From bminard@flatfoot.ca  Sat Apr 19 13:23:45 2003
Return-Path: <bminard@flatfoot.ca>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0D9D737B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 19 Apr 2003 13:23:45 -0700 (PDT)
Received: from parsec.look.ca (parsec.look.ca [207.136.80.122])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4CB0243FE0
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 19 Apr 2003 13:23:44 -0700 (PDT)
	(envelope-from bminard@flatfoot.ca)
Received: from on-tor-blr-a58-02-911.look.ca ([216.154.9.149] helo=flatfoot.ca)
	by parsec.look.ca with esmtp (Exim 4.05)
	id 196ys8-000424-00
	for FreeBSD-gnats-submit@freebsd.org; Sat, 19 Apr 2003 20:23:40 +0000
Received: (from bminard@localhost)
	by flatfoot.ca (8.11.6/8.11.6) id h3JKNhD28141;
	Sat, 19 Apr 2003 16:23:43 -0400 (EDT)
	(envelope-from bminard)
Message-Id: <200304192023.h3JKNhD28141@flatfoot.ca>
Date: Sat, 19 Apr 2003 16:23:43 -0400 (EDT)
From: Brian Minard <bminard@flatfoot.ca>
Reply-To: Brian Minard <bminard@flatfoot.ca>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] Makefile for /etc/namedb.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         51167
>Category:       misc
>Synopsis:       [PATCH] Makefile for /etc/namedb.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    dougb
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sat Apr 19 13:30:15 PDT 2003
>Closed-Date:    Sun Nov 28 12:29:40 GMT 2004
>Last-Modified:  Sun Nov 28 12:29:40 GMT 2004
>Originator:     Brian Minard
>Release:        FreeBSD 4.8-STABLE i386
>Organization:
>Environment:
System: FreeBSD yop.flatfoot.ca 4.8-STABLE FreeBSD 4.8-STABLE #2: Fri Apr 18 21:54:43 EDT 2003 root@yop.flatfoot.ca:/usr/obj/usr/src/sys/YOP i386


	
>Description:
	A makefile for /etc/namedb, similar in nature to the Makefile in
/etc/mail.  This makefile can, if configured to do so, manage named in a
sandbox.
>How-To-Repeat:
	
>Fix:
--- Makefile	Sat Apr 19 14:20:27 2003
+++ Makefile	Sat Apr 19 14:27:06 2003
@@ -0,0 +1,125 @@
+#
+# This Makefile provides an easy way to update the configuration used by
+# the named(8) daemon.  The named daemon is stopped and restarted using
+# ndc(8).  It is started using the values specified in /etc/rc.conf and
+# /etc/default/rc.conf.
+#
+# If you want to run named in a sandbox, define NAMED_SANDBOX in
+# /etc/make.conf.  To place the sandbox in an alternative location, define
+# NAMEDB_SANDBOX_DIR in /etc/make.conf.  When you start named in a sandbox
+# using this makefile, the alternative user, group, and location are used.
+#
+# The user-driven targets are:
+#
+# all     - Executes install
+# install - Create the necessary files and install them into the sandbox,
+#           if required
+# sandbox - Install the necessary files into the sandbox
+# start   - Start the named daemon with the flags defined in
+#           /etc/defaults/rc.conf or /etc/rc.conf
+# stop    - Stop the named daemon
+# restart - Restart the named daemon
+#
+# A `make install` is necessary after modifying any of the dependent
+# files.  In this case, one would normally also call `make restart' to
+# allow the running named to pick up the changes as well.
+#
+
+#
+# Some useful programs we need.
+#
+MKDIR?=		/bin/mkdir -p
+NAMED?=		/usr/sbin/named
+NDC?=			/usr/sbin/ndc
+
+#
+# This is the directory where the named configuration files are
+# located.
+#
+NAMEDB_DIR?=	/etc/namedb
+NDC_CHANNEL?=	/var/run/ndc
+
+# Set a reasonable default
+.MAIN:	all
+
+#
+# ------------------------------------------------------------------------
+#
+# The Makefile picks up the list of files from NAMED_SRC and copies
+# the files into NAMEDB_SANDBOX_DIR.
+#
+NAMED_SRC+=	${NAMEDB_DIR}/named.conf ${NAMEDB_DIR}/localhost.rev \
+  		${NAMEDB_DIR}/named.root
+
+# User defined targets
+# Place your local reverse lookup and local DNS database in this
+# makefile.
+.if exists(Makefile.local)
+.include "Makefile.local"
+.endif
+
+#
+# This is the directory where the named configuration files are
+# located.  Set NAMEDB_SANDBOX_DIR in /etc/make.conf, if you prefer
+# a different location.
+#
+.ifdef NAMED_SANDBOX
+NAMEDB_SANDBOX_DIR?=	${NAMEDB_DIR}/s
+NAMED_SRC+=		/etc/localtime
+NAMED_SANDBOX_FLAGS?=	-u bind -g bind -t ${NAMEDB_SANDBOX_DIR}
+.for _f in ${NAMED_SRC}
+.if exists(${_f})
+NAMED_SANDBOX_SRC+=	${NAMEDB_SANDBOX_DIR}${_f}
+.endif
+.endfor
+.endif
+
+#
+# ------------------------------------------------------------------------
+#
+
+all:		install
+
+clean:
+
+depend:
+
+install:	localhost.rev sandbox
+
+localhost.rev:	PROTO.localhost.rev make-localhost
+	sh make-localhost
+
+sandbox: 
+.ifdef NAMED_SANDBOX
+.if ! exists(${NAMEDB_SANDBOX_DIR})
+	${MKDIR} ${NAMEDB_SANDBOX_DIR}${NAMEDB_DIR} && \
+		${MKDIR} ${NAMEDB_SANDBOX_DIR}/var/run
+.endif
+.for _f in ${NAMED_SRC}
+	${INSTALL} -C -m ${SHAREMODE} ${_f} ${NAMEDB_SANDBOX_DIR}${_f}
+.endfor
+.endif
+
+start:
+	(. /etc/defaults/rc.conf; source_rc_confs; \
+	case "$${named_enable}" in \
+	[Yy][Ee][Ss]) \
+		if [ ${NAMED_SANDBOX} ]; then \
+			$${named_program} $${named_flags} ${NAMED_SANDBOX_FLAGS}; \
+		else \
+			$${named_program} $${named_flags}; \
+		fi; \
+		;; \
+	*) \
+		;; \
+	esac \
+	)
+
+stop:
+	${NDC} -c ${NAMEDB_SANDBOX_DIR}${NDC_CHANNEL} stop
+
+restart:
+	${NDC} -c ${NAMEDB_SANDBOX_DIR}${NDC_CHANNEL} restart
+
+# For the definition of $SHAREMODE
+.include <bsd.own.mk>
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->dougb 
Responsible-Changed-By: dougb 
Responsible-Changed-When: Sun Apr 20 03:47:05 PDT 2003 
Responsible-Changed-Why:  

I'm working on named sandbox stuff 

http://www.freebsd.org/cgi/query-pr.cgi?pr=51167 

From: Brian Minard <bminard@flatfoot.ca>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: misc/51167: [PATCH] Makefile for /etc/namedb.
Date: Sun, 11 May 2003 14:44:32 -0400

 When starting named in a sandbox, the makefile should prefer the
 value of named_flags, if set in /etc/rc.conf, over anything else.
 The patch implements this behavior.
 
 --- Makefile	Sat Apr 19 14:27:06 2003
 +++ Makefile	Sun May 11 18:11:03 2003
 @@ -104,8 +104,8 @@ start:
  	(. /etc/defaults/rc.conf; source_rc_confs; \
  	case "$${named_enable}" in \
  	[Yy][Ee][Ss]) \
 -		if [ ${NAMED_SANDBOX} ]; then \
 -			$${named_program} $${named_flags} ${NAMED_SANDBOX_FLAGS}; \
 +		if [ ${NAMED_SANDBOX} -a -z "$${named_flags}" ]; then \
 +			$${named_program} ${NAMED_SANDBOX_FLAGS}; \
  		else \
  			$${named_program} $${named_flags}; \
  		fi; \
 

From: Brian Minard <bminard@flatfoot.ca>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: misc/51167: [PATCH] Makefile for /etc/namedb.
Date: Fri, 16 May 2003 19:24:15 -0400

 Security(1) has the following to say about named sandboxes:
 
    The default rc.conf includes the arguments necessary to run
    named in a sandbox in a commented-out form.
 
 This is not entirely true.  The default rc.conf contains only a 
 commented-out named_flags for user and group.  To run named in a
 sandbox, named_flags should probably include "-t /path/to/sandbox".
 
 This patch corrects /etc/default/rc.conf.  It uses the sandbox directory
 as created by /etc/namedb/Makefile proposed by this PR.
 
 --- /etc/defaults/rc.conf	Sun Apr 20 12:46:23 2003
 +++ /etc/defaults/rc.conf	Fri May 16 14:30:32 2003
 @@ -123,7 +123,7 @@
  #
  named_enable="NO"		# Run named, the DNS server (or NO).
  named_program="/usr/sbin/named"	# path to named, if you want a different one.
 -#named_flags="-u bind -g bind"	# Flags for named
 +#named_flags="-u bind -g bind -t /etc/namedb/s"	# Flags for named
  
  #
  # kerberos. Do not run the admin daemons on slave servers
State-Changed-From-To: open->feedback 
State-Changed-By: dougb 
State-Changed-When: Sun Oct 17 23:18:59 GMT 2004 
State-Changed-Why:  

I recently set up chroot by default in 6-current and 
5-stable, is that sufficient for your needs, or would 
you like to continue thinking about installing this in 
4-stable as well? 

Thanks, 

Doug 


http://www.freebsd.org/cgi/query-pr.cgi?pr=51167 
State-Changed-From-To: feedback->closed 
State-Changed-By: dougb 
State-Changed-When: Sun Nov 28 12:29:05 GMT 2004 
State-Changed-Why:  

User reports in private mail that it's ok to close this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=51167 
>Unformatted:
