FreeBSD Bugzilla – Attachment 226063 Details for Bug 256849
dns/bind916: Support chrooting when used as samba4(13) DLZ backend
[patch] Extend rc.d/named to handle chrooting samba4 DLZ dependencies
files_named.in.diff (text/plain), 7.25 KB, created by Harald Schmalzbauer on 2021-06-26 19:37:29 UTC
Description: Extend rc.d/named to handle chrooting samba4 DLZ dependencies
Filename: files_named.in.diff
MIME Type: text/plain
Creator: Harald Schmalzbauer
Created: 2021-06-26 19:37:29 UTC
Size: 7.25 KB
Flags: patch, obsolete
>--- dns/bind916/files/named.in 2021-06-14 14:22:38.000000000 +0200 >+++ dns/bind916/files/named.in 2021-06-26 19:33:17.970546000 +0200 >@@ -16,6 +16,9 @@ > # Historically, was /var/named > # named_chroot_autoupdate (bool): Automatically install/update chrooted > # components of named. >+# named_chroot_dlzcopy (str): If defined, copy dlz module dependencies, >+# e.g. for samba (along with the .so itself): >+# /usr/local/lib/samba4/modules/bind9/dlz_bind9_16.so > # named_symlink_enable (bool): Symlink the chrooted pid file > # named_wait (bool): Wait for working name service before exiting > # named_wait_host (str): Hostname to check if named_wait is enabled >@@ -53,6 +56,7 @@ > named_auto_forward=${named_auto_forward:-"NO"} > named_auto_forward_only=${named_auto_forward_only:-"NO"} > %%NATIVE_PKCS11%%named_pkcs11_engine=${named_pkcs11_engine:-""} >+named_chroot_dlzcopy=${named_chroot_dlzcopy:-""} > > # Not configuration variables but having them here keeps rclint happy > required_dirs="${named_chrootdir}" >@@ -60,6 +64,8 @@ > _named_confdir="${named_chrootdir}${_named_confdirroot}" > _named_program_root="${named_program%/sbin/named}" > _openssl_engines="%%ENGINES%%" >+_samba_named_dir="/var/db/samba4/bind-dns" >+_samba_private_dir="${_samba_named_dir%/*}/private" > > # Needed if named.conf and rndc.conf are moved or if rndc.conf is used > rndc_conf=${rndc_conf:-"$_named_confdir/rndc.conf"} >@@ -76,7 +82,7 @@ > # > chroot_autoupdate() > { >- local file >+ local file depfiles dstdirs isjailed > > # If it's the first time around, fiddle with things and move the > # current configuration to the chroot. >@@ -126,6 +132,7 @@ > devfs_domount ${named_chrootdir}/dev devfsrules_hide_all > devfs -m ${named_chrootdir}/dev rule apply path null unhide > devfs -m ${named_chrootdir}/dev rule apply path random unhide >+ isjailed='' > else > if [ -c ${named_chrootdir}/dev/null -a \ > -c ${named_chrootdir}/dev/random ]; then 
>@@ -138,6 +145,7 @@ > "run named without chrooting it, set " \ > "named_chrootdir=\"\" in /etc/rc.conf." > fi >+ isjailed=true > fi > > # The OpenSSL engines and BIND9 plugins should be present in the 
>@@ -153,6 +161,132 @@ > cp -p /etc/${file} "${named_chrootdir}/etc/${file}" > fi > done >+ >+ # Determine samba dlz.so dependencies and copy over to chroot, but >+ # only if $named_chroot_dlzcopy exists (subsequently skipping >+ # due to zero-length variables too). >+ IFS=$'\n' >+ [ -r "${named_chroot_dlzcopy:-/nonexistent/skip-depfiles}" ] && >+ depfiles=`ldd "${named_chroot_dlzcopy}" | cut -w -f 4 | \ >+ grep -vF "${named_chroot_dlzcopy}"; \ >+ echo -n "${named_chroot_dlzcopy}"` || depfiles=''; destdirs='' >+ >+ # Additionally, there's a lot more modules which named(8) needs after >+ # loading $named_chroot_dlzcopy. >+ # Statically copy the complete directories for now, if samba-dlz is >+ # wanted (independent if chrooted in jail or not). >+ if echo "${depfiles}" | grep -qF samba; then >+ for copydir in `echo \ >+ "${named_chrootdir}/usr/local/lib/samba4/modules/gensec"; \ >+ echo "${named_chrootdir}/usr/local/lib/samba4/private"` \ >+ "${named_chrootdir}/usr/local/lib/samba4/modules/ldb" >+ do >+ # Only readable absolute directory paths are valid >+ [ "${copydir#/}" != "${copydir}" ] && >+ [ -r "${copydir#"${named_chrootdir}"}" ] || >+ continue >+ # Further validate and limit to minimal depth of 2 >+ [ -n "${copydir%/*}" ] && >+ echo "${copydir%/*}" | >+ grep -Eq "^${named_chrootdir}/+[^/]+/+[^/]+" || >+ continue >+ # Make sure target parent directory exists >+ if ! [ -d "${copydir%/*}" ]; then >+ [ -e "${copydir%/*}" ] && rm -Rf "${copydir%/*}" >+ mkdir -p "${copydir%/*}" >+ fi >+ cp -Rfp "${copydir#"${named_chrootdir}"}" \ >+ "${copydir%/*}" >+ done >+ fi >+ >+ >+ # NOTE: This POC implementation requires /var/db/samba4/bind-dns to be >+ # nullfs(4) mounted into $named_chrootdir (unclear if samba consults >+ # the database files itself, which requires them to be identical in both >+ # namespaces). >+ # For jails, you must hanlde by host's jail setup! 
>+ if [ -z "${isjailed}" ] && echo "${depfiles}" | grep -qF samba; then >+ for nullmpdir in `echo "${named_chrootdir}${_samba_named_dir}"`\ >+ "${named_chrootdir}${_samba_private_dir}"/sam.ldb.d >+ do >+ umount "${nullmpdir}" 2>/dev/null >+ # Make sure mountpoint exists >+ if ! [ -d "${nullmpdir}" ]; then >+ [ -e "${nullmpdir}" ] && rm -Rf "${nullmpdir}" >+ mkdir -p "${nullmpdir}" >+ fi >+ mount_nullfs "${_samba_named_dir}" \ >+ "${nullmpdir}" >+ done >+ elif echo "${depfiles}" | grep -qF samba; then >+ if [ -f "${named_chrootdir}${_samba_named_dir}"/dns/sam.ldb -a \ >+ -r "${named_chrootdir}${_samba_private_dir}"/sam.ldb.d/metadata.tdb ] >+ then >+ info "named chroot: using pre-mounted ${_samba_named_dir}" >+ else >+ err 1 "named chroot:" \ >+ "${_samba_named_dir}/ cannot be mounted from " \ >+ "within a jail. Thus a chrooted named cannot " \ >+ "load the samba DLZ db-files outside it's "\ >+ "named_chrootdir. Either run named without " \ >+ "chrooting, (set named_chrootdir=\"\" in " \ >+ "/etc/rc.conf) or mount ${_samba_named_dir}/ " \ >+ "from the host." >+ "In addition ${_samba_private_dir}/sam.ldb.d/ "\ >+ "needs to be handled likewise." >+ fi >+ fi >+ >+ for file in ${depfiles}; do >+ # Only readable absolute file paths are valid >+ [ "${file#/}" != "${file}" -a -r "${file}" ] || continue >+ # Destination directories must exist first: >+ # Compose list of directories needed, based on the destination >+ # path for fixed string grepping, avoiding substring matches. >+ if ! echo "${dstdirs}" | grep -qF "${named_chrootdir}${file%/*}" >+ then >+ dstdirs=$([ -n "${dstdirs}" ] && echo \ >+ "${dstdirs}"; echo "${named_chrootdir}${file%/*}") >+ fi >+ done >+ >+ # Create required destination directories >+ for dir in ${dstdirs}; do >+ [ -e "${dir}" ] && [ -d "${dir}" ] || mkdir -p "${dir}" >+ done >+ # Do copy on demand >+ for file in ${depfiles}; do >+ # Only readable absolute file paths are valid >+ if [ "${file#/}" != "${file}" -a -r "${file}" ] && >+ ! 
cmp -s "${file}" "${named_chrootdir}${file}" >+ then >+ # Failing chflags is acceptable, don't emitt errmessage >+ cp -Rfp "${file}" "${named_chrootdir}${file}" 2>/dev/null >+ fi >+ done >+ unset IFS >+ >+ if echo "${depfiles}" | grep -qF samba; then >+ # null_mount_or_copy is openssl biased and likes .so files only. >+ # Simply always copy the kerberos keytab used for dns updates! >+ if ! [ -d "${named_chrootdir}${_samba_private_dir}" ]; then >+ [ -e "${named_chrootdir}${_samba_private_dir}" ] && >+ rm -Rf "${named_chrootdir}${_samba_private_dir}" >+ mkdir -p "${named_chrootdir}${_samba_private_dir}" >+ fi >+ cp -fp "${_samba_private_dir}"/dns.keytab \ >+ "${named_chrootdir}${_samba_private_dir}"/ >+ # Likewise copy the krb5.conf, pwd.db and smb4.conf >+ cp -fp /etc/krb5.conf "${named_chrootdir}"/etc/ >+ cp -fp /etc/pwd.db "${named_chrootdir}"/etc/ >+ cp -fp /usr/local/etc/smb4.conf "${named_chrootdir}"/usr/local/etc/ >+ # Finally, the modules from samba4 top library directory need to >+ # be copied (saving only 2MB compared to copying complete samba4 >+ # directory recursively, but needed to find out this way...) >+ cp -Rpf /usr/local/lib/samba4/lib* \ >+ "${named_chrootdir}"/usr/local/lib/samba4/ >+ fi > } > > # Make symlinks to the correct pid file
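Review bot: the header-comment hunk (@@ -16,6 +16,9 @@) documenting named_chroot_dlzcopy should state that the value must be the absolute path of the DLZ module, because the copy loop added later in this patch drops every entry whose path does not begin with "/" (`[ "${file#/}" != "${file}" -a -r "${file}" ] || continue`), so a relative path silently copies nothing. It should also say that setting the knob additionally pulls the samba4 module directories, dns.keytab, krb5.conf, pwd.db and smb4.conf into the chroot, since an administrator enabling it needs to know what ends up under named_chrootdir.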
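Review bot: in the hunk adding `_samba_named_dir="/var/db/samba4/bind-dns"` and `_samba_private_dir="${_samba_named_dir%/*}/private"`, both locations are hard-coded, yet they depend on the samba4 port's build-time paths and on the "binddns dir" and "private dir" settings in smb4.conf; with a non-default layout the nullfs mounts and the keytab copy later in the patch fail without a useful error. Suggest making them rc.conf knobs (for example named_samba_bind_dns_dir, with the private dir only derived from it as a default) and documenting them in the header comment next to named_chroot_dlzcopy.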
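Review bot: the `local file depfiles dstdirs isjailed` hunk declares `dstdirs`, but the initialisation added further down writes `destdirs=''` (a typo), so `dstdirs` is never cleared; since FreeBSD sh's `local` inherits the initial value of a same-named variable from the enclosing scope, a stray `dstdirs` in the environment would leak into the directory list. Fix the spelling at the assignment, and also declare the loop variables this patch introduces (`copydir`, `nullmpdir`, `dir`) local here.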
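Review bot: `isjailed=true` is set in the existing else branch, i.e. it is derived from the devfs test rather than from whether nullfs can actually be mounted, and the later code then refuses outright ("cannot be mounted from within a jail") even though a jail with allow.mount.nullfs=1 could mount it. Consider attempting mount_nullfs unconditionally and falling back to the "pre-mounted" check only when the mount fails, instead of keying on this flag.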
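Review bot: in the large hunk (@@ -153,6 +161,132 @@) the nullfs loop mounts the fixed `${_samba_named_dir}` on both mountpoints (`mount_nullfs "${_samba_named_dir}" "${nullmpdir}"`), so the second iteration mounts /var/db/samba4/bind-dns on `${named_chrootdir}${_samba_private_dir}/sam.ldb.d` instead of the host's sam.ldb.d; derive the source from the mountpoint, e.g. `mount_nullfs "${nullmpdir#"${named_chrootdir}"}" "${nullmpdir}"`. Further points in the same hunk: (1) in the jail branch the `"from the host."` argument has no trailing backslash, so the `"In addition ${_samba_private_dir}/sam.ldb.d/ " "needs to be handled likewise."` line becomes a separate (dead) command and that part of the message is never shown; (2) the dstdirs de-duplication uses `grep -qF` without `-x`, which does exactly the substring matching the comment claims to avoid (an existing `/usr/lib32` entry suppresses `/usr/lib`, whose files then fail to copy with the error hidden by `2>/dev/null`); a plain `mkdir -p "${named_chrootdir}${file%/*}"` per file removes the list altogether; (3) `cp -Rfp` on the dependency files implies -P, so a dependency that ldd reports via a symlink (common under /usr/local/lib, where libfoo.so.N points at the versioned file) lands in the chroot as a dangling symlink; use `cp -fp` without -R, and do not discard all of stderr when only chflags noise is expected; (4) `echo "${depfiles}" | grep -qF samba` is evaluated four times and matches any dependency path containing that substring; compute it once and prefer an explicit test on `named_chroot_dlzcopy` (or a dedicated knob) over a substring match; (5) `IFS=$'\n'` is a non-POSIX quoting form and `unset IFS` at the end resets IFS to the default rather than to its previous value, so save it and restore it, using a literal newline; (6) the final copies into `${named_chrootdir}/usr/local/etc/` and `${named_chrootdir}/usr/local/lib/samba4/` assume those directories exist (the latter only does when the copydir loop ran), so add `mkdir -p` first; (7) dns.keytab is a credential: `cp -fp` preserves its mode, but the parent directories created by `mkdir -p` get umask permissions, so set the mode of `${named_chrootdir}${_samba_private_dir}` explicitly; (8) comment typos: "hanlde", "emitt", "it's named_chrootdir" should be "its", and "independent if chrooted" should be "independent of whether chrooted".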