Attachment 226063 Details for Bug 256849 – Extend rc.d/named to handle chrooting samba4 DLZ dependencies

[patch] Extend rc.d/named to handle chrooting samba4 DLZ dependencies

files_named.in.diff (text/plain), 7.25 KB, created by Harald Schmalzbauer on 2021-06-26 19:37:29 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Harald Schmalzbauer

Created: 2021-06-26 19:37:29 UTC

Size: 7.25 KB

patch

obsolete

>--- dns/bind916/files/named.in	2021-06-14 14:22:38.000000000 +0200
>+++ dns/bind916/files/named.in	2021-06-26 19:33:17.970546000 +0200
>@@ -16,6 +16,9 @@
> #				    Historically, was /var/named
> # named_chroot_autoupdate (bool):   Automatically install/update chrooted
> # 				    components of named.
>+# named_chroot_dlzcopy (str):	    If defined, copy dlz module dependencies,
>+#				    e.g. for samba (along with the .so itself):
>+#			     /usr/local/lib/samba4/modules/bind9/dlz_bind9_16.so
> # named_symlink_enable (bool):	    Symlink the chrooted pid file
> # named_wait (bool):		    Wait for working name service before exiting
> # named_wait_host (str):	    Hostname to check if named_wait is enabled
>@@ -53,6 +56,7 @@
> named_auto_forward=${named_auto_forward:-"NO"}
> named_auto_forward_only=${named_auto_forward_only:-"NO"}
> %%NATIVE_PKCS11%%named_pkcs11_engine=${named_pkcs11_engine:-""}
>+named_chroot_dlzcopy=${named_chroot_dlzcopy:-""}
> 
> # Not configuration variables but having them here keeps rclint happy
> required_dirs="${named_chrootdir}"
>@@ -60,6 +64,8 @@
> _named_confdir="${named_chrootdir}${_named_confdirroot}"
> _named_program_root="${named_program%/sbin/named}"
> _openssl_engines="%%ENGINES%%"
>+_samba_named_dir="/var/db/samba4/bind-dns"
>+_samba_private_dir="${_samba_named_dir%/*}/private"
> 
> # Needed if named.conf and rndc.conf are moved or if rndc.conf is used
> rndc_conf=${rndc_conf:-"$_named_confdir/rndc.conf"}
>@@ -76,7 +82,7 @@
> #
> chroot_autoupdate()
> {
>-	local file
>+	local file depfiles dstdirs isjailed
> 
> 	# If it's the first time around, fiddle with things and move the
> 	# current configuration to the chroot.
>@@ -126,6 +132,7 @@
> 		devfs_domount ${named_chrootdir}/dev devfsrules_hide_all
> 		devfs -m ${named_chrootdir}/dev rule apply path null unhide
> 		devfs -m ${named_chrootdir}/dev rule apply path random unhide
>+		isjailed=''
> 	else
> 		if [ -c ${named_chrootdir}/dev/null -a \
> 		    -c ${named_chrootdir}/dev/random ]; then
>@@ -138,6 +145,7 @@
> 				"run named without chrooting it, set " \
> 				"named_chrootdir=\"\" in /etc/rc.conf."
> 		fi
>+		isjailed=true
> 	fi
> 
> 	# The OpenSSL engines and BIND9 plugins should be present in the
>@@ -153,6 +161,132 @@
> 			cp -p /etc/${file} "${named_chrootdir}/etc/${file}"
> 		fi
> 	done
>+
>+	# Determine samba dlz.so dependencies and copy over to chroot, but
>+	# only if $named_chroot_dlzcopy exists (subsequently skipping
>+	# due to zero-length variables too).
>+	IFS=$'\n'
>+	[ -r "${named_chroot_dlzcopy:-/nonexistent/skip-depfiles}" ] &&
>+	  depfiles=`ldd "${named_chroot_dlzcopy}" | cut -w -f 4 | \
>+	    grep -vF "${named_chroot_dlzcopy}"; \
>+	        echo -n "${named_chroot_dlzcopy}"` || depfiles=''; destdirs=''
>+
>+	# Additionally, there's a lot more modules which named(8) needs after
>+	# loading $named_chroot_dlzcopy.
>+	# Statically copy the complete directories for now, if samba-dlz is
>+	# wanted (independent if chrooted in jail or not).
>+	if echo "${depfiles}" | grep -qF samba; then
>+		for copydir in `echo \
>+		    "${named_chrootdir}/usr/local/lib/samba4/modules/gensec"; \
>+		    echo "${named_chrootdir}/usr/local/lib/samba4/private"` \
>+		        "${named_chrootdir}/usr/local/lib/samba4/modules/ldb"
>+		do
>+			# Only readable absolute directory paths are valid
>+			[ "${copydir#/}" != "${copydir}" ] &&
>+			  [ -r "${copydir#"${named_chrootdir}"}" ] ||
>+			    continue
>+			# Further validate and limit to minimal depth of 2
>+			[ -n "${copydir%/*}" ] &&
>+			   echo "${copydir%/*}" |
>+			     grep -Eq "^${named_chrootdir}/+[^/]+/+[^/]+" ||
>+			       continue
>+			# Make sure target parent directory exists
>+			if ! [ -d "${copydir%/*}" ]; then
>+				[ -e "${copydir%/*}" ] && rm -Rf "${copydir%/*}"
>+				mkdir -p "${copydir%/*}"
>+			fi
>+			cp -Rfp "${copydir#"${named_chrootdir}"}" \
>+			  "${copydir%/*}"
>+		done
>+	fi
>+
>+
>+	# NOTE: This POC implementation requires /var/db/samba4/bind-dns to be
>+	# nullfs(4) mounted into $named_chrootdir (unclear if samba consults
>+	# the database files itself, which requires them to be identical in both
>+	# namespaces).
>+	# For jails, you must hanlde by host's jail setup!
>+	if [ -z "${isjailed}" ] && echo "${depfiles}" | grep -qF samba; then
>+		for nullmpdir in `echo "${named_chrootdir}${_samba_named_dir}"`\
>+		    "${named_chrootdir}${_samba_private_dir}"/sam.ldb.d
>+		do
>+			umount "${nullmpdir}" 2>/dev/null
>+			# Make sure mountpoint exists
>+			if ! [ -d "${nullmpdir}" ]; then
>+				[ -e "${nullmpdir}" ] && rm -Rf "${nullmpdir}"
>+				mkdir -p "${nullmpdir}"
>+			fi
>+			mount_nullfs "${_samba_named_dir}" \
>+			  "${nullmpdir}"
>+		done
>+	elif echo "${depfiles}" | grep -qF samba; then
>+		if [ -f "${named_chrootdir}${_samba_named_dir}"/dns/sam.ldb -a \
>+	   -r "${named_chrootdir}${_samba_private_dir}"/sam.ldb.d/metadata.tdb ]
>+		then
>+			info "named chroot: using pre-mounted ${_samba_named_dir}"
>+		else
>+			err 1 "named chroot:" \
>+				"${_samba_named_dir}/ cannot be mounted from " \
>+				"within a jail. Thus a chrooted named cannot " \
>+				"load the samba DLZ db-files outside it's "\
>+				"named_chrootdir. Either run named without " \
>+				"chrooting, (set named_chrootdir=\"\" in " \
>+				"/etc/rc.conf) or mount ${_samba_named_dir}/ " \
>+				"from the host."
>+				"In addition ${_samba_private_dir}/sam.ldb.d/ "\
>+				"needs to be handled likewise."
>+		fi
>+	fi
>+
>+	for file in ${depfiles}; do
>+		# Only readable absolute file paths are valid
>+		[ "${file#/}" != "${file}" -a -r "${file}" ] || continue
>+		# Destination directories must exist first:
>+		# Compose list of directories needed, based on the destination
>+		# path for fixed string grepping, avoiding substring matches.
>+		if ! echo "${dstdirs}" | grep -qF "${named_chrootdir}${file%/*}"
>+		then
>+			dstdirs=$([ -n "${dstdirs}" ] && echo \
>+			    "${dstdirs}"; echo "${named_chrootdir}${file%/*}")
>+		fi
>+        done
>+
>+	# Create required destination directories
>+	for dir in ${dstdirs}; do
>+		[ -e "${dir}" ] && [ -d "${dir}" ] || mkdir -p "${dir}"
>+	done
>+	# Do copy on demand
>+	for file in ${depfiles}; do
>+		# Only readable absolute file paths are valid
>+		if [ "${file#/}" != "${file}" -a -r "${file}" ] &&
>+		    ! cmp -s "${file}" "${named_chrootdir}${file}"
>+		then
>+			# Failing chflags is acceptable, don't emitt errmessage
>+			cp -Rfp "${file}" "${named_chrootdir}${file}" 2>/dev/null
>+		fi
>+	done
>+	unset IFS
>+
>+	if echo "${depfiles}" | grep -qF samba; then
>+        	# null_mount_or_copy is openssl biased and likes .so files only.
>+		# Simply always copy the kerberos keytab used for dns updates!
>+		if ! [ -d "${named_chrootdir}${_samba_private_dir}" ]; then
>+			[ -e "${named_chrootdir}${_samba_private_dir}" ] &&
>+			  rm -Rf "${named_chrootdir}${_samba_private_dir}"
>+			mkdir -p "${named_chrootdir}${_samba_private_dir}"
>+		fi
>+		cp -fp "${_samba_private_dir}"/dns.keytab \
>+		  "${named_chrootdir}${_samba_private_dir}"/
>+		# Likewise copy the krb5.conf, pwd.db and smb4.conf
>+		cp -fp /etc/krb5.conf "${named_chrootdir}"/etc/
>+		cp -fp /etc/pwd.db "${named_chrootdir}"/etc/
>+		cp -fp /usr/local/etc/smb4.conf "${named_chrootdir}"/usr/local/etc/
>+		# Finally, the modules from samba4 top library directory need to
>+		# be copied (saving only 2MB compared to copying complete samba4
>+		# directory recursively, but needed to find out this way...)
>+		cp -Rpf /usr/local/lib/samba4/lib* \
>+		    "${named_chrootdir}"/usr/local/lib/samba4/
>+	fi
> }
> 
> # Make symlinks to the correct pid file

Actions: View | Diff

Attachments on bug 256849: 226063