

(-)dns/bind910/files/named.in (-5 / +127 lines)
Lines 21-41 Link Here
21
start_postcmd=named_poststart
21
start_postcmd=named_poststart
22
reload_cmd=named_reload
22
reload_cmd=named_reload
23
stop_cmd=named_stop
23
stop_cmd=named_stop
24
stop_postcmd=named_poststop
24
25
25
named_enable=${named_enable:-"NO"}		# Run named, the DNS server (or NO).
26
named_enable=${named_enable:-"NO"}		# Run named, the DNS server (or NO).
26
named_program=${named_program:-"%%PREFIX%%/sbin/named"}	# Path to named, if you want a different one.
27
named_program=${named_program:-"%%PREFIX%%/sbin/named"}	# Path to named, if you want a different one.
27
named_conf=${named_conf:-"%%ETCDIR%%/named.conf"}	# Path to the configuration file
28
named_conf=${named_conf:-"%%ETCDIR%%/named.conf"}	# Path to the configuration file
28
named_flags=${named_flags:-""}			# Use this for flags OTHER than -u and -c
29
named_flags=${named_flags:-""}			# Use this for flags OTHER than -u and -c
29
named_uid=${named_uid:-"bind"}			# User to run named as
30
named_uid=${named_uid:-"bind"}			# User to run named as
31
named_chrootdir=${named_chrootdir:-""}		# Chroot directory, not enabled by default
32
named_chroot_autoupdate="YES"			# Automatically install/update chrooted components
33
named_symlink_enable="YES"			# Symlink the chrooted pid file
30
named_wait=${named_wait:-"NO"}			# Wait for working name service before exiting
34
named_wait=${named_wait:-"NO"}			# Wait for working name service before exiting
31
named_wait_host=${named_wait_host:-"localhost"}	# Hostname to check if named_wait is enabled
35
named_wait_host=${named_wait_host:-"localhost"}	# Hostname to check if named_wait is enabled
32
named_auto_forward=${named_auto_forward:-"NO"}	# Set up forwarders from /etc/resolv.conf
36
named_auto_forward=${named_auto_forward:-"NO"}	# Set up forwarders from /etc/resolv.conf
33
named_auto_forward_only=${named_auto_forward_only:-"NO"}	# Do "forward only" instead of "forward first"
37
named_auto_forward_only=${named_auto_forward_only:-"NO"}	# Do "forward only" instead of "forward first"
34
%%NATIVE_PKCS11%%named_pkcs11_engine=${named_pkcs11_engine:-""}	# Path to the PKCS#11 library to use.
38
%%NATIVE_PKCS11%%named_pkcs11_engine=${named_pkcs11_engine:-""}	# Path to the PKCS#11 library to use.
35
named_confdir="${named_conf%/*}" 		# Not a configuration directive but makes rclint happy.
39
named_confdir="${named_conf%/*}" 		# Will be altered for chroot.
40
41
# If running in a chroot cage, ensure that the appropriate files
42
# exist inside the cage, as well as helper symlinks into the cage
43
# from outside.
44
#
45
# As this is called after the is_running and required_dir checks
46
# are made in run_rc_command(), we can safely assume ${named_chrootdir}
47
# exists and named isn't running at this point (unless forcestart
48
# is used).
49
#
50
chroot_autoupdate()
51
{
52
	local file backupfiles
53
54
	# Create (or update) the chroot directory structure
55
	#
56
	if [ -r %%PREFIX%%/etc/mtree/BIND.chroot.dist ]; then
57
		mtree -deU -f %%PREFIX%%/etc/mtree/BIND.chroot.dist \
58
		    -p ${named_chrootdir}
59
	else
60
		warn "%%PREFIX%%/etc/mtree/BIND.chroot.dist missing,"
61
		warn "chroot directory structure not updated"
62
	fi
63
64
	# Use named_confdir without local-prefix inside chrootdir (e.g. remove /usr/local)
65
	named_confdir="${named_chrootdir}`echo ${named_conf%/*} | sed -e 's|%%PREFIX%%||'`"
66
67
	# Create (or update) the configuration directory symlink
68
	#
69
	if [ ! -L "${named_conf%/*}" ]; then
70
		if [ -d "${named_conf%/*}" ]; then
71
			sed -i "" -e '/^[[:blank:]]*directory/ s|%%PREFIX%%||;/[[:blank:]]file[[:blank:]]/ s|%%PREFIX%%||' ${named_conf}
72
			backupfiles="`find ${named_confdir} -type f`"
73
			if [ -n "${backupfiles}" ]; then
74
				tar cPzf /var/backups/named-chroot-files.tgz "${backupfiles}"
75
				warn "Saved files before overwriting into \"/var/backups/named-chroot-files.tgz\"!"
76
			fi
77
			rm -R ${named_confdir}
78
			mv "${named_conf%/*}" "${named_confdir%/*}"
79
		fi
80
	fi
81
82
	# Make sure it points to the right place.
83
	ln -shf ${named_confdir} ${named_conf%/*}
84
85
	# Adjust named_conf for chrootdir without local-prefix
86
	named_conf="${named_confdir##${named_chrootdir}}/${named_conf##*/}"
87
88
	# Mount a devfs in the chroot directory if needed
89
	#
90
	if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
91
		umount ${named_chrootdir}/dev 2>/dev/null
92
		devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
93
		devfs -m ${named_chrootdir}/dev rule apply path null unhide
94
		devfs -m ${named_chrootdir}/dev rule apply path random unhide
95
	else
96
		if [ -c ${named_chrootdir}/dev/null -a \
97
		    -c ${named_chrootdir}/dev/random ]; then
98
			info "named chroot: using pre-mounted devfs."
99
		else
100
			err 1 "named chroot: devfs cannot be mounted from" \
101
			    "within a jail. Thus a chrooted named cannot" \
102
			    "be run from within a jail." \
103
			    "To run named without chrooting it, set" \
104
			    "named_chrootdir=\"\" in /etc/rc.conf."
105
		fi
106
	fi
107
108
	# Copy and/or update key files to the chroot /etc
109
	#
110
	for file in localtime protocols services; do
111
		if [ -r /etc/$file ]; then
112
			cmp -s /etc/$file "${named_chrootdir}/etc/$file" ||
113
			    cp -p /etc/$file "${named_chrootdir}/etc/$file"
114
		fi
115
	done
116
}
117
118
# Make symlinks to the correct pid file
119
#
120
make_symlinks()
121
{
122
	checkyesno named_symlink_enable &&
123
	    ln -fs "${named_chrootdir}${pidfile}" ${pidfile}
124
}
36
125
37
named_poststart()
126
named_poststart()
38
{
127
{
128
	make_symlinks
129
39
	if checkyesno named_wait; then
130
	if checkyesno named_wait; then
40
		until ${command%/sbin/named}/bin/host $named_wait_host >/dev/null 2>&1; do
131
		until ${command%/sbin/named}/bin/host $named_wait_host >/dev/null 2>&1; do
41
			echo "	Waiting for nameserver to resolve $named_wait_host"
132
			echo "	Waiting for nameserver to resolve $named_wait_host"
Lines 83-94 Link Here
83
  	fi
174
  	fi
84
}
175
}
85
176
177
named_poststop()
178
{
179
	if [ -n "${named_chrootdir}" -a -c ${named_chrootdir}/dev/null ]; then
180
		if [ `${SYSCTL_N} security.jail.jailed` -eq 0 ]; then
181
			umount ${named_chrootdir}/dev 2>/dev/null || true
182
		else
183
			warn "named chroot:" \
184
			    "cannot unmount devfs from inside jail!"
185
		fi
186
	fi
187
}
188
86
create_file()
189
create_file()
87
{
190
{
88
	if [ -e "$1" ]; then
191
	if [ -e "$1" ]; then
89
		unlink $1
192
		unlink $1
90
	fi
193
	fi
91
	install -o root -g wheel -m 0644 /dev/null $1
194
	> $1
195
	chown root:wheel $1
196
	chmod 644 $1
92
}
197
}
93
198
94
named_prestart()
199
named_prestart()
Lines 101-111 Link Here
101
206
102
	piddir=`/usr/bin/dirname ${pidfile}`
207
	piddir=`/usr/bin/dirname ${pidfile}`
103
	if [ ! -d ${piddir} ]; then
208
	if [ ! -d ${piddir} ]; then
104
		install -d -o ${named_uid} -g ${named_uid} ${piddir}
209
		mkdir -m 0755 ${piddir}
210
		chown ${named_uid}:${named_uid} ${piddir}
105
	fi
211
	fi
106
212
107
	command_args="-u ${named_uid:=root} -c $named_conf $command_args"
108
109
%%NATIVE_PKCS11%%	if [ -z "$named_pkcs11_engine"]; then
213
%%NATIVE_PKCS11%%	if [ -z "$named_pkcs11_engine"]; then
110
%%NATIVE_PKCS11%%	  err 3 "named_pkcs11_engine has to be set to the PKCS#11 engine's library you want to use"
214
%%NATIVE_PKCS11%%	  err 3 "named_pkcs11_engine has to be set to the PKCS#11 engine's library you want to use"
111
%%NATIVE_PKCS11%%	elif [ ! -f $named_pkcs11_engine ]; then
215
%%NATIVE_PKCS11%%	elif [ ! -f $named_pkcs11_engine ]; then
Lines 116-121 Link Here
116
%%NATIVE_PKCS11%%
220
%%NATIVE_PKCS11%%
117
	local line nsip firstns
221
	local line nsip firstns
118
222
223
	# Is the user using a sandbox?
224
	#
225
	if [ -n "$named_chrootdir" ]; then
226
		rc_flags="$rc_flags -t $named_chrootdir"
227
		checkyesno named_chroot_autoupdate && chroot_autoupdate
228
	else
229
		named_symlink_enable=NO
230
	fi
231
232
	command_args="-u ${named_uid:=root} -c $named_conf $command_args"
233
119
	# Create an rndc.key file for the user if none exists
234
	# Create an rndc.key file for the user if none exists
120
	#
235
	#
121
	confgen_command="${command%/named}/rndc-confgen -a -b256 -u $named_uid \
236
	confgen_command="${command%/named}/rndc-confgen -a -b256 -u $named_uid \
Lines 135-140 Link Here
135
	local checkconf
250
	local checkconf
136
251
137
	checkconf="${command%/named}/named-checkconf"
252
	checkconf="${command%/named}/named-checkconf"
253
	if ! checkyesno named_chroot_autoupdate && [ -n "$named_chrootdir" ]; then
254
		checkconf="$checkconf -t $named_chrootdir"
255
	fi
138
256
139
	# Create a forwarder configuration based on /etc/resolv.conf
257
	# Create a forwarder configuration based on /etc/resolv.conf
140
	if checkyesno named_auto_forward; then
258
	if checkyesno named_auto_forward; then
Lines 210-213 Link Here
210
	$checkconf $named_conf || err 3 'named-checkconf for $named_conf failed'
328
	$checkconf $named_conf || err 3 'named-checkconf for $named_conf failed'
211
}
329
}
212
330
331
# Updating the following variables requires that rc.conf be loaded first
332
#
333
required_dirs="$named_chrootdir"	# if it is set, it must exist
334
213
run_rc_command "$1"
335
run_rc_command "$1"
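Review bot: In chroot_autoupdate() the backup taken before `rm -R ${named_confdir}` is unreliable: `backupfiles` is the newline-joined output of `find`, and passing it as one quoted word makes `tar cPzf … "${backupfiles}"` look for a single filename containing newlines, so it fails whenever more than one file exists, yet the "Saved files…" warning and the `rm -R` still run because tar's exit status is never checked (nothing visible enables `set -e`), leaving a failed backup silently followed by the deletion. Stream the list and refuse to delete on failure instead, e.g. `find "${named_confdir}" -type f -print0 | tar cPzf /var/backups/named-chroot-files.tgz --null -T - || err 1 "named chroot: backup of ${named_confdir} failed, refusing to remove it"`. The archive will likely contain rndc.key and any TSIG/DNSSEC key material kept next to named.conf, so it should be created under `umask 077` (or `chmod 600` right after) rather than relying on the target directory's mode. Quoting `"${named_confdir}"` in the `find` and `rm -R` lines would also be prudent, since the value is built from user-set rc.conf variables.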
