) @@ -9,8 +9,9 @@ // or cause huge amounts of useless Internet traffic. options { - // Relative to the chroot directory, if any - directory "/etc/namedb"; + // All file and path names are relative to the chroot directory, + // if any, and should be fully qualified. + directory "/etc/namedb/working"; pid-file "/var/run/named/pid"; dump-file "/var/dump/named_dump.db"; statistics-file "/var/stats/named.stats";
@@ -74,7 +75,7 @@ options { // Also, make sure to enable it in /etc/rc.conf. // The traditional root hints mechanism. Use this, OR the slave zones below. -zone "." { type hint; file "named.root"; }; +zone "." { type hint; file "/etc/namedb/named.root"; }; /* Slaving the following zones from the root name servers has some significant advantages: @@ -94,7 +95,7 @@ zone "." { type hint; file "named.root"; /* zone "." { type slave; - file "slave/root.slave"; + file "/etc/namedb/slave/root.slave"; masters { 192.5.5.241; // F.ROOT-SERVERS.NET. }; @@ -102,7 +103,7 @@ zone "." { }; zone "arpa" { type slave; - file "slave/arpa.slave"; + file "/etc/namedb/slave/arpa.slave"; masters { 192.5.5.241; // F.ROOT-SERVERS.NET. }; @@ -110,7 +111,7 @@ zone "arpa" { }; zone "in-addr.arpa" { type slave; - file "slave/in-addr.arpa.slave"; + file "/etc/namedb/slave/in-addr.arpa.slave"; masters { 192.5.5.241; // F.ROOT-SERVERS.NET. }; 
@@ -125,116 +126,116 @@ zone "in-addr.arpa" { 2. No spurious traffic will be sent from your network to the roots */ // RFC 1912 -zone "localhost" { type master; file "master/localhost-forward.db"; }; -zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; }; -zone "255.in-addr.arpa" { type master; file "master/empty.db"; }; +zone "localhost" { type master; file "/etc/namedb/master/localhost-forward.db"; }; +zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; }; +zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; // RFC 1912-style zone for IPv6 localhost address -zone "0.ip6.arpa" { type master; file "master/localhost-reverse.db"; }; +zone "0.ip6.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; }; // "This" Network (RFCs 1912 and 3330) -zone "0.in-addr.arpa" { type master; file "master/empty.db"; }; +zone "0.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; // Private Use Networks (RFC 1918) -zone "10.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; }; 
-zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; }; +zone "10.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "16.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "17.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "18.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "19.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "20.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "21.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "22.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "23.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "24.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "25.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "26.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "27.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "28.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "29.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "30.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "31.172.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "168.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; // Link-local/APIPA (RFCs 3330 and 3927) -zone "254.169.in-addr.arpa" { type master; file "master/empty.db"; }; +zone "254.169.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; // TEST-NET for Documentation (RFC 3330) -zone 
"2.0.192.in-addr.arpa" { type master; file "master/empty.db"; }; +zone "2.0.192.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; // Router Benchmark Testing (RFC 3330) -zone "18.198.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "19.198.in-addr.arpa" { type master; file "master/empty.db"; }; +zone "18.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "19.198.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; // IANA Reserved - Old Class E Space -zone "240.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "241.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "242.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "243.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "244.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "245.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "246.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "247.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "248.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "249.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "250.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "251.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "252.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "253.in-addr.arpa" { type master; file "master/empty.db"; }; -zone "254.in-addr.arpa" { type master; file "master/empty.db"; }; +zone "240.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "241.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "242.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "243.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "244.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "245.in-addr.arpa" { type master; file 
"/etc/namedb/master/empty.db"; }; +zone "246.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "247.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "248.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "249.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "250.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "251.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "252.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "253.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "254.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; }; // IPv6 Unassigned Addresses (RFC 4291) -zone "1.ip6.arpa" { type master; file "master/empty.db"; }; -zone "3.ip6.arpa" { type master; file "master/empty.db"; }; -zone "4.ip6.arpa" { type master; file "master/empty.db"; }; -zone "5.ip6.arpa" { type master; file "master/empty.db"; }; -zone "6.ip6.arpa" { type master; file "master/empty.db"; }; -zone "7.ip6.arpa" { type master; file "master/empty.db"; }; -zone "8.ip6.arpa" { type master; file "master/empty.db"; }; -zone "9.ip6.arpa" { type master; file "master/empty.db"; }; -zone "a.ip6.arpa" { type master; file "master/empty.db"; }; -zone "b.ip6.arpa" { type master; file "master/empty.db"; }; -zone "c.ip6.arpa" { type master; file "master/empty.db"; }; -zone "d.ip6.arpa" { type master; file "master/empty.db"; }; -zone "e.ip6.arpa" { type master; file "master/empty.db"; }; -zone "0.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "1.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "2.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "3.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "4.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "5.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "6.f.ip6.arpa" { type master; file 
"master/empty.db"; }; -zone "7.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "8.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "9.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "a.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "b.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "0.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "1.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "2.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "3.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "4.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "5.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "6.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "7.e.f.ip6.arpa" { type master; file "master/empty.db"; }; +zone "1.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "3.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "4.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "5.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "6.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "7.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "8.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "9.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "a.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "b.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "c.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "d.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "e.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "0.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "1.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "2.f.ip6.arpa" { type master; file 
"/etc/namedb/master/empty.db"; }; +zone "3.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "4.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "5.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "6.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "7.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "8.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "9.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "a.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "b.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "0.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "1.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "2.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "3.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "4.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "5.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "6.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "7.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; // IPv6 ULA (RFC 4193) -zone "c.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "d.f.ip6.arpa" { type master; file "master/empty.db"; }; +zone "c.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "d.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; // IPv6 Link Local (RFC 4291) -zone "8.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "9.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "a.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "b.e.f.ip6.arpa" { type master; file "master/empty.db"; }; +zone "8.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone 
"9.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "a.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "b.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; // IPv6 Deprecated Site-Local Addresses (RFC 3879) -zone "c.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "d.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "e.e.f.ip6.arpa" { type master; file "master/empty.db"; }; -zone "f.e.f.ip6.arpa" { type master; file "master/empty.db"; }; +zone "c.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "d.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "e.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; +zone "f.e.f.ip6.arpa" { type master; file "/etc/namedb/master/empty.db"; }; // IP6.INT is Deprecated (RFC 4159) -zone "ip6.int" { type master; file "master/empty.db"; }; +zone "ip6.int" { type master; file "/etc/namedb/master/empty.db"; }; // NB: Do not use the IP addresses below, they are faked, and only // serve demonstration/documentation purposes! @@ -265,17 +266,16 @@ zone "example.org" { allow-update { key "exampleorgkey"; }; - file "dynamic/example.org"; + file "/etc/namedb/dynamic/example.org"; }; */ /* Example of a slave reverse zone zone "1.168.192.in-addr.arpa" { type slave; - file "slave/1.168.192.in-addr.arpa"; + file "/etc/namedb/slave/1.168.192.in-addr.arpa"; masters { 192.168.1.1; }; }; */ - Modified: stable/7/etc/rc.d/named ============================================================================== --- stable/7/etc/rc.d/named Tue Dec 29 07:08:48 2009 (r201172) +++ stable/7/etc/rc.d/named Tue Dec 29 07:13:17 2009 (r201173) @@ -12,10 +12,9 @@ name="named" rcvar=named_enable -command="/usr/sbin/named" extra_commands="reload" -start_precmd="named_precmd" +start_precmd="named_prestart" start_postcmd="named_poststart" reload_cmd="named_reload" stop_cmd="named_stop" 
@@ -155,8 +154,17 @@ create_file () { chmod 644 $1 } -named_precmd() +named_prestart() { + command_args="-u ${named_uid:=root}" + + if [ ! "$named_conf" = '/etc/namedb/named.conf' ]; then + case "$named_flags" in + -c*|*' -c'*) ;; # No need to add it + *) command_args="-c $named_conf $command_args" ;; + esac + fi + local line nsip firstns # Is the user using a sandbox? @@ -170,11 +178,11 @@ named_precmd() # Create an rndc.key file for the user if none exists # - if [ -s "${named_chrootdir}/etc/namedb/rndc.conf" ]; then - return 0 - fi confgen_command="${command%/named}/rndc-confgen -a -b256 -u $named_uid \ -c ${named_chrootdir}/etc/namedb/rndc.key" + if [ -s "${named_chrootdir}/etc/namedb/rndc.conf" ]; then + unset confgen_command + fi if [ -s "${named_chrootdir}/etc/namedb/rndc.key" ]; then case `stat -f%Su ${named_chrootdir}/etc/namedb/rndc.key` in root|$named_uid) ;; @@ -260,10 +268,11 @@ named_precmd() } load_rc_config $name + # Updating the following variables requires that rc.conf be loaded first # required_dirs="$named_chrootdir" # if it is set, it must exist +required_files="${named_conf:=/etc/namedb/named.conf}" pidfile="${named_pidfile:-/var/run/named/pid}" -command_args="-u ${named_uid:=root}" run_rc_command "$1"
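Review bot: in the BIND.chroot.dist hunk (`@@ -15,6 +15,8 @@`), the new `working uname=bind` entry states the owner but not the mode, so the directory's permissions come from whichever `/set` is in effect above the hunk, which is not visible here. Since `working` is the one directory named is meant to write to, putting the intended mode on the line itself (e.g. `working uname=bind mode=0755`) would keep a later change to the `/set` default from silently widening or narrowing it.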
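Review bot: in the named.conf `options` hunk (`@@ -9,8 +9,9 @@`), the new comment says names "should be fully qualified" but not why; with `directory "/etc/namedb/working"`, any `file` value a user adds without a leading `/` is now created or looked up under the bind-writable `working/` rather than beside the configuration in /etc/namedb. One more clause along the lines of "relative names resolve under the working directory above" would make the consequence of leaving a path relative explicit, which is the point the rest of this diff (every `file` rewritten to `/etc/namedb/...`) is enforcing.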
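Review bot: in the rc.d/named header hunk (`@@ -12,10 +12,9 @@`), dropping `command="/usr/sbin/named"` makes the script depend on rc.subr filling `command` in from `${name}_program` (the r198162 change named in the log). That is fine for the final `run_rc_command` invocation, but `confgen_command="${command%/named}/rndc-confgen ..."` in the later hunk still derives the rndc-confgen path from `$command` inside `named_prestart`, which runs as `start_precmd`. Worth confirming that the stable/7 rc.subr sets `command` before the precmd runs, not only when it builds the start command, or `${named_program%/named}` would be the safer spelling.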
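Review bot: in the `named_prestart` hunk (`@@ -155,8 +154,17 @@`), `if [ ! "$named_conf" = '/etc/namedb/named.conf' ]` is a negated `=` where `!=` reads more directly, and the default path is now hard-coded twice, here and in `required_files="${named_conf:=/etc/namedb/named.conf}"` at the bottom of the script. A single `named_conf="${named_conf:-/etc/namedb/named.conf}"` before `required_files` is set would let this test compare against one value. The `case "$named_flags" in -c*|*' -c'*)` guard does what the log describes (no second `-c` when the user already passes one), and the `${named_uid:=root}` default is what the `root|$named_uid)` ownership check on rndc.key later relies on, so the ordering of these two assignments matters and could use a comment.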
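Review bot: in the rndc.key hunk (`@@ -170,11 +178,11 @@`), replacing the early `return 0` with `unset confgen_command` is the right fix for the bug in the log (the early return skipped everything after it in the precmd, not just key generation), but assigning `confgen_command` and then unsetting it two lines later reads backwards. Guarding the assignment instead, `if [ ! -s "${named_chrootdir}/etc/namedb/rndc.conf" ]; then confgen_command="..."; fi`, says the same thing in one step and leaves the variable unset rather than cleared. The `stat -f%Su .../rndc.key` ownership check that follows now also runs when an rndc.conf is present, which is a reasonable safety net for a leftover root-owned key file.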
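Review bot: in the final hunk (`@@ -260,10 +268,11 @@`), `required_files="${named_conf:=/etc/namedb/named.conf}"` is checked by rc.subr as a host path, whereas the checks in `named_prestart` consistently prefix `${named_chrootdir}`. This works when /etc/namedb is a symlink into the chroot, but on a chroot laid out without that symlink rc.subr would refuse to start named even though `${named_chrootdir}${named_conf}` exists (while `-c $named_conf` passed to named itself is correct, since named resolves it inside the chroot). Either prefix `required_files` with `${named_chrootdir}` or note the symlink assumption next to the `required_dirs` comment.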
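The r200563 part of this commit moves `directory` to /etc/namedb/working and fully qualifies every `file` in the shipped named.conf, because anything left relative now lands in the writable working directory. The following lint is an added example, not part of the commit or of rc.d/named: it lists every `file`/`directory` value in a named.conf that lacks a leading `/`, using only sed and awk, so an operator can run it against a locally edited configuration before restarting named. The sample configuration it checks is constructed here for illustration.

```shell
#!/bin/sh
# Added example (not from the FreeBSD commit): lint a named.conf for file
# and directory names that are not fully qualified. With
# directory "/etc/namedb/working", a relative name is looked up under the
# bind-writable working directory instead of /etc/namedb.

# find_relative_paths CONF
# Prints each `file "..."` / `directory "..."` value in CONF that does not
# start with "/", one per line (pid-file, dump-file etc. are covered too,
# since they end in "file"). Exit status 1 if any were found, else 0.
# Limitation: only `//` comments are stripped, not `/* ... */` blocks.
find_relative_paths() {
    sed 's|//.*$||' "$1" |
    awk '{
        line = $0
        while (match(line, /(file|directory)[ \t]+"[^"]*"/)) {
            val = substr(line, RSTART, RLENGTH)
            sub(/^[^"]*"/, "", val)      # drop keyword and opening quote
            sub(/"$/, "", val)           # drop closing quote
            if (val !~ /^\//) { print val; found = 1 }
            line = substr(line, RSTART + RLENGTH)
        }
    }
    END { exit(found ? 1 : 0) }'
}

# write_sample_conf PATH
# Writes a constructed named.conf fragment (sample input, not the real
# file) that mixes absolute and relative names.
write_sample_conf() {
    cat > "$1" <<'EOF'
options {
        directory "/etc/namedb/working";      // writable by bind
        pid-file "/var/run/named/pid";
        dump-file "named_dump.db";            // relative: lands in working/
};
zone "." { type hint; file "named.root"; };
zone "localhost" { type master; file "/etc/namedb/master/localhost-forward.db"; };
zone "example.org" { type slave; file "slave/example.org"; masters { 192.0.2.1; }; };
EOF
}

sample=$(mktemp "${TMPDIR:-/tmp}/named.conf.XXXXXX")
write_sample_conf "$sample"
if find_relative_paths "$sample"; then
    echo "all file names in $sample are fully qualified"
else
    echo "the names above are relative to the named 'directory' and will resolve under it"
fi
rm -f "$sample"
```

Run as `sh lint-named-conf.sh`; on the constructed sample it reports `named_dump.db`, `named.root` and `slave/example.org`. To check a live system, call `find_relative_paths /etc/namedb/named.conf` (or the chroot-prefixed path) and treat a non-zero exit as a reason to fully qualify the listed names before the next `service named restart`.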