Hello community,
here is the log from the commit of package bind for openSUSE:Factory checked in at 2021-01-30 13:55:34
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/bind (Old)
and /work/SRC/openSUSE:Factory/.bind.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bind"
Sat Jan 30 13:55:34 2021 rev:161 rq:866745 version:9.16.11
Changes:
--------
--- /work/SRC/openSUSE:Factory/bind/bind.changes 2021-01-08 17:34:13.377125978 +0100
+++ /work/SRC/openSUSE:Factory/.bind.new.28504/bind.changes 2021-01-30 13:55:36.941943402 +0100
@@ -1,0 +2,20 @@
+Thu Jan 21 08:00:03 UTC 2021 - Josef M��llers
+
+- Upgrade to version 9.16.11
+ * Bug fixing (please check CHANGES file in the source RPM)
+ * Functional change:
+ policy none;", named now
+ permits a safe transition to insecure mode and publishes
+ the CDS and CDNSKEY DELETE records, as described in RFC 8078.
+
+ Remove useless Makefiles and Makefile skeleton files in
+ /usr/share/doc/packages/bind/contrib/
+ [bind.spec, bsc#1179040]
+
+ *** MAJOR CHANGE ***
+ Changed protection of/against "named" from chroot jail to
+ systemd protection. This obsoletes subpackage named-chrootenv.
+ Kudos to Matthias Gerstner
+ [bind.spec, bind-chrootenv.conf, vendor-files.tar.bz2, bsc#1180294]
+
+-------------------------------------------------------------------
Old:
----
bind-9.16.10.tar.xz
bind-9.16.10.tar.xz.sha512.asc
bind-chrootenv.conf
New:
----
bind-9.16.11.tar.xz
bind-9.16.11.tar.xz.sha512.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ bind.spec ++++++
--- /var/tmp/diff_new_pack.ZxdYqF/_old 2021-01-30 13:55:37.777945055 +0100
+++ /var/tmp/diff_new_pack.ZxdYqF/_new 2021-01-30 13:55:37.777945055 +0100
@@ -1,7 +1,7 @@
#
# spec file for package bind
#
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,17 +20,17 @@
# Note that the sonums are LIBINTERFACE - LIBAGE
%define bind9_sonum 1600
%define libbind9 libbind9-%{bind9_sonum}
-%define dns_sonum 1610
+%define dns_sonum 1611
%define libdns libdns%{dns_sonum}
%define irs_sonum 1601
%define libirs libirs%{irs_sonum}
-%define isc_sonum 1608
+%define isc_sonum 1609
%define libisc libisc%{isc_sonum}
%define isccc_sonum 1600
%define libisccc libisccc%{isccc_sonum}
-%define isccfg_sonum 1602
+%define isccfg_sonum 1603
%define libisccfg libisccfg%{isccfg_sonum}
-%define ns_sonum 1606
+%define ns_sonum 1607
%define libns libns%{ns_sonum}
%define VENDOR SUSE
@@ -61,7 +61,7 @@
%define _fillupdir %{_localstatedir}/adm/fillup-templates
%endif
Name: bind
-Version: 9.16.10
+Version: 9.16.11
Release: 0
Summary: Domain Name System (DNS) Server (named)
License: MPL-2.0
@@ -78,7 +78,6 @@
Source60: dlz-schema.txt
# configuation files for systemd-tmpfiles
Source70: bind.conf
-Source71: bind-chrootenv.conf
Source72: named.conf
Patch51: pie_compile.diff
Patch52: named-bootconf.diff
@@ -99,7 +98,6 @@
BuildRequires: pkgconfig(libidn2)
BuildRequires: pkgconfig(libuv)
BuildRequires: pkgconfig(libxml-2.0)
-Requires: %{name}-chrootenv
Requires: %{name}-utils
Requires(post): %fillup_prereq
Requires(post): bind-utils
@@ -215,17 +213,6 @@
%description -n %{libisccfg}
This BIND library contains the configuration file parser.
-%package chrootenv
-Summary: Chroot environment for BIND named
-# We need the named user and group, have only one authoritative place
-Group: Productivity/Networking/DNS/Servers
-Requires(pre): %{name}
-
-%description chrootenv
-This package contains all directories and files which are common to the
-chroot environment of BIND named. Most is part of the
-structure below %{_localstatedir}/lib/named.
-
%package devel
Summary: Development Libraries and Header Files of BIND
Group: Development/Libraries/C and C++
@@ -304,7 +291,7 @@
-i "${file}"
}
pushd vendor-files
-for file in docu/README tools/createNamedConfInclude config/{README,named.conf} init/named system/named.init sysconfig/{named-common,named-named,syslog-named}; do
+for file in docu/README* tools/createNamedConfInclude config/{README,named.conf} init/named system/named.init sysconfig/named-named; do
replaceStrings ${file}
done
popd
@@ -363,7 +350,7 @@
%{buildroot}/%{_datadir}/bind \
%{buildroot}/%{_datadir}/susehelp/meta/Administration/System \
%{buildroot}/%{_defaultdocdir}/bind \
- %{buildroot}%{_localstatedir}/lib/named/{etc/named.d,dev,dyn,log,master,slave,var/{lib,run/named}} \
+ %{buildroot}%{_localstatedir}/lib/named/{etc/named.d,dev,dyn,master,slave,var/{lib,run/named}} \
%{buildroot}%{_mandir}/{man1,man3,man5,man8} \
%{buildroot}%{_fillupdir} \
%{buildroot}/%{_rundir} \
@@ -383,9 +370,6 @@
mv vendor-files/config/named.conf %{buildroot}/%{_sysconfdir}
mv vendor-files/config/bind.reg %{buildroot}/%{_sysconfdir}/slp.reg.d
mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d
-for file in named.conf.include; do
- touch %{buildroot}/%{_sysconfdir}/${file}
-done
%if %{with_systemd}
for file in named; do
@@ -394,7 +378,6 @@
ln -s /sbin/service %{buildroot}%{_sbindir}/rc${file}
done
install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf
- install -D -m 0644 %{SOURCE71} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind-chrootenv.conf
install -D -m 0644 ${RPM_SOURCE_DIR}/named.root %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/root.hint
install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named
install -m 0644 bind.keys %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/named.root.key
@@ -413,12 +396,7 @@
cp -p "%{SOURCE60}" "%{buildroot}/%{_sysconfdir}/openldap/schema/dlz.schema"
install -m 0754 vendor-files/tools/ldapdump %{buildroot}/%{_datadir}/bind
find %{buildroot}/%{_libdir} -type f -name '*.so*' -print0 | xargs -0 chmod 0755
-touch %{buildroot}%{_localstatedir}/lib/named%{_sysconfdir}/{localtime,named.conf.include,named.d/rndc.access.conf}
-touch %{buildroot}%{_localstatedir}/lib/named/dev/log
-ln -s ../.. %{buildroot}%{_localstatedir}/lib/named%{_localstatedir}/lib/named
-ln -s ../log %{buildroot}%{_localstatedir}/lib/named%{_localstatedir}
-ln -s ..%{_localstatedir}/lib/named%{_localstatedir}/run/named %{buildroot}/run
-for file in named-common named-named syslog-named; do
+for file in named-named; do
install -m 0644 vendor-files/sysconfig/${file} %{buildroot}%{_fillupdir}/sysconfig.${file}
done
%if %{with_sfw2}
@@ -428,7 +406,11 @@
rm doc/misc/Makefile*
find doc/arm -type f ! -name '*.html' -print0 | xargs -0 rm -f
# Create doc as we want it in bind and not bind-doc
-cp -a vendor-files/docu/README %{buildroot}/%{_defaultdocdir}/bind/README.%{VENDOR}
+for file in vendor-files/docu/README*; do
+ basename=$( basename ${file})
+ cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename}.%{VENDOR}
+done
+
mkdir -p vendor-files/config/ISC-examples
cp -a bin/tests/*.conf* vendor-files/config/ISC-examples
for d in arm; do
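Review bot: The new doc loop assigns a variable named `basename` from a subshell running the `basename` command on an unquoted `${file}`, which is confusing to read and splits on whitespace; `cp -a "${file}" "%{buildroot}/%{_defaultdocdir}/bind/${file##*/}.%{VENDOR}"` does the same job in one line without the subshell. The `replaceStrings ${file}` call in the earlier hunk over the same `docu/README*` glob has the same unquoted expansion. Both loops rely on the glob matching at least one file; it does in this commit because README and the new README-bind.chrootenv both exist, but a comment saying so would help the next person who prunes the docu directory.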
@@ -441,6 +423,8 @@
echo "%doc %{_defaultdocdir}/bind/${basename}" >>filelist-bind-doc
done
# ---------------------------------------------------------------------------
+# remove useless Makefiles and Makefile skeletons
+find %{buildroot}/%{_defaultdocdir}/bind \( -name Makefile -o -name Makefile.in \) -exec rm {} +
install -m 0644 bind.keys %{buildroot}%{_localstatedir}/lib/named/named.root.key
%if %{with_systemd}
mkdir -p %{buildroot}%{_sysusersdir}
@@ -480,6 +464,11 @@
%{_bindir}/systemctl daemon-reload || :
fi
%endif
+# Create the rndc.key and named.conf.include* files so they exist when named is started
+[ -e /etc/rndc.key ] || /usr/sbin/rndc-confgen -a -b 512
+[ -e /etc/named.conf.include ] || touch /etc/named.conf.include
+[ -e /etc/named.conf.include.BINDconfig ] || touch /etc/named.conf.include.BINDconfig
+chown named: /etc/rndc.key /etc/named.conf.include*
%postun
%if %{with_systemd}
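Review bot: `chown named: /etc/rndc.key` makes the service account the owner of the key that authorises rndc control of the daemon, so a process running as named could replace that key; the daemon only needs to read it, so `chown root:named /etc/rndc.key` followed by `chmod 0640 /etc/rndc.key` keeps it readable without making it writable. The same question applies to the two named.conf.include files, which are included into named.conf: if only root-run tooling (the init script inside the unit, which has these paths in ReadWritePaths) writes them, root ownership with group named is the tighter choice — I cannot see from this diff whether anything running as named needs write access, so confirm before changing it. Note that these four lines run on every upgrade as well as on first install, so the chown will also reset ownership an administrator has deliberately changed.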
@@ -503,19 +492,12 @@
%postun -n %{libisccc} -p /sbin/ldconfig
%post -n %{libisccfg} -p /sbin/ldconfig
%postun -n %{libisccfg} -p /sbin/ldconfig
-%post chrootenv
-%{fillup_only -nsa named common}
-%{fillup_only -nsa syslog named}
-%if %{with_systemd}
-%tmpfiles_create bind-chrootenv.conf
-%endif
%files
%license LICENSE
%attr(0644,root,named) %config(noreplace) /%{_sysconfdir}/named.conf
%dir %{_sysconfdir}/slp.reg.d
%attr(0644,root,root) %config /%{_sysconfdir}/slp.reg.d/bind.reg
-%attr(0644,root,named) %ghost /%{_sysconfdir}/named.conf.include
%if %{with_systemd}
%config %{_unitdir}/named.service
%{_sbindir}/named.init
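Review bot: The `%ghost` entry for named.conf.include is dropped here while the new %post scriptlet in this same spec creates that file and named.conf.include.BINDconfig on disk, so rpm neither owns nor verifies nor removes them on uninstall. Keeping `%ghost %{_sysconfdir}/named.conf.include` and adding `%ghost %{_sysconfdir}/named.conf.include.BINDconfig` keeps the files tracked without shipping content for them; the same consideration applies to /etc/rndc.key, which %post now generates.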
@@ -581,30 +563,6 @@
%files -n %{libisccfg}
%{_libdir}/libisccfg.so.%{isccfg_sonum}*
-%files chrootenv
-%if %{with_systemd}
-%{_prefix}/lib/tmpfiles.d/bind-chrootenv.conf
-%endif
-%dir %{_var}/lib/named%{_sysconfdir}
-%dir %{_var}/lib/named%{_sysconfdir}/named.d
-%dir %{_var}/lib/named/dev
-%dir %{_var}/lib/named%{_localstatedir}
-%dir %{_var}/lib/named%{_localstatedir}/lib
-%dir %{_var}/lib/named%{_localstatedir}/run
-%attr(-,named,named) %dir %{_var}/lib/named/log
-%ghost %{_var}/lib/named%{_sysconfdir}/named.d/rndc.access.conf
-%ghost %{_var}/lib/named/dev/log
-%attr(0666, root, root) %dev(c, 1, 3) %{_var}/lib/named/dev/null
-%attr(0666, root, root) %dev(c, 1, 8) %{_var}/lib/named/dev/random
-%attr(0664, root, root) %dev(c, 1, 9) %{_var}/lib/named/dev/urandom
-%{_var}/lib/named%{_localstatedir}/lib/named
-%{_var}/lib/named%{_localstatedir}/log
-%{_fillupdir}/sysconfig.named-common
-%{_fillupdir}/sysconfig.syslog-named
-%ghost %{_var}/lib/named%{_sysconfdir}/localtime
-%attr(0644,root,named) %ghost %{_var}/lib/named%{_sysconfdir}/named.conf.include
-%attr(-,named,named) %dir %{_var}/lib/named%{_localstatedir}/run/named
-
%files devel
%dir %{_includedir}/isc
%{_includedir}/isc/errno2result.h
@@ -655,7 +613,7 @@
%{_sbindir}/rndc-confgen
%{_sbindir}/tsig-keygen
%dir %doc %{_defaultdocdir}/bind
-%{_defaultdocdir}/bind/README.%{VENDOR}
+%{_defaultdocdir}/bind/README*.%{VENDOR}
%{_defaultdocdir}/bind/.clang-format.headers
%{_mandir}/man1/arpaname.1%{ext_man}
%{_mandir}/man1/delv.1%{ext_man}
++++++ baselibs.conf ++++++
--- /var/tmp/diff_new_pack.ZxdYqF/_old 2021-01-30 13:55:37.813945126 +0100
+++ /var/tmp/diff_new_pack.ZxdYqF/_new 2021-01-30 13:55:37.813945126 +0100
@@ -1,17 +1,17 @@
libbind9-1600
-libdns1610
+libdns1611
libirs1601
-libisc1608
+libisc1609
obsoletes "bind-libs-<targettype> = <version>"
provides "bind-libs-<targettype> = <version>"
libisccc1600
-libisccfg1602
-libns1606
+libisccfg1603
+libns1607
bind-devel
requires -bind-<targettype>
requires "libbind9-1600-<targettype> = <version>"
- requires "libdns1610-<targettype> = <version>"
+ requires "libdns1611-<targettype> = <version>"
requires "libirs1601-<targettype> = <version>"
- requires "libisc1608-<targettype> = <version>"
+ requires "libisc1609-<targettype> = <version>"
requires "libisccc1600-<targettype> = <version>"
- requires "libisccfg1602-<targettype> = <version>"
+ requires "libisccfg1603-<targettype> = <version>"
++++++ bind-9.16.10.tar.xz -> bind-9.16.11.tar.xz ++++++
++++ 27939 lines of diff (skipped)
++++++ vendor-files.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/apparmor/usr.sbin.named new/vendor-files/apparmor/usr.sbin.named
--- old/vendor-files/apparmor/usr.sbin.named 2012-01-02 23:07:41.000000000 +0100
+++ new/vendor-files/apparmor/usr.sbin.named 2021-01-21 14:20:21.990662721 +0100
@@ -22,7 +22,6 @@
capability net_bind_service,
capability setgid,
capability setuid,
- capability sys_chroot,
capability sys_resource,
/** r,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/config/named.conf new/vendor-files/config/named.conf
--- old/vendor-files/config/named.conf 2020-10-23 13:43:08.242872586 +0200
+++ new/vendor-files/config/named.conf 2021-01-21 14:28:11.462642463 +0100
@@ -40,8 +40,7 @@
#dnssec-validation auto;
managed-keys-directory "/var__NSD__/named/dyn/";
- # Write dump and statistics file to the log subdirectory. The
- # pathenames are relative to the chroot jail.
+ # Write dump and statistics file to the log subdirectory.
dump-file "/var/log/named_dump.db";
statistics-file "/var/log/named.stats";
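Review bot: With the chroot gone, `dump-file "/var/log/named_dump.db"` and `statistics-file "/var/log/named.stats"` now name the real /var/log, but the named.service hunk in this commit sets `ProtectSystem=strict` with ReadWritePaths limited to /var/lib/named, /var/run and the two named.conf.include files, so `rndc dumpdb` and `rndc stats` would presumably fail with a read-only file system; the spec also stops creating the `log` directory under /var/lib/named that these paths used to resolve to. Either add the directory holding these files to `ReadWritePaths=` in the unit, or point both directives at a location under /var/lib/named. Any `logging { channel ... file ... }` directives elsewhere in the shipped config (not visible here) would need the same check.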
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/docu/README new/vendor-files/docu/README
--- old/vendor-files/docu/README 2006-03-13 16:56:36.000000000 +0100
+++ new/vendor-files/docu/README 2021-01-21 14:21:51.170658873 +0100
@@ -5,10 +5,8 @@
-------------------------------------
The BIND documentation is in the sub package bind-doc. All shared libraries
-are in the bind-libs package. As 'named' and lwresd are by default configured
-to run in a chroot jail bind-chrootenv is required by both packages bind and
-bind-lwresd. All DNS utilities are in the bind-utils package. Static
-libraries and header files are in bind-devel.
+are in the bind-libs package. All DNS utilities are in the bind-utils package.
+Static libraries and header files are in bind-devel.
createNamedConfInclude
----------------------
@@ -47,10 +45,6 @@
missing, the script createNamedConfInclude is called to create a new
/etc/named.conf.include file without the missing configuration snippet.
-The init script also ensures to copy all configuration files to the chroot
-jail, /var__NSD__/named/, while called with start, reload, restart, and
-try-restart.
-
rndc access
-----------
@@ -67,10 +61,8 @@
File permissions
----------------
-The BIND daemon process 'named' runs by default in a chroot jail,
-/var__NSD__/named/ and as user 'named'. You could disable the chroot behaviour by
-setting NAMED_RUN_CHROOTED with the YaST sysconfig or any editor in
-/etc/sysconfig/named to "no".
+File access permissions/restrictions are defined by appropriated directives
+in the "named.service" and "lwresd.service" systemd unit files.
The BIND package uses by default /var__NSD__/named/ to store its zone files.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/docu/README-bind.chrootenv new/vendor-files/docu/README-bind.chrootenv
--- old/vendor-files/docu/README-bind.chrootenv 1970-01-01 01:00:00.000000000 +0100
+++ new/vendor-files/docu/README-bind.chrootenv 2021-01-25 15:24:09.051584908 +0100
@@ -0,0 +1,11 @@
+With the release of bind 9.16.11, the bind-chrootenv subpackage is obsolete.
+Rather, protection is implemented through systemd's protection mechanism:
+* the servers are run with "ProtectSystem=strict", thus prohibiting the
+ service to write to arbitrary file system locations.
+* Writing is only permitted to
+ - /var/lib/named
+ - /var/run
+ - /etc/named.conf.include
+ - /etc/named.conf.include.BINDconfig
+For further restrictions/protection mechanisms refer to the
+named.service and lwresd.service unit files.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/init/lwresd new/vendor-files/init/lwresd
--- old/vendor-files/init/lwresd 2016-06-16 11:56:59.441289662 +0200
+++ new/vendor-files/init/lwresd 2021-01-21 14:24:38.658651645 +0100
@@ -59,14 +59,7 @@
cp -a /var/adm/fillup-templates/sysconfig.named-common ${SYSCONFIG_FILE}
. ${SYSCONFIG_FILE}
-if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then
- CHROOT_PREFIX="/var__NSD__/named"
- NAMED_ARGS="${NAMED_ARGS} -t ${CHROOT_PREFIX}"
-else
- CHROOT_PREFIX=""
-fi
-
-LWRESD_PID="${CHROOT_PREFIX}/var/run/named/lwresd.pid"
+LWRESD_PID="var/run/named/lwresd.pid"
function warnMessage()
{
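Review bot: `LWRESD_PID="var/run/named/lwresd.pid"` lost its leading slash, so the pid file is now resolved relative to the caller's working directory; the sibling init/named in this commit uses `NAMED_PID="/var/run/named/named.pid"` and system/lwresd.init uses `/var/run/named/lwresd.pid`, so this should read `LWRESD_PID="/var/run/named/lwresd.pid"`. The same missing slash appears in `NAMED_PID="var/run/named/named.pid"` in system/named.init in this commit, which is the script named.service runs; it happens to work there because the unit's default working directory is /, but `killproc -p` and `start_daemon -p` break as soon as the script is run from anywhere else.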
@@ -76,70 +69,23 @@
echo -e "$1 "
}
-# Create destination directory in the chroot.
-function makeDestDir
+# Check if all needed configuration files exist.
+function checkConfigFiles
{
- if [ ! -d "${CHROOT_PREFIX}/${configfile%/*}" ]; then
- umask 0022
- mkdir -p "${CHROOT_PREFIX}/${configfile%/*}"
- fi
-}
-
-# Check if all needed configuration files exist and copy these files relativly
-# to the chroot directory if 'named' runs chrooted.
-function checkAndCopyConfigFiles
-{
- test "${checkAndCopyConfigFilesCalled}" = "yes" && return
+ test "${checkConfigFilesCalled}" = "yes" && return
# Handle known configuration files.
- if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then
- # Create link if needed, /var/run might be on tmpfs
- test -d /var/run/named && \
- rm -rf /var/run/named
- test ! -L /var/run/named && \
- ln -s ${CHROOT_PREFIX}/var/run/named /var/run/named
-
- # mount /proc for multicore CPUs (bnc#470828)
- if [ ! -e "${CHROOT_PREFIX}/proc/meminfo" ]; then
- mkdir -p "${CHROOT_PREFIX}/proc"
- mount -tproc -oro,nosuid,nodev,noexec proc ${CHROOT_PREFIX}/proc 2>/dev/null
- fi;
-
- for configfile in /etc/{localtime,lwresd.conf,resolv.conf,rndc.key}; do
- if [ ! -e ${configfile} ]; then
- case ${configfile} in
- # Don't complain if we don't have a lwresd.conf
- /etc/lwresd.conf)
- rm -f "${CHROOT_PREFIX}/${configfile}" # clean chroot env.
- continue ;;
- # Don't complain if we don't have a key.
- /etc/rndc.key) continue ;;
- *)
- warnMessage "File ${configfile} not found. Skipping."
- continue
- ;;
- esac
- fi
- makeDestDir
- rm -f ${CHROOT_PREFIX}/${configfile}
- cp -a -L ${configfile} ${CHROOT_PREFIX}/${configfile%/*}
- done
- mkdir -p ${CHROOT_PREFIX}/___lib__
- cp -r /___lib__/engines ${CHROOT_PREFIX}/___lib__/
- else
- # NAMED_RUN_CHROOTED != yes
- test -L /var/run/named && rm /var/run/named
- if [ ! -d /var/run/named ]; then
- mkdir -p /var/run/named
- chown named: /var/run/named
- fi
+ test -L /var/run/named && rm /var/run/named
+ if [ ! -d /var/run/named ]; then
+ mkdir -p /var/run/named
+ chown named: /var/run/named
fi
- export checkAndCopyConfigFilesCalled="yes"
+ export checkConfigFilesCalled="yes"
}
case "$1" in
start)
echo -n "Starting Lightweight resolver daemon "
- checkAndCopyConfigFiles
+ checkConfigFiles
startproc ${LWRESD_BIN} ${NAMED_ARGS} -u named
rc_status -v
;;
@@ -193,7 +139,7 @@
;;
force-reload|reload)
echo -n "Reload service Lightweight resolver daemon "
- checkAndCopyConfigFiles
+ checkConfigFiles
killproc -p ${LWRESD_PID} -HUP ${LWRESD_BIN}
rc_status -v
;;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/init/named new/vendor-files/init/named
--- old/vendor-files/init/named 2020-09-18 15:23:03.198833016 +0200
+++ new/vendor-files/init/named 2021-01-21 14:23:40.274654165 +0100
@@ -87,17 +87,9 @@
done
fi
-if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then
- CHROOT_PREFIX="/var__NSD__/named"
- NAMED_ARGS="${NAMED_ARGS} -t ${CHROOT_PREFIX}"
- NAMED_CHECKCONF_ARGS="-t ${CHROOT_PREFIX}"
-else
- CHROOT_PREFIX=""
-fi
-
NAMED_CHECKCONF_BIN="/usr/sbin/named-checkconf"
NAMED_CONF_META_INCLUDE_FILE_SCRIPT="/usr/share/bind/createNamedConfInclude"
-NAMED_PID="${CHROOT_PREFIX}/var/run/named/named.pid"
+NAMED_PID="/var/run/named/named.pid"
RNDC_BIN="/usr/sbin/rndc"
if [ ! -x ${NAMED_BIN} -a "$1" != "stop" ] ; then
@@ -140,20 +132,10 @@
return ${rc}
}
-# Create destination directory in the chroot.
-function makeDestDir
-{
- if [ ! -d "${CHROOT_PREFIX}/${configfile%/*}" ]; then
- umask 0022
- mkdir -p "${CHROOT_PREFIX}/${configfile%/*}"
- fi
-}
-
-# Check if all needed configuration files exist and copy these files relativly
-# to the chroot directory if 'named' runs chrooted.
-function checkAndCopyConfigFiles
+# Check if all needed configuration files exist
+function checkConfigFiles
{
- test "${checkAndCopyConfigFilesCalled}" = "yes" && return
+ test "${checkConfigFilesCalled}" = "yes" && return
# check for /etc/rndc.key
if [ ! -f /etc/rndc.key ]; then
warnMessage "File /etc/rndc.key not found. Creating it."
@@ -163,38 +145,12 @@
fi
# Handle known configuration files.
- if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then
- # Create link if needed, /var/run might be on tmpfs
- test -d /var/run/named && \
- rm -rf /var/run/named
- test ! -L /var/run/named && \
- ln -s ${CHROOT_PREFIX}/var/run/named /var/run/named
-
- NAMED_D="/etc/named.d"
- # delete old named.d
- test -z "${CHROOT_PREFIX}${NAMED_D}" || rm -rf ${CHROOT_PREFIX}${NAMED_D}
- # copy new
- cp -a -L ${NAMED_D} ${CHROOT_PREFIX}${NAMED_D%/*}
- for configfile in ${NAMED_CONF_INCLUDE_FILES} "${NAMED_CONF}" "${NAMED_CONF_META_INCLUDE_FILE}" /etc/{localtime,rndc.key,ssl/openssl.cnf}; do
- if [ ! -e ${configfile} ]; then
- warnMessage "File ${configfile} not found. Skipping."
- continue
- fi
- makeDestDir
- rm -f ${CHROOT_PREFIX}/${configfile}
- cp -a -L ${configfile} ${CHROOT_PREFIX}/${configfile%/*}
- done
- mkdir -p ${CHROOT_PREFIX}/__openssl__
- cp -r __openssl__/* ${CHROOT_PREFIX}/__openssl__
- else
- # NAMED_RUN_CHROOTED != yes
- test -L /var/run/named && rm /var/run/named
- if [ ! -d /var/run/named ]; then
- mkdir -p /var/run/named
- chown named: /var/run/named
- fi
+ test -L /var/run/named && rm /var/run/named
+ if [ ! -d /var/run/named ]; then
+ mkdir -p /var/run/named
+ chown named: /var/run/named
fi
- export checkAndCopyConfigFilesCalled="yes"
+ export checkConfigFilesCalled="yes"
}
# Check the syntax of our 'named' configuration.
@@ -202,7 +158,7 @@
{
test "${namedConfChecked}" = "yes" && return
if ! ${NAMED_CHECKCONF_BIN} ${NAMED_CHECKCONF_ARGS} >/dev/null; then
- checkAndCopyConfigFiles
+ checkConfigFiles
if ! ${NAMED_CHECKCONF_BIN} ${NAMED_CHECKCONF_ARGS}; then
rc_status -s
rc_failed 6
@@ -228,7 +184,7 @@
1) echo -n "- Warning: ${NAMED_PID} exists! " ;;
esac
initializeNamed
- checkAndCopyConfigFiles
+ checkConfigFiles
namedCheckConf
start_daemon -p ${NAMED_PID} ${NAMED_BIN} ${NAMED_ARGS} -u named
rc_status -v
@@ -313,7 +269,7 @@
if [ ${rc} -ne 0 ]; then
echo "- Warning: named not running! "
else
- checkAndCopyConfigFiles
+ checkConfigFiles
namedCheckConf
initializeNamed
${RNDC_BIN} status &>/dev/null
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/sysconfig/named-common new/vendor-files/sysconfig/named-common
--- old/vendor-files/sysconfig/named-common 2004-09-27 20:19:58.000000000 +0200
+++ new/vendor-files/sysconfig/named-common 2021-01-21 14:27:46.334643547 +0100
@@ -1,21 +1,9 @@
## Path: Network/DNS/Name Server
## Description: Names server settings
-## Type: yesno
-## Default: yes
-## ServiceRestart: lwresd,named
-#
-# Shall the DNS server 'named' or the LightWeight RESolver Daemon, lwresd run
-# in the chroot jail /var__NSD__/named/?
-#
-# Each time you start one of the daemons with the init script, /etc/named.conf,
-# /etc/named.conf.include, /etc/rndc.key, and all files listed in
-# NAMED_CONF_INCLUDE_FILES will be copied relative to /var__NSD__/named/.
-#
-# The pid file will be in /var__NSD__/named/var/run/named/ and named named.pid
-# or lwresd.pid.
-#
-NAMED_RUN_CHROOTED="yes"
+# "named" and "lwresd" are now protected/restricted by appropriate directives
+# in the "named.service" and "lwresd.service" systemd unit files.
+# As a consequence, the NAMED_RUN_CHROOTED variable is obsolete and has been removed.
## Type: string
## Default: ""
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/sysconfig/named-named new/vendor-files/sysconfig/named-named
--- old/vendor-files/sysconfig/named-named 2020-08-06 14:34:50.884515125 +0200
+++ new/vendor-files/sysconfig/named-named 2021-01-21 14:25:53.326648423 +0100
@@ -1,21 +1,6 @@
-## Type: string
-## Default: ""
-## ServiceReload: named
-#
-# All mentioned config files will be copied relativ to /var__NSD__/named/, when
-# 'named' is started in the chroot jail.
-#
-# /etc/named.conf and /etc/rndc.key are always copied. Also all files from
-# include statements in named.conf.
-#
-# Filenames can be relative to /etc/named.d/.
-#
-# Please take care of the order if one file needs a setting of another.
-#
-# Example: "/etc/named-dhcpd.key ldap.dump rndc-access.conf"
-#
-# /etc/bind.keys is already included to suppress named warning about missing file.
-NAMED_CONF_INCLUDE_FILES="/etc/bind.keys"
+# NOTE: "named" and "lwresd" are now protected/resticted by directives
+# in the "named.service" and "lwresd.service" systemd unit files.
+# Therefore the NAMED_CONF_INCLUDE_FILES variable has been made obsolete
## Type: string
## Default: "createNamedConfInclude"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/sysconfig/syslog-named new/vendor-files/sysconfig/syslog-named
--- old/vendor-files/sysconfig/syslog-named 2004-09-06 23:12:41.000000000 +0200
+++ new/vendor-files/sysconfig/syslog-named 1970-01-01 01:00:00.000000000 +0100
@@ -1,13 +0,0 @@
-## Type: string
-## Default: "/var__NSD__/named/dev/log"
-## ServiceRestart: syslog
-## Config: syslog-ng
-#
-# The filename mentioned here will be added with the "-a ..." option as
-# additional socket via SYSLOGD_PARAMS when syslogd is started.
-#
-# This additional socket is needed in case that syslogd is restarted. Otherwise
-# a chrooted 'named' or 'lwresd' won't be able to continue logging.
-#
-SYSLOGD_ADDITIONAL_SOCKET_NAMED="/var__NSD__/named/dev/log"
-
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/system/lwresd.init new/vendor-files/system/lwresd.init
--- old/vendor-files/system/lwresd.init 2020-09-18 15:23:07.678833158 +0200
+++ new/vendor-files/system/lwresd.init 2021-01-21 14:29:12.602639825 +0100
@@ -21,14 +21,7 @@
cp -a /var/adm/fillup-templates/sysconfig.named-common ${SYSCONFIG_FILE}
. ${SYSCONFIG_FILE}
-if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then
- CHROOT_PREFIX="/var__NSD__/named"
- NAMED_ARGS="${NAMED_ARGS} -t ${CHROOT_PREFIX}"
-else
- CHROOT_PREFIX=""
-fi
-
-LWRESD_PID="${CHROOT_PREFIX}/var/run/named/lwresd.pid"
+LWRESD_PID="/var/run/named/lwresd.pid"
function warnMessage()
{
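Review bot: The retained `cp -a /var/adm/fillup-templates/sysconfig.named-common ${SYSCONFIG_FILE}` fallback copies a template this commit no longer installs — the spec's fillup loop is reduced to `named-named` and the `%{_fillupdir}/sysconfig.named-common` files entry is removed — so on a host without /etc/sysconfig/named the copy fails and the following `. ${SYSCONFIG_FILE}` sources a missing file. The enclosing block starts outside the hunk, so I cannot see its guard; either keep shipping sysconfig.named-common (it still carries the settings documented in the named-common hunk) or change the fallback to copy sysconfig.named-named and quote `"${SYSCONFIG_FILE}"`. The same line is kept in init/lwresd.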
@@ -38,20 +31,10 @@
echo -e "$1 "
}
-# Create destination directory in the chroot.
-function makeDestDir
+# Check if all needed configuration files exist.
+function checkConfigFiles
{
- if [ ! -d "${CHROOT_PREFIX}/${configfile%/*}" ]; then
- umask 0022
- mkdir -p "${CHROOT_PREFIX}/${configfile%/*}"
- fi
-}
-
-# Check if all needed configuration files exist and copy these files relativly
-# to the chroot directory if 'named' runs chrooted.
-function checkAndCopyConfigFiles
-{
- test "${checkAndCopyConfigFilesCalled}" = "yes" && return
+ test "${checkConfigFilesCalled}" = "yes" && return
# check for /etc/rndc.key
if [ ! -f /etc/rndc.key ]; then
warnMessage "File /etc/rndc.key not found. Creating it."
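Review bot: This function still falls back to creating /etc/rndc.key when it is missing (the creating command itself is after the hunk), but this script is what lwresd.service runs, and that unit now sets `ProtectSystem=strict` with a ReadWritePaths list that does not include /etc/rndc.key, so the fallback will presumably fail with a read-only /etc; the new %post scriptlet in bind.spec covers first install, but not a key deleted later. Either add `/etc/rndc.key` to `ReadWritePaths=` in the unit or turn the fallback into a clear error such as `warnMessage "File /etc/rndc.key not found. Run rndc-confgen -a as root."` followed by a non-zero exit. system/named.init has the same retained fallback under named.service.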
@@ -61,55 +44,18 @@
fi
# Handle known configuration files.
- if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then
- # Create link if needed, /var/run might be on tmpfs
- test -d /var/run/named && \
- rm -rf /var/run/named
- test ! -L /var/run/named && \
- ln -s ${CHROOT_PREFIX}/var/run/named /var/run/named
-
- # mount /proc for multicore CPUs (bnc#470828)
- if [ ! -e "${CHROOT_PREFIX}/proc/meminfo" ]; then
- mkdir -p "${CHROOT_PREFIX}/proc"
- mount -tproc -oro,nosuid,nodev,noexec proc ${CHROOT_PREFIX}/proc 2>/dev/null
- fi;
-
- for configfile in /etc/{localtime,lwresd.conf,resolv.conf,rndc.key}; do
- if [ ! -e ${configfile} ]; then
- case ${configfile} in
- # Don't complain if we don't have a lwresd.conf
- /etc/lwresd.conf)
- rm -f "${CHROOT_PREFIX}/${configfile}" # clean chroot env.
- continue ;;
- # Don't complain if we don't have a key.
- /etc/rndc.key) continue ;;
- *)
- warnMessage "File ${configfile} not found. Skipping."
- continue
- ;;
- esac
- fi
- makeDestDir
- rm -f ${CHROOT_PREFIX}/${configfile}
- cp -a -L ${configfile} ${CHROOT_PREFIX}/${configfile%/*}
- done
- mkdir -p ${CHROOT_PREFIX}/__openssl__
- cp -r __openssl__/* ${CHROOT_PREFIX}/__openssl__
- else
- # NAMED_RUN_CHROOTED != yes
- test -L /var/run/named && rm /var/run/named
- if [ ! -d /var/run/named ]; then
- mkdir -p /var/run/named
- chown named: /var/run/named
- fi
+ test -L /var/run/named && rm /var/run/named
+ if [ ! -d /var/run/named ]; then
+ mkdir -p /var/run/named
+ chown named: /var/run/named
fi
- export checkAndCopyConfigFilesCalled="yes"
+ export checkConfigFilesCalled="yes"
}
case "$1" in
start)
echo -n "Starting Lightweight resolver daemon "
- checkAndCopyConfigFiles
+ checkConfigFiles
exec ${LWRESD_BIN} ${NAMED_ARGS} -u named
;;
*)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/system/lwresd.service new/vendor-files/system/lwresd.service
--- old/vendor-files/system/lwresd.service 2018-12-10 10:23:42.436909759 +0100
+++ new/vendor-files/system/lwresd.service 2021-01-25 14:57:34.503653713 +0100
@@ -1,12 +1,25 @@
[Unit]
Description=Lightweight Resolver Daemon
After=network.target
-Before=nss-lookup.target
+After=time-set.target
Wants=nss-lookup.target
+Wants=time-set.target
[Service]
Type=forking
ExecStart=/usr/sbin/lwresd.init start
+ProtectSystem=strict
+ReadWritePaths=/var/lib/named /var/run /etc/named.conf.include /etc/named.conf.include.BINDconfig
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
[Install]
WantedBy=multi-user.target
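Review bot: The hunk replaces `Before=nss-lookup.target` with `After=time-set.target` instead of adding to it, so the resolver is no longer ordered before nss-lookup.target even though `Wants=nss-lookup.target` is kept; units that wait on nss-lookup.target for name resolution may now start before lwresd is up. Restoring `Before=nss-lookup.target` next to the two new time-set lines preserves the previous ordering. The `ReadWritePaths=` line also lists /var/run, which is a symlink to /run on current systems; listing `/run` is the more robust spelling if the intent is the pid directory created by the init script.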
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/system/named.init new/vendor-files/system/named.init
--- old/vendor-files/system/named.init 2020-09-18 15:23:14.838833386 +0200
+++ new/vendor-files/system/named.init 2021-01-21 14:30:03.954637609 +0100
@@ -51,17 +51,9 @@
done
fi
-if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then
- CHROOT_PREFIX="/var__NSD__/named"
- NAMED_ARGS="${NAMED_ARGS} -t ${CHROOT_PREFIX}"
- NAMED_CHECKCONF_ARGS="-t ${CHROOT_PREFIX}"
-else
- CHROOT_PREFIX=""
-fi
-
NAMED_CHECKCONF_BIN="/usr/sbin/named-checkconf"
NAMED_CONF_META_INCLUDE_FILE_SCRIPT="/usr/share/bind/createNamedConfInclude"
-NAMED_PID="${CHROOT_PREFIX}/var/run/named/named.pid"
+NAMED_PID="var/run/named/named.pid"
RNDC_BIN="/usr/sbin/rndc"
if [ ! -x ${NAMED_BIN} -a "$1" != "stop" ] ; then
@@ -103,20 +95,10 @@
return ${rc}
}
-# Create destination directory in the chroot.
-function makeDestDir
+# Check if all needed configuration files exist.
+function checkConfigFiles
{
- if [ ! -d "${CHROOT_PREFIX}/${configfile%/*}" ]; then
- umask 0022
- mkdir -p "${CHROOT_PREFIX}/${configfile%/*}"
- fi
-}
-
-# Check if all needed configuration files exist and copy these files relativly
-# to the chroot directory if 'named' runs chrooted.
-function checkAndCopyConfigFiles
-{
- test "${checkAndCopyConfigFilesCalled}" = "yes" && return
+ test "${checkConfigFilesCalled}" = "yes" && return
# check for /etc/rndc.key
if [ ! -f /etc/rndc.key ]; then
warnMessage "File /etc/rndc.key not found. Creating it."
@@ -126,38 +108,12 @@
fi
# Handle known configuration files.
- if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then
- # Create link if needed, /var/run might be on tmpfs
- test -d /var/run/named && \
- rm -rf /var/run/named
- test ! -L /var/run/named && \
- ln -s ${CHROOT_PREFIX}/var/run/named /var/run/named
-
- NAMED_D="/etc/named.d"
- # delete old named.d
- test -z "${CHROOT_PREFIX}${NAMED_D}" || rm -rf ${CHROOT_PREFIX}${NAMED_D}
- # copy new
- cp -a -L ${NAMED_D} ${CHROOT_PREFIX}${NAMED_D%/*}
- for configfile in ${NAMED_CONF_INCLUDE_FILES} "${NAMED_CONF}" "${NAMED_CONF_META_INCLUDE_FILE}" /etc/{localtime,rndc.key,ssl/openssl.cnf}; do
- if [ ! -e ${configfile} ]; then
- warnMessage "File ${configfile} not found. Skipping."
- continue
- fi
- makeDestDir
- rm -f ${CHROOT_PREFIX}/${configfile}
- cp -a -L ${configfile} ${CHROOT_PREFIX}/${configfile%/*}
- done
- mkdir -p ${CHROOT_PREFIX}/__openssl__
- cp -r __openssl__/* ${CHROOT_PREFIX}/__openssl__
- else
- # NAMED_RUN_CHROOTED != yes
- test -L /var/run/named && rm /var/run/named
- if [ ! -d /var/run/named ]; then
- mkdir -p /var/run/named
- chown named: /var/run/named
- fi
+ test -L /var/run/named && rm /var/run/named
+ if [ ! -d /var/run/named ]; then
+ mkdir -p /var/run/named
+ chown named: /var/run/named
fi
- export checkAndCopyConfigFilesCalled="yes"
+ export checkConfigFilesCalled="yes"
}
# Check the syntax of our 'named' configuration.
@@ -165,7 +121,7 @@
{
test "${namedConfChecked}" = "yes" && return
if ! ${NAMED_CHECKCONF_BIN} ${NAMED_CHECKCONF_ARGS} >/dev/null; then
- checkAndCopyConfigFiles
+ checkConfigFiles
if ! ${NAMED_CHECKCONF_BIN} ${NAMED_CHECKCONF_ARGS}; then
exit 6
fi
@@ -184,7 +140,7 @@
fi
initializeNamed
- checkAndCopyConfigFiles
+ checkConfigFiles
namedCheckConf
start_daemon -p ${NAMED_PID} ${NAMED_BIN} ${NAMED_ARGS} -u named
;;
@@ -207,7 +163,7 @@
;;
reload)
echo -n "Reloading name server BIND "
- checkAndCopyConfigFiles
+ checkConfigFiles
namedCheckConf
initializeNamed
${RNDC_BIN} status &>/dev/null
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/system/named.service new/vendor-files/system/named.service
--- old/vendor-files/system/named.service 2020-11-11 11:57:09.079024113 +0100
+++ new/vendor-files/system/named.service 2021-01-25 14:57:39.263653508 +0100
@@ -10,6 +10,18 @@
ExecStart=/usr/sbin/named.init start
ExecReload=/usr/sbin/named.init reload
ExecStop=/usr/sbin/named.init stop
+ProtectSystem=strict
+ReadWritePaths=/var/lib/named /var/run /etc/named.conf.include /etc/named.conf.include.BINDconfig
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
[Install]
WantedBy=multi-user.target
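Review bot: The new sandboxing block restricts namespaces, devices and kernel interfaces but leaves the capability bounding set untouched, so the root-run init script and named keep every capability until named drops to its user. The AppArmor profile updated in this same commit grants only net_bind_service, setgid, setuid and sys_resource, which suggests `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE CAP_CHOWN` (CAP_CHOWN because named.init still runs `chown named: /var/run/named`), with a note to test `rndc-confgen` and the pid-directory setup under it. lwresd.service gets the identical block and the same consideration. `ReadWritePaths=` does not cover the /var/log paths used for dump-file and statistics-file in the shipped named.conf, which is raised on that hunk.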