Subject: pkg/19099: improvements to net/named9 (libbind, automatic rndc config, etc., etc.)
To: None <gnats-bugs@gnats.netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-bugs
Date: 11/18/2002 23:32:50
>Number: 19099
>Category: pkg
>Synopsis: improvements to net/named9 (libbind, automatic rndc config, etc., etc.)
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: pkg-manager
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Mon Nov 18 20:33:01 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Greg A. Woods
>Release: pkgsrc-2002/11/17
>Organization:
Planix, Inc.; Toronto, Ontario; Canada
>Environment:
System: NetBSD 1.5W
Architecture: i386
Machine: i386
>Description:
Here are some improvements to the net/named9 package:

  - fix pidfile handling so that it doesn't leave all (or at least
    named's) RC.D scripts wide open to exploit by the user 'named'
    runs as (without this fix /var/run must either be writable by
    this user, or at least the named.pid file must be!!!! GRRR!!!!)
    (with such a lax attitude to security as this, is it any wonder
    new exploits continue to appear in BIND code?)

  - rename the package from 'bind' to 'bind9' so as to make it
    properly distinguishable from BIND-8 (a similar change needs to
    be made to net/bind8) (this helps avoid issues with
    audit-packages, as well as making it clearly obvious as to the
    origins of an installed package -- it now matches its pkgsrc
    module name, for instance)

  - build and install libbind, the ported and presumably updated
    BIND-8 resolver library for use with BIND-9 (WARNING: I've not
    yet checked to see if the recent buf-ovflw fixes are included in
    this version of the code).

  - use RCD_SCRIPTS and <mk/bsd.pkg.install.mk>

  - install a startup script for lwresd

  - create a user and group for named to run as

  - create a user and group for DNS administration (which
    allows rndc usage)

  - patch rndc-confgen so that it also sets the group owner of the
    key file to be the primary group-id of the user. (this thing
    really needs '-g group' and '-m mode' parameters too, but at
    least with the group-id set we can chmod the file in the RC.D)

  - many improvements to the named9 RC.D script, including:

      - automatically configure rndc if necessary (allows rndc
        to be a drop-in replacement for the old BIND-8 ndc)

      - add a proper "status" sub-command

  - minor fixes to the DESCR file (from the newer docs)

Still to be done:

  - verify that the libbind bugs have indeed been fixed.

  - fix the grotty way the PLIST is updated for doc files.
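The pidfile problem described in the first item, illustrated from the defending side: an added example (not part of this PR or of pkgsrc) of rc.d-style helpers that refuse to trust a pidfile the daemon's unprivileged user could have written or tampered with, and that check the target process's command name before signalling it. The helper names `proc_comm`, `safe_pidfile_pid` and `safe_signal` are assumptions made for the example; `/proc/PID/comm` is Linux-specific, with ps(1) as the fallback.

```shell
#!/bin/sh
# Added example, not part of the PR: defensive pidfile handling for an
# rc.d-style script.  The PR's point is that if the unprivileged user the
# daemon runs as can write the pidfile, a root-run `kill $(cat pidfile)`
# lets that user signal any process.  These helpers refuse a pidfile that
# such a user could have tampered with, and check the target's identity.

# Command name of process $1: /proc/PID/comm on Linux; the fallback for
# systems without it (NetBSD among them) is ps(1).
proc_comm() {
    if [ -r "/proc/$1/comm" ]; then
        cat "/proc/$1/comm"
    else
        ps -o comm= -p "$1" 2>/dev/null
    fi
}

# Print the pid recorded in pidfile $1, or print nothing and return 1.
# $2 is the user the file must belong to (default root).
safe_pidfile_pid() {
    f=$1
    owner=${2:-root}
    [ -f "$f" ] || return 1
    # Refuse a file not owned by $owner or writable by group/others.
    # -prune stops find descending; it is harmless on a plain file.
    [ -n "$(find "$f" -prune -user "$owner" ! -perm -g+w ! -perm -o+w \
             -print 2>/dev/null)" ] || return 1
    pid=$(head -n 1 "$f" 2>/dev/null) || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;   # anything but a bare decimal number
    esac
    [ "$pid" -gt 1 ] || return 1   # never pid 1, 0 or "all processes"
    printf '%s\n' "$pid"
}

# Send signal $4 (default TERM) to the pid in pidfile $1, but only if the
# file passes the checks above ($3 = required owner) and the process's
# command name equals $2 (e.g. "named"), so a stale or forged pid cannot
# redirect the signal to an unrelated process.
safe_signal() {
    pid=$(safe_pidfile_pid "$1" "${3:-root}") || return 1
    comm=$(proc_comm "$pid") || comm=
    [ -n "$comm" ] && [ "$comm" = "$2" ] || return 1
    kill "-${4:-TERM}" "$pid"
}
```

An rc.d script would call `safe_signal "$pidfile" named root` in place of `kill $(cat $pidfile)`; the ownership and mode checks are exactly what a pidfile written by the daemon's own user cannot satisfy.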
>How-To-Repeat:
>Fix:
Index: net/bind9/DESCR
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/net/bind9/DESCR,v
retrieving revision 1.2
diff -c -r1.2 DESCR
*** net/bind9/DESCR 27 Nov 2001 03:38:40 -0000 1.2
--- net/bind9/DESCR 9 Dec 2001 01:56:36 -0000
***************
*** 1,14 ****
! BIND version 9 is a major rewrite of nearly all aspects of the
! underlying BIND architecture. This re-architecting of BIND was
! necessitated by the expected demands of:
!
! - Domain name system growth, particularly in very large
! zones such as .COM
! - Protocol enhancements necessary to securely query and
! update zones
! - Protocol enhancements necessary to take advantage of
! certain architectural features of IP version 6
!
! The 9.0.0 release, and this release candidate, is aimed at
! early adopters and those who wish to make use of new 9.0
! features, such as IPv6 and DNSSEC secure resolution support.
--- 1,19 ----
! BIND, the Berkeley Internet Name Daemon, version 9 is a major
! rewrite of nearly all aspects of the underlying BIND architecture. Some
! of the important features of BIND-9 are:
! - DNS Security
! DNSSEC (signed zones)
! TSIG (signed DNS requests)
! - IP version 6
! Answers DNS queries on IPv6 sockets
! IPv6 resource records (A6, DNAME, etc.)
! Bitstring Labels
! Experimental IPv6 Resolver Library
! - DNS Protocol Enhancements
! IXFR, DDNS, Notify, EDNS0
! Improved standards conformance
! - Views
! One server process can provide multiple "views" of the
! DNS namespace to different clients.
! - Multiprocessor Support
! - Improved Portability Architecture
Index: net/bind9/Makefile
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/net/bind9/Makefile,v
retrieving revision 1.45
diff -c -r1.45 Makefile
*** net/bind9/Makefile 6 Oct 2002 16:44:53 -0000 1.45
--- net/bind9/Makefile 19 Nov 2002 03:34:58 -0000
***************
*** 2,21 ****
#
DISTNAME= bind-${BIND_VERSION}
CATEGORIES= net
MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/
MAINTAINER= hubertf@NetBSD.org
HOMEPAGE= http://www.isc.org/products/BIND/
! COMMENT= Version 9 of the Berkeley Internet Name Daemon, implementation of DNS
BIND_VERSION= 9.2.1
DIST_SUBDIR= bind/${BIND_VERSION}
- # IPv6 ready, automatically detected
.include "../../mk/bsd.prefs.mk"
BUILD_DEFS+= USE_INET6
! # No need to set USE_INET6, will auto-detect.
USE_BUILDLINK2= yes
USE_LIBTOOL= yes
--- 2,56 ----
#
DISTNAME= bind-${BIND_VERSION}
+ PKGNAME= bind9-${BIND_VERSION}
CATEGORIES= net
MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/
MAINTAINER= hubertf@NetBSD.org
HOMEPAGE= http://www.isc.org/products/BIND/
! COMMENT= Version 9 of the Berkeley Internet Name Daemon, an implementation of the DNS
!
! # different versions cannot be built if it's already installed....
! # also conflicts with ../net/bind8
! CONFLICTS= bind-[0-9]*
BIND_VERSION= 9.2.1
DIST_SUBDIR= bind/${BIND_VERSION}
.include "../../mk/bsd.prefs.mk"
+
+ RCD_SCRIPTS+= named9
+ RCD_SCRIPT_SRC.named9= ${FILESDIR}/named.sh
+ RCD_SCRIPTS+= lwresd
+
+ # IPv6 ready, automatically detected
BUILD_DEFS+= USE_INET6
! # XXX should explicitly set USE_INET6, but will auto-detect.
!
! NAMED_USER?= dns
! NAMED_USER_ID?= 40
! NAMED_GROUP?= dns
! NAMED_group_ID?= 40
! NAMED_ADMIN_USER?= dnsadmin
! NAMED_ADMIN_USER_ID?= 41
! NAMED_ADMIN_GROUP?= dnsadmin
! NAMED_ADMIN_GROUP_ID?= 41
!
! PKG_GROUPS+= ${NAMED_GROUP}:${NAMED_GROUP_ID}
! PKG_GROUPS+= ${NAMED_ADMIN_GROUP}:${NAMED_ADMIN_GROUP_ID}
!
! PKG_USERS+= ${NAMED_USER}:${NAMED_GROUP}:${NAMED_USER_ID}:Named\\ Runtime\\ User:/var/named
! PKG_USERS+= ${NAMED_ADMIN_USER}:${NAMED_ADMIN_GROUP}:${NAMED_ADMIN_USER_ID}:Named\\ Administrator:${PREFIX}/etc/namedb:${SH}
!
! FILES_SUBST+= NAMED_USER=${NAMED_USER:Q}
! FILES_SUBST+= NAMED_USER_ID=${NAMED_USER_ID:Q}
! FILES_SUBST+= NAMED_GROUP=${NAMED_GROUP:Q}
! FILES_SUBST+= NAMED_GROUP_ID=${NAMED_GROUP_ID:Q}
!
! FILES_SUBST+= NAMED_ADMIN_USER=${NAMED_ADMIN_USER:Q}
! FILES_SUBST+= NAMED_ADMIN_USER_ID=${NAMED_ADMIN_USER_ID:Q}
! FILES_SUBST+= NAMED_ADMIN_GROUP=${NAMED_ADMIN_GROUP:Q}
! FILES_SUBST+= NAMED_ADMIN_GROUP_ID=${NAMED_ADMIN_GROUP_ID:Q}
USE_BUILDLINK2= yes
USE_LIBTOOL= yes
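Review bot: `NAMED_group_ID?= 40` has a lower-case `group`, so `NAMED_GROUP_ID` is never defined and both `PKG_GROUPS+= ${NAMED_GROUP}:${NAMED_GROUP_ID}` and `FILES_SUBST+= NAMED_GROUP_ID=${NAMED_GROUP_ID:Q}` expand with an empty id (`dns:`); it should read `NAMED_GROUP_ID?= 40`. Also, the `${NAMED_ADMIN_USER}` entry in PKG_USERS ends in `:${SH}`, giving that account a real login shell while the runtime user gets none; since the account exists only so that its members can run rndc, either drop the shell or confirm (and say in DESCR or MESSAGE) that the account is created locked and is meant to be reached via su.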
***************
*** 31,45 ****
# include at the bottom to use OpenSSL shipped with BIND9.
CONFIGURE_ARGS+=--with-openssl=${SSLBASE}
! PTHREAD_OPTS+= native
! post-build:
! ${SED} \
! -e 's|@PREFIX@|${PREFIX}|' \
! <${FILESDIR}/named.sh >${WRKDIR}/named
! ${SED} \
! -e 's|@PREFIX@|${PREFIX}|' \
! <${FILESDIR}/lwresd.sh >${WRKDIR}/lwresd
# include/isc/ipv6.h is installed on non-ipv6 platforms
IPV6H= ""
--- 66,74 ----
# include at the bottom to use OpenSSL shipped with BIND9.
CONFIGURE_ARGS+=--with-openssl=${SSLBASE}
! CONFIGURE_ARGS+=--enable-libbind
! PTHREAD_OPTS+= native
# include/isc/ipv6.h is installed on non-ipv6 platforms
IPV6H= ""
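Review bot: `CONFIGURE_ARGS+=--enable-libbind` turns the BIND-8 resolver library on unconditionally, while the description says it has not yet been verified that the recent resolver buffer-overflow fixes are in this copy of the code; until that is confirmed, make it opt-in (a user-settable variable defaulting to off, in the style of the `NAMED_USER?=` settings) so a default build does not ship a second, unaudited resolver library. Replacing the sed-generated scripts with RCD_SCRIPTS plus FILES_SUBST is fine, but lwresd now depends on the RCD_SCRIPT_SRC default of `${FILESDIR}/lwresd.sh`; an explicit `RCD_SCRIPT_SRC.lwresd=` line beside the named9 one would make that visible.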
***************
*** 57,75 ****
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/bind9/misc
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/bind9/rfc
${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/bind9
${INSTALL_DATA} ${WRKSRC}/doc/arm/* ${PREFIX}/share/doc/bind9/arm
${INSTALL_DATA} ${WRKSRC}/doc/draft/* ${PREFIX}/share/doc/bind9/draft
${INSTALL_DATA} ${WRKSRC}/doc/misc/* ${PREFIX}/share/doc/bind9/misc
${INSTALL_DATA} ${WRKSRC}/doc/rfc/* ${PREFIX}/share/doc/bind9/rfc
${CP} ${PKGDIR}/PLIST ${PLIST_SRC}
(cd ${PREFIX}; ${FIND} share/doc/bind9 -type f -print ) >> ${PLIST_SRC}
(cd ${PREFIX}; ${FIND} share/doc/bind9 -type d -print ) | \
${SED} -e 's/^/@dirrm /' | ${SORT} -r >> ${PLIST_SRC}
- ${INSTALL_SCRIPT} ${WRKDIR}/named ${PREFIX}/etc/rc.d/named9
- ${INSTALL_SCRIPT} ${WRKDIR}/lwresd ${PREFIX}/etc/rc.d/lwresd
.include "../../mk/pthread.buildlink2.mk"
.include "../../security/openssl/buildlink2.mk"
.include "../../mk/bsd.pkg.mk"
.if defined(PTHREAD_TYPE) && (${PTHREAD_TYPE} == "none")
--- 86,105 ----
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/bind9/misc
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/bind9/rfc
${INSTALL_DATA} ${WRKSRC}/README ${PREFIX}/share/doc/bind9
+ @${ECHO_MSG} "This next bit is rather grotty!"
${INSTALL_DATA} ${WRKSRC}/doc/arm/* ${PREFIX}/share/doc/bind9/arm
${INSTALL_DATA} ${WRKSRC}/doc/draft/* ${PREFIX}/share/doc/bind9/draft
${INSTALL_DATA} ${WRKSRC}/doc/misc/* ${PREFIX}/share/doc/bind9/misc
${INSTALL_DATA} ${WRKSRC}/doc/rfc/* ${PREFIX}/share/doc/bind9/rfc
+ @${ECHO_MSG} "And this next bit is really REALLY grotty!"
${CP} ${PKGDIR}/PLIST ${PLIST_SRC}
(cd ${PREFIX}; ${FIND} share/doc/bind9 -type f -print ) >> ${PLIST_SRC}
(cd ${PREFIX}; ${FIND} share/doc/bind9 -type d -print ) | \
${SED} -e 's/^/@dirrm /' | ${SORT} -r >> ${PLIST_SRC}
.include "../../mk/pthread.buildlink2.mk"
.include "../../security/openssl/buildlink2.mk"
+ .include "../../mk/bsd.pkg.install.mk"
.include "../../mk/bsd.pkg.mk"
.if defined(PTHREAD_TYPE) && (${PTHREAD_TYPE} == "none")
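Review bot: the two `@${ECHO_MSG} "... grotty!"` lines are notes to the maintainer that will be printed to every user at install time; move that text into `#` comments above the corresponding commands (the PLIST-generation issue is already recorded under "Still to be done" in the description).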
Index: net/bind9/PLIST
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/net/bind9/PLIST,v
retrieving revision 1.4
diff -c -r1.4 PLIST
*** net/bind9/PLIST 20 Aug 2002 01:38:17 -0000 1.4
--- net/bind9/PLIST 19 Nov 2002 03:21:38 -0000
***************
*** 6,11 ****
--- 6,34 ----
bin/nsupdate
etc/rc.d/lwresd
etc/rc.d/named9
+ bind/include/fd_setsize.h
+ bind/include/hesiod.h
+ bind/include/irp.h
+ bind/include/irs.h
+ bind/include/netdb.h
+ bind/include/netgroup.h
+ bind/include/res_update.h
+ bind/include/resolv.h
+ bind/include/arpa/inet.h
+ bind/include/arpa/nameser.h
+ bind/include/arpa/nameser_compat.h
+ bind/include/isc/assertions.h
+ bind/include/isc/ctl.h
+ bind/include/isc/dst.h
+ bind/include/isc/eventlib.h
+ bind/include/isc/heap.h
+ bind/include/isc/irpmarshall.h
+ bind/include/isc/list.h
+ bind/include/isc/logging.h
+ bind/include/isc/memcluster.h
+ bind/include/isc/misc.h
+ bind/include/isc/tree.h
+ bind/include/sys/bitypes.h
include/dns/a6.h
include/dns/acl.h
include/dns/adb.h
***************
*** 168,173 ****
--- 191,201 ----
include/lwres/netdb.h
include/lwres/platform.h
include/lwres/result.h
+ lib/libbind.a
+ lib/libbind.la
+ lib/libbind.so
+ lib/libbind.so.0
+ lib/libbind.so.0.1
lib/libdns.a
lib/libdns.la
lib/libdns.so
***************
*** 203,208 ****
--- 231,240 ----
sbin/named-checkzone
sbin/rndc
sbin/rndc-confgen
+ @dirrm bind/include/arpa
+ @dirrm bind/include/isc
+ @dirrm bind/include/sys
+ @dirrm bind/include
@dirrm include/lwres
@dirrm include/isccc
@dirrm include/isccfg
Index: net/bind9/distinfo
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/net/bind9/distinfo,v
retrieving revision 1.7
diff -c -r1.7 distinfo
*** net/bind9/distinfo 27 Jun 2002 07:33:26 -0000 1.7
--- net/bind9/distinfo 19 Nov 2002 00:57:11 -0000
***************
*** 2,7 ****
--- 2,9 ----
SHA1 (bind/9.2.1/bind-9.2.1.tar.gz) = 6ea711ce3b786b3c5fab89273b4132061745c846
Size (bind/9.2.1/bind-9.2.1.tar.gz) = 5021044 bytes
+ SHA1 (patch-aa) = 75df55a15cfe916bf193b26f29763359f24c11e5
SHA1 (patch-ab) = 1d3d82e3e01ac38e8a1b1d98e018849e8fe071bf
SHA1 (patch-ac) = 1696adfab7392e0f150d34931b808e51ad017938
SHA1 (patch-ai) = 916d2cdadd420b34e908f3c128e864bf271ebb6a
+ SHA1 (patch-zz) = bfa14077c64b449d0b50bad4fd12228b188fbf26
Index: net/bind9/files/named.sh
===================================================================
RCS file: /cvs/master/m-NetBSD/main/pkgsrc/net/bind9/files/named.sh,v
retrieving revision 1.2
diff -c -r1.2 named.sh
*** net/bind9/files/named.sh 23 Sep 2002 14:40:52 -0000 1.2
--- net/bind9/files/named.sh 19 Nov 2002 04:05:55 -0000
***************
*** 1,30 ****
! #!/bin/sh
#
# $NetBSD: named.sh,v 1.2 2002/09/23 14:40:52 grant Exp $
#
# PROVIDE: named
! # REQUIRE: SERVERS
. /etc/rc.subr
! name="named"
! rcvar=${name}9
command="@PREFIX@/sbin/${name}"
pidfile="/var/run/${name}.pid"
! extra_commands="reload"
load_rc_config ${name}9 # check /etc/rc.conf.d/named9
named_precmd()
{
! # Die if $named is also set (i.e. the system's named is not disabled
if checkyesno named ; then
! warn \
! "disable 'named' when setting 'named9'!"
return 1
fi
}
start_precmd="named_precmd"
run_rc_command "$1"
--- 1,69 ----
! #! /bin/sh
#
# $NetBSD: named.sh,v 1.2 2002/09/23 14:40:52 grant Exp $
#
# PROVIDE: named
! # REQUIRE: SERVERS mountall
! # BEFORE: DAEMON
! # KEYWORD: shutdown
!
! # XXX note the service provided should be something like "dnssrvr"
. /etc/rc.subr
! name="named" # This causes us to inherit $named_flags ...
! rcvar=${name}9 # ... but this gives us a separate yes/no var
!
! named_runtime_user="@NAMED_USER@" # DO NOT name this var 'named_user'!!!!
! named_admin_user="@NAMED_ADMIN_USER@"
! named_admin_group="@NAMED_ADMIN_GROUP@"
!
command="@PREFIX@/sbin/${name}"
+ command_args="-u ${named_runtime_user}"
pidfile="/var/run/${name}.pid"
+ required_files="/etc/${name}.conf"
! extra_commands="status info"
load_rc_config ${name}9 # check /etc/rc.conf.d/named9
named_precmd()
{
! # Die if $named is also set (i.e. if the original system version
! # of named is not disabled)
if checkyesno named ; then
! warn "disable 'named' when setting 'named9'!"
return 1
fi
+
+ # Running rndc-confgen -a allows BIND 9 and rndc to be used as
+ # drop-in replacements for BIND 8 and ndc, with no changes to
+ # the existing BIND 8 named.conf file.
+ #
+ # Even if custom configuration has been done via a "controls"
+ # clause in /etc/named.conf and with /etc/rndc.conf, it won't
+ # hurt to have an /etc/rndc.key file sitting around.
+ #
+ # WARNING: Use of /dev/random could "hang" waiting for random
+ # data, but use of /dev/urandom may not be random enough!
+ #
+ if [ ! -f /etc/rndc.key ]; then
+ @PREFIX@/sbin/rndc-confgen -r /dev/urandom -a -u ${named_admin_user}
+ chmod 640 /etc/rndc.key
+ # XXX chgrp may not be on root fs!!! ### /usr/bin/chgrp ${named_admin_group} /etc/rndc.key
+ fi
}
start_precmd="named_precmd"
+
+ named_statuscmd()
+ {
+ rndc status
+ if [ $? -ne 0 -a ! -f ${pidfile} ] ; then
+ warn "${command} probably not running...."
+ else
+ ps -up $(cat ${pidfile})
+ fi
+ }
+ status_cmd="named_statuscmd"
run_rc_command "$1"
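Review bot: the key file that `rndc-confgen -r /dev/urandom -a -u ${named_admin_user}` creates is owned by the admin user, with (after patch-zz) the admin user's primary group, and mode 640 from the following `chmod`, yet named itself is now started with `-u ${named_runtime_user}`; unless named opens /etc/rndc.key only before it drops privileges, the control channel will fail because the runtime user cannot read the key, and a `named9 reload` (after the drop) is the case to test. If it fails, add the runtime user to ${named_admin_group} or give the key file the runtime group. Three smaller points: `extra_commands="status info"` lists `info` but no `info_cmd` is defined, and the original `reload` was dropped, so rc.subr will no longer accept `named9 reload`; `rndc status` in named_statuscmd should be `@PREFIX@/sbin/rndc status`, since rc.d scripts run with a minimal PATH; and with `REQUIRE: SERVERS mountall` now in place, /usr is mounted by the time this runs, so the commented-out chgrp can simply be enabled (or use `/sbin/chown :${named_admin_group} /etc/rndc.key`, which lives on the root filesystem).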
Index: net/bind9/patches/patch-aa
===================================================================
RCS file: net/bind9/patches/patch-aa
diff -N net/bind9/patches/patch-aa
*** /dev/null 1 Jan 1970 00:00:00 -0000
--- net/bind9/patches/patch-aa 8 Dec 2001 20:25:51 -0000
***************
*** 0 ****
--- 1,33 ----
+ $NetBSD$
+
+ --- bin/named/server.c.orig 1 Dec 2001 03:32:20 -0000
+ +++ bin/named/server.c 7 Dec 2001 19:29:19 -0000
+ @@ -1950,6 +1950,14 @@
+ }
+ }
+
+ + obj = NULL;
+ + if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
+ + ns_os_writepidfile(cfg_obj_asstring(obj));
+ + else if (ns_g_lwresdonly)
+ + ns_os_writepidfile(lwresd_g_defaultpidfile);
+ + else
+ + ns_os_writepidfile(ns_g_defaultpidfile);
+ +
+ /*
+ * Relinquish root privileges.
+ */
+ @@ -2031,13 +2039,6 @@
+ }
+ }
+
+ - obj = NULL;
+ - if (ns_config_get(maps, "pid-file", &obj) == ISC_R_SUCCESS)
+ - ns_os_writepidfile(cfg_obj_asstring(obj));
+ - else if (ns_g_lwresdonly)
+ - ns_os_writepidfile(lwresd_g_defaultpidfile);
+ - else
+ - ns_os_writepidfile(ns_g_defaultpidfile);
+
+ obj = NULL;
+ result = ns_config_get(maps, "statistics-file", &obj);
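Review bot: moving the `ns_os_writepidfile()` call ahead of the "Relinquish root privileges" block is the right fix for the pidfile-trust problem in the description, since the file is then created by root in a root-owned /var/run, but the call is only moved, not guarded: load_configuration() runs again on every reload, and by then named has already changed to the unprivileged user, so the rewrite of /var/run/named.pid will fail. Check what ns_os_writepidfile() does on an open failure (it must not abort the server; a stale but root-owned pidfile is acceptable), or guard the moved block so that it runs only on the initial load, as the privilege drop itself must. The `$NetBSD$` header line is the pkgsrc convention, as expected.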
Index: net/bind9/patches/patch-zz
===================================================================
RCS file: net/bind9/patches/patch-zz
diff -N net/bind9/patches/patch-zz
*** /dev/null 1 Jan 1970 00:00:00 -0000
--- net/bind9/patches/patch-zz 19 Nov 2002 00:42:46 -0000
***************
*** 0 ****
--- 1,26 ----
+ #ident "@(#)$Id$"
+
+ Index: bin/rndc/unix/os.c
+ ===================================================================
+ RCS file: /cvs/misc/bind-9/bin/rndc/unix/os.c,v
+ retrieving revision 1.1.1.1
+ diff -c -c -r1.1.1.1 bin/rndc/unix/os.c
+ *** bin/rndc/unix/os.c 1 Dec 2001 03:32:22 -0000 1.1.1.1
+ --- bin/rndc/unix/os.c 18 Nov 2002 22:05:23 -0000
+ ***************
+ *** 38,44 ****
+ errno = EINVAL;
+ return (-1);
+ }
+ ! return (fchown(fileno(fd), pw->pw_uid, -1));
+ }
+
+ FILE *
+ --- 38,44 ----
+ errno = EINVAL;
+ return (-1);
+ }
+ ! return (fchown(fileno(fd), pw->pw_uid, pw->pw_gid));
+ }
+
+ FILE *
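Review bot: the `#ident "@(#)$Id$"` header uses a CVS keyword that will be expanded when the file is committed, changing the file's contents and thus invalidating the `SHA1 (patch-zz)` just added to distinfo; replace it with the `$NetBSD$` line that pkgsrc patches carry (as patch-aa does), which the checksum tooling is written to ignore. The change itself, `fchown(fileno(fd), pw->pw_uid, -1)` to `fchown(fileno(fd), pw->pw_uid, pw->pw_gid)`, does what the description says: the key file's group becomes the admin user's primary group, which is what lets the rc.d script's `chmod 640` grant read access to that group alone. Note that it changes the behaviour of rndc-confgen -u for every caller, not just this package's rc.d script, so it is worth a comment in the patch header.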
>Release-Note:
>Audit-Trail:
>Unformatted: