Bug 256849 - dns/bind916: Support chrooting when used as samba4(13) DLZ backend
Summary: dns/bind916: Support chrooting when used as samba4(13) DLZ backend
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Mathieu Arnold
URL:
Keywords: feature, needs-qa
Depends on:
Blocks:
 
Reported: 2021-06-26 19:37 UTC by Harald Schmalzbauer
Modified: 2022-07-15 14:43 UTC

See Also:
bugzilla: maintainer-feedback? (mat)


Attachments
Extend rc.d/named to handle chrooting samba4 DLZ dependencies (7.25 KB, patch)
2021-06-26 19:37 UTC, Harald Schmalzbauer
no flags

Description Harald Schmalzbauer 2021-06-26 19:37:29 UTC
Created attachment 226063
Extend rc.d/named to handle chrooting samba4 DLZ dependencies

I noticed that running bind9 chrooted when loading samba's DLZ module wasn't supported.
Although there's not too much of a security benefit considering the rest of the jail binaries, for my environment, enclaving the DNS part seemed to be an easy and beneficial step, since the FreeBSD bind9 port already makes chrooting an easy to configure task.
Since I was unexpectedly happy with the outcome of my POC this week (using Win10+RSAT to manage user accounts and DNS with jailed samba413 for a single DomainController) I prepared this diff (tested on a FreeBSD 13 jail, only providing kerberos/ldap/dns/rpc (by samba413), not serving any data besides sysvol (GPO)).

It turned out that the dlz.so which samba provides needs a whole lot of other libraries and even pwd.db and other config files, so the diff is not as small as I expected it to be at first.

Please find it attached.
It extends the chroot_autoupdate() function to copy all dependencies needed to successfully run bind916 chrooted while still maintainable by RSAT via samba413.

As long as you don't define named_chroot_dlzcopy (="/usr/local/lib/samba4/modules/bind9/dlz_bind9_16.so" e.g.) in rc.conf, there's no functional change.
If it is defined, and named_chroot is also set, about 15MB of libraries will be copied to the chroot directory.

I haven't tested the non-jail (nullfs mount) part, but it's covered and I don't expect problems.

For the record, here's the relevant part of my jail config to allow this patch to do its job:
winadc {
...
    # This must exactly match your 'named_chrootdir=' definition in $path/etc/rc.conf!!
    $named_chrootdir = /enclave/named;
    mount += "devfs $path${named_chrootdir}/dev devfs rw 0 0";
    mount += "$path/var/db/samba4/bind-dns $path${named_chrootdir}/var/db/samba4/bind-dns nullfs rw 0 0";
    mount += "$path/var/db/samba4/private/sam.ldb.d $path${named_chrootdir}/var/db/samba4/private/sam.ldb.d nullfs rw 0 0";
    exec.created = "sh -c 'devfs_rulesets=\"/etc/defaults/devfs.rules /etc/devfs.rules\"&& . /etc/rc.subr; devfs_init_rulesets && umount $path${named_chrootdir}/dev 2>/dev/null && devfs_domount $path${named_chrootdir}/dev devfsrules_hide_all && devfs -m $path${named_chrootdir}/dev rule apply path null unhide && devfs -m $path${named_chrootdir}/dev rule apply path random unhide && devfs -m $path${named_chrootdir}/dev rule apply path crypto unhide || exit 1'";
...
}

The exec.created part is in use for DLZ/samba unrelated chrooted named(8) jail setups too.
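The mechanism the attached patch adds to chroot_autoupdate() (resolving the DLZ module's shared-library dependencies and copying them into the chroot) can be sketched outside rc.d/named. The script below is an added example for this page, not the attached patch and not part of dns/bind916 or samba; the function names are its own, the chroot path /enclave/named and the module path /usr/local/lib/samba4/modules/bind9/dlz_bind9_16.so are taken from the report, and /etc/pwd.db as an "extra file" is an assumption based on the report's remark that pwd.db is needed. It parses ldd(1) output rather than hard-coding a library list, and it takes extra non-library files explicitly because ldd cannot discover those.

```shell
#!/bin/sh
# Added example (not the rc.d/named patch from this bug): populate a named
# chroot with a DLZ module, its ldd(1) dependencies and listed extra files.

# Read ldd(1) output on stdin and print the resolved library paths, one per
# line, deduplicated. Only "libX => /path/libX (0x...)" lines are used; the
# header line naming the module and lines without "=>" are skipped.
dlz_deps_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# Copy every path read from stdin into the chroot given as $1, recreating the
# original directory layout below it and preserving mode/owner/timestamps
# (cp -p). A missing file is reported and skipped instead of aborting the run,
# so one stale entry does not leave the chroot half-populated.
dlz_copy_into_chroot() {
    cdir="$1"
    while IFS= read -r path; do
        if [ ! -f "$path" ]; then
            echo "dlz_copy_into_chroot: skipping missing $path" >&2
            continue
        fi
        mkdir -p "${cdir}$(dirname "$path")"
        cp -p "$path" "${cdir}${path}"
    done
    return 0
}

# Copy the module itself, its ldd(1) dependencies and any extra files named
# after the module (config files such as pwd.db, which ldd cannot find).
dlz_chroot_populate() {
    cdir="$1"; module="$2"; shift 2
    {
        echo "$module"
        ldd "$module" | dlz_deps_from_ldd
        for extra in "$@"; do echo "$extra"; done
    } | dlz_copy_into_chroot "$cdir"
}

# Usage (paths assumed from the report; /etc/pwd.db is an assumption):
# dlz_chroot_populate /enclave/named \
#     /usr/local/lib/samba4/modules/bind9/dlz_bind9_16.so /etc/pwd.db
```

Run it as root after the samba4 package is updated, since a rebuilt dlz_bind9_16.so may pull in different library versions than the copies already in the chroot; re-running the script overwrites them in place. Files that samba writes at runtime (the bind-dns and sam.ldb.d directories in the report's jail config) should not be copied this way but null-mounted, as the jail config above does.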
Comment 1 Mathieu Arnold freebsd_committer freebsd_triage 2022-07-15 14:43:18 UTC
The named startup script is already really too long, and your patch makes it grow by something like 50%.  Also, it tries to handle files that are not owned by dns/bind916, which is not good.
I think it should be handled by null mounts outside of ports.