Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package bind for openSUSE:Factory checked in at 2021-01-30 13:55:34 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/bind (Old) and /work/SRC/openSUSE:Factory/.bind.new.28504 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "bind" Sat Jan 30 13:55:34 2021 rev:161 rq:866745 version:9.16.11 Changes: -------- --- /work/SRC/openSUSE:Factory/bind/bind.changes 2021-01-08 17:34:13.377125978 +0100 +++ /work/SRC/openSUSE:Factory/.bind.new.28504/bind.changes 2021-01-30 13:55:36.941943402 +0100 @@ -1,0 +2,20 @@ +Thu Jan 21 08:00:03 UTC 2021 - Josef M??llers <[email protected]> + +- Upgrade to version 9.16.11 + * Bug fixing (please check CHANGES file in the source RPM) + * Functional change: + policy none;", named now + permits a safe transition to insecure mode and publishes + the CDS and CDNSKEY DELETE records, as described in RFC 8078. + + Remove useless Makefiles and Makefile skeleton files in + /usr/share/doc/packages/bind/contrib/ + [bind.spec, bsc#1179040] + + *** MAJOR CHANGE *** + Changed protection of/against "named" from chroot jail to + systemd protection. This obsoletes subpackage named-chrootenv. + Kudos to Matthias Gerstner <[email protected]> + [bind.spec, bind-chrootenv.conf, vendor-files.tar.bz2, bsc#1180294] + +------------------------------------------------------------------- Old: ---- bind-9.16.10.tar.xz bind-9.16.10.tar.xz.sha512.asc bind-chrootenv.conf New: ---- bind-9.16.11.tar.xz bind-9.16.11.tar.xz.sha512.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ bind.spec ++++++ --- /var/tmp/diff_new_pack.ZxdYqF/_old 2021-01-30 13:55:37.777945055 +0100 +++ /var/tmp/diff_new_pack.ZxdYqF/_new 2021-01-30 13:55:37.777945055 +0100 @@ -1,7 +1,7 @@ # # spec file for package bind # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -20,17 +20,17 @@ # Note that the sonums are LIBINTERFACE - LIBAGE %define bind9_sonum 1600 %define libbind9 libbind9-%{bind9_sonum} -%define dns_sonum 1610 +%define dns_sonum 1611 %define libdns libdns%{dns_sonum} %define irs_sonum 1601 %define libirs libirs%{irs_sonum} -%define isc_sonum 1608 +%define isc_sonum 1609 %define libisc libisc%{isc_sonum} %define isccc_sonum 1600 %define libisccc libisccc%{isccc_sonum} -%define isccfg_sonum 1602 +%define isccfg_sonum 1603 %define libisccfg libisccfg%{isccfg_sonum} -%define ns_sonum 1606 +%define ns_sonum 1607 %define libns libns%{ns_sonum} %define VENDOR SUSE @@ -61,7 +61,7 @@ %define _fillupdir %{_localstatedir}/adm/fillup-templates %endif Name: bind -Version: 9.16.10 +Version: 9.16.11 Release: 0 Summary: Domain Name System (DNS) Server (named) License: MPL-2.0 @@ -78,7 +78,6 @@ Source60: dlz-schema.txt # configuation files for systemd-tmpfiles Source70: bind.conf -Source71: bind-chrootenv.conf Source72: named.conf Patch51: pie_compile.diff Patch52: named-bootconf.diff @@ -99,7 +98,6 @@ BuildRequires: pkgconfig(libidn2) BuildRequires: pkgconfig(libuv) BuildRequires: pkgconfig(libxml-2.0) -Requires: %{name}-chrootenv Requires: %{name}-utils Requires(post): %fillup_prereq Requires(post): bind-utils @@ -215,17 +213,6 @@ %description -n %{libisccfg} This BIND library contains the configuration file parser. -%package chrootenv -Summary: Chroot environment for BIND named -# We need the named user and group, have only one authoritative place -Group: Productivity/Networking/DNS/Servers -Requires(pre): %{name} - -%description chrootenv -This package contains all directories and files which are common to the -chroot environment of BIND named. Most is part of the -structure below %{_localstatedir}/lib/named. - %package devel Summary: Development Libraries and Header Files of BIND Group: Development/Libraries/C and C++ 
@@ -304,7 +291,7 @@ -i "${file}" } pushd vendor-files -for file in docu/README tools/createNamedConfInclude config/{README,named.conf} init/named system/named.init sysconfig/{named-common,named-named,syslog-named}; do +for file in docu/README* tools/createNamedConfInclude config/{README,named.conf} init/named system/named.init sysconfig/named-named; do replaceStrings ${file} done popd @@ -363,7 +350,7 @@ %{buildroot}/%{_datadir}/bind \ %{buildroot}/%{_datadir}/susehelp/meta/Administration/System \ %{buildroot}/%{_defaultdocdir}/bind \ - %{buildroot}%{_localstatedir}/lib/named/{etc/named.d,dev,dyn,log,master,slave,var/{lib,run/named}} \ + %{buildroot}%{_localstatedir}/lib/named/{etc/named.d,dev,dyn,master,slave,var/{lib,run/named}} \ %{buildroot}%{_mandir}/{man1,man3,man5,man8} \ %{buildroot}%{_fillupdir} \ %{buildroot}/%{_rundir} \ @@ -383,9 +370,6 @@ mv vendor-files/config/named.conf %{buildroot}/%{_sysconfdir} mv vendor-files/config/bind.reg %{buildroot}/%{_sysconfdir}/slp.reg.d mv vendor-files/config/rndc-access.conf %{buildroot}/%{_sysconfdir}/named.d -for file in named.conf.include; do - touch %{buildroot}/%{_sysconfdir}/${file} -done %if %{with_systemd} for file in named; do @@ -394,7 +378,6 @@ ln -s /sbin/service %{buildroot}%{_sbindir}/rc${file} done install -D -m 0644 %{SOURCE70} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind.conf - install -D -m 0644 %{SOURCE71} %{buildroot}%{_prefix}/lib/tmpfiles.d/bind-chrootenv.conf install -D -m 0644 ${RPM_SOURCE_DIR}/named.root %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/root.hint install -m 0644 vendor-files/config/{127.0.0,localhost}.zone %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named install -m 0644 bind.keys %{buildroot}%{_datadir}/factory%{_localstatedir}/lib/named/named.root.key 
@@ -413,12 +396,7 @@ cp -p "%{SOURCE60}" "%{buildroot}/%{_sysconfdir}/openldap/schema/dlz.schema" install -m 0754 vendor-files/tools/ldapdump %{buildroot}/%{_datadir}/bind find %{buildroot}/%{_libdir} -type f -name '*.so*' -print0 | xargs -0 chmod 0755 -touch %{buildroot}%{_localstatedir}/lib/named%{_sysconfdir}/{localtime,named.conf.include,named.d/rndc.access.conf} -touch %{buildroot}%{_localstatedir}/lib/named/dev/log -ln -s ../.. %{buildroot}%{_localstatedir}/lib/named%{_localstatedir}/lib/named -ln -s ../log %{buildroot}%{_localstatedir}/lib/named%{_localstatedir} -ln -s ..%{_localstatedir}/lib/named%{_localstatedir}/run/named %{buildroot}/run -for file in named-common named-named syslog-named; do +for file in named-named; do install -m 0644 vendor-files/sysconfig/${file} %{buildroot}%{_fillupdir}/sysconfig.${file} done %if %{with_sfw2} @@ -428,7 +406,11 @@ rm doc/misc/Makefile* find doc/arm -type f ! -name '*.html' -print0 | xargs -0 rm -f # Create doc as we want it in bind and not bind-doc -cp -a vendor-files/docu/README %{buildroot}/%{_defaultdocdir}/bind/README.%{VENDOR} +for file in vendor-files/docu/README*; do + basename=$( basename ${file}) + cp -a ${file} %{buildroot}/%{_defaultdocdir}/bind/${basename}.%{VENDOR} +done + mkdir -p vendor-files/config/ISC-examples cp -a bin/tests/*.conf* vendor-files/config/ISC-examples for d in arm; do @@ -441,6 +423,8 @@ echo "%doc %{_defaultdocdir}/bind/${basename}" >>filelist-bind-doc done # --------------------------------------------------------------------------- +# remove useless Makefiles and Makefile skeletons +find %{buildroot}/%{_defaultdocdir}/bind \( -name Makefile -o -name Makefile.in \) -exec rm {} + install -m 0644 bind.keys %{buildroot}%{_localstatedir}/lib/named/named.root.key %if %{with_systemd} mkdir -p %{buildroot}%{_sysusersdir} 
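Review bot: The install loop now ships only sysconfig.named-named, but init/lwresd and system/lwresd.init still begin with `cp -a /var/adm/fillup-templates/sysconfig.named-common ${SYSCONFIG_FILE}` (visible as context in their hunks below), and the `%{_fillupdir}/sysconfig.named-common` entry disappears with the chrootenv subpackage, so that copy fails on a fresh install. Either keep `named-common` in this loop (the template is still edited under vendor-files/sysconfig in this same change) or drop the cp from both lwresd scripts. If the 9.16 tarball no longer builds lwresd at all — upstream removed it around 9.14, as far as I recall — the lwresd init scripts and unit could be retired instead of being kept half-consistent.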
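Review bot: `basename=$( basename ${file})` and the following `cp -a ${file} …` leave both expansions unquoted; today's `docu/README*` names contain no whitespace, so it works, but the glob now accepts any future README variant without review. Prefer `basename=$(basename -- "${file}")` and `cp -a -- "${file}" "%{buildroot}/%{_defaultdocdir}/bind/${basename}.%{VENDOR}"`, which is also what the `find … -exec rm {} +` line just below already does correctly for its own arguments.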
@@ -480,6 +464,11 @@ %{_bindir}/systemctl daemon-reload || : fi %endif +# Create the rndc.key and named.conf.include* files so they exist when named is started +[ -e /etc/rndc.key ] || /usr/sbin/rndc-confgen -a -b 512 +[ -e /etc/named.conf.include ] || touch /etc/named.conf.include +[ -e /etc/named.conf.include.BINDconfig ] || touch /etc/named.conf.include.BINDconfig +chown named: /etc/rndc.key /etc/named.conf.include* %postun %if %{with_systemd} @@ -503,19 +492,12 @@ %postun -n %{libisccc} -p /sbin/ldconfig %post -n %{libisccfg} -p /sbin/ldconfig %postun -n %{libisccfg} -p /sbin/ldconfig -%post chrootenv -%{fillup_only -nsa named common} -%{fillup_only -nsa syslog named} -%if %{with_systemd} -%tmpfiles_create bind-chrootenv.conf -%endif %files %license LICENSE %attr(0644,root,named) %config(noreplace) /%{_sysconfdir}/named.conf %dir %{_sysconfdir}/slp.reg.d %attr(0644,root,root) %config /%{_sysconfdir}/slp.reg.d/bind.reg -%attr(0644,root,named) %ghost /%{_sysconfdir}/named.conf.include %if %{with_systemd} %config %{_unitdir}/named.service %{_sbindir}/named.init 
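Review bot: The three files created here in %post are no longer owned by the package: the `%ghost` for /etc/named.conf.include is removed in the next hunk and nothing replaces it, so /etc/rndc.key, /etc/named.conf.include and /etc/named.conf.include.BINDconfig are left behind on uninstall and are invisible to `rpm -V`. Add `%ghost` entries with the intended ownership to %files, e.g. `%attr(0640,root,named) %ghost %{_sysconfdir}/rndc.key` and `%attr(0644,root,named) %ghost %{_sysconfdir}/named.conf.include.BINDconfig`. The `chown named:` also makes the service account the owner of its own control key and configuration includes; if, as the init scripts suggest, only root-run code (named.init before `-u named`, createNamedConfInclude) writes them, `chown root:named /etc/rndc.key /etc/named.conf.include*` followed by `chmod 0640 /etc/rndc.key` keeps named read-only on them while it can still read the key after dropping privileges. Note that the new units list the two include files in ReadWritePaths= without a `-` prefix, so this `touch` is what keeps the units startable — that dependency deserves a comment on the line.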
@@ -581,30 +563,6 @@ %files -n %{libisccfg} %{_libdir}/libisccfg.so.%{isccfg_sonum}* -%files chrootenv -%if %{with_systemd} -%{_prefix}/lib/tmpfiles.d/bind-chrootenv.conf -%endif -%dir %{_var}/lib/named%{_sysconfdir} -%dir %{_var}/lib/named%{_sysconfdir}/named.d -%dir %{_var}/lib/named/dev -%dir %{_var}/lib/named%{_localstatedir} -%dir %{_var}/lib/named%{_localstatedir}/lib -%dir %{_var}/lib/named%{_localstatedir}/run -%attr(-,named,named) %dir %{_var}/lib/named/log -%ghost %{_var}/lib/named%{_sysconfdir}/named.d/rndc.access.conf -%ghost %{_var}/lib/named/dev/log -%attr(0666, root, root) %dev(c, 1, 3) %{_var}/lib/named/dev/null -%attr(0666, root, root) %dev(c, 1, 8) %{_var}/lib/named/dev/random -%attr(0664, root, root) %dev(c, 1, 9) %{_var}/lib/named/dev/urandom -%{_var}/lib/named%{_localstatedir}/lib/named -%{_var}/lib/named%{_localstatedir}/log -%{_fillupdir}/sysconfig.named-common -%{_fillupdir}/sysconfig.syslog-named -%ghost %{_var}/lib/named%{_sysconfdir}/localtime -%attr(0644,root,named) %ghost %{_var}/lib/named%{_sysconfdir}/named.conf.include -%attr(-,named,named) %dir %{_var}/lib/named%{_localstatedir}/run/named - %files devel %dir %{_includedir}/isc %{_includedir}/isc/errno2result.h @@ -655,7 +613,7 @@ %{_sbindir}/rndc-confgen %{_sbindir}/tsig-keygen %dir %doc %{_defaultdocdir}/bind -%{_defaultdocdir}/bind/README.%{VENDOR} +%{_defaultdocdir}/bind/README*.%{VENDOR} %{_defaultdocdir}/bind/.clang-format.headers %{_mandir}/man1/arpaname.1%{ext_man} %{_mandir}/man1/delv.1%{ext_man} ++++++ baselibs.conf ++++++ --- /var/tmp/diff_new_pack.ZxdYqF/_old 2021-01-30 13:55:37.813945126 +0100 +++ /var/tmp/diff_new_pack.ZxdYqF/_new 2021-01-30 13:55:37.813945126 +0100 
@@ -1,17 +1,17 @@ libbind9-1600 -libdns1610 +libdns1611 libirs1601 -libisc1608 +libisc1609 obsoletes "bind-libs-<targettype> = <version>" provides "bind-libs-<targettype> = <version>" libisccc1600 -libisccfg1602 -libns1606 +libisccfg1603 +libns1607 bind-devel requires -bind-<targettype> requires "libbind9-1600-<targettype> = <version>" - requires "libdns1610-<targettype> = <version>" + requires "libdns1611-<targettype> = <version>" requires "libirs1601-<targettype> = <version>" - requires "libisc1608-<targettype> = <version>" + requires "libisc1609-<targettype> = <version>" requires "libisccc1600-<targettype> = <version>" - requires "libisccfg1602-<targettype> = <version>" + requires "libisccfg1603-<targettype> = <version>" ++++++ bind-9.16.10.tar.xz -> bind-9.16.11.tar.xz ++++++ ++++ 27939 lines of diff (skipped) ++++++ vendor-files.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/apparmor/usr.sbin.named new/vendor-files/apparmor/usr.sbin.named --- old/vendor-files/apparmor/usr.sbin.named 2012-01-02 23:07:41.000000000 +0100 +++ new/vendor-files/apparmor/usr.sbin.named 2021-01-21 14:20:21.990662721 +0100 @@ -22,7 +22,6 @@ capability net_bind_service, capability setgid, capability setuid, - capability sys_chroot, capability sys_resource, /** r, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/config/named.conf new/vendor-files/config/named.conf --- old/vendor-files/config/named.conf 2020-10-23 13:43:08.242872586 +0200 +++ new/vendor-files/config/named.conf 2021-01-21 14:28:11.462642463 +0100 
@@ -40,8 +40,7 @@ #dnssec-validation auto; managed-keys-directory "/var__NSD__/named/dyn/"; - # Write dump and statistics file to the log subdirectory. The - # pathenames are relative to the chroot jail. + # Write dump and statistics file to the log subdirectory. dump-file "/var/log/named_dump.db"; statistics-file "/var/log/named.stats"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/docu/README new/vendor-files/docu/README --- old/vendor-files/docu/README 2006-03-13 16:56:36.000000000 +0100 +++ new/vendor-files/docu/README 2021-01-21 14:21:51.170658873 +0100 @@ -5,10 +5,8 @@ ------------------------------------- The BIND documentation is in the sub package bind-doc. All shared libraries -are in the bind-libs package. As 'named' and lwresd are by default configured -to run in a chroot jail bind-chrootenv is required by both packages bind and -bind-lwresd. All DNS utilities are in the bind-utils package. Static -libraries and header files are in bind-devel. +are in the bind-libs package. All DNS utilities are in the bind-utils package. +Static libraries and header files are in bind-devel. createNamedConfInclude ---------------------- @@ -47,10 +45,6 @@ missing, the script createNamedConfInclude is called to create a new /etc/named.conf.include file without the missing configuration snippet. -The init script also ensures to copy all configuration files to the chroot -jail, /var__NSD__/named/, while called with start, reload, restart, and -try-restart. - rndc access ----------- 
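Review bot: `dump-file "/var/log/named_dump.db"` and `statistics-file "/var/log/named.stats"` are now absolute host paths, but the new named.service sets ProtectSystem=strict with ReadWritePaths= limited to /var/lib/named, /var/run and the two include files, so /var/log is read-only for the service and `rndc dumpdb` / `rndc stats` should fail with a permission error. Under the old chroot these resolved to the jail's log directory — exactly the `log` directory and `../log` symlink the spec stops creating in this change. Either point both at a writable location such as `/var/lib/named/log/` (and recreate that directory) or give the unit `LogsDirectory=named` and use `/var/log/named/…`. The kept comment `# Write dump and statistics file to the log subdirectory.` should then name that directory and say it must be writable under the unit's sandbox.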
@@ -67,10 +61,8 @@ File permissions ---------------- -The BIND daemon process 'named' runs by default in a chroot jail, -/var__NSD__/named/ and as user 'named'. You could disable the chroot behaviour by -setting NAMED_RUN_CHROOTED with the YaST sysconfig or any editor in -/etc/sysconfig/named to "no". +File access permissions/restrictions are defined by appropriated directives +in the "named.service" and "lwresd.service" systemd unit files. The BIND package uses by default /var__NSD__/named/ to store its zone files. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/docu/README-bind.chrootenv new/vendor-files/docu/README-bind.chrootenv --- old/vendor-files/docu/README-bind.chrootenv 1970-01-01 01:00:00.000000000 +0100 +++ new/vendor-files/docu/README-bind.chrootenv 2021-01-25 15:24:09.051584908 +0100 @@ -0,0 +1,11 @@ +With the release of bind 9.16.11, the bind-chrootenv subpackage is obsolete. +Rather, protection is implemented through systemd's protection mechanism: +* the servers are run with "ProtectSystem=strict", thus prohibiting the + service to write to arbitrary file system locations. +* Writing is only permitted to + - /var/lib/named + - /var/run + - /etc/named.conf.include + - /etc/named.conf.include.BINDconfig +For further restrictions/protection mechanisms refer to the +named.service and lwresd.service unit files. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/init/lwresd new/vendor-files/init/lwresd --- old/vendor-files/init/lwresd 2016-06-16 11:56:59.441289662 +0200 +++ new/vendor-files/init/lwresd 2021-01-21 14:24:38.658651645 +0100 
@@ -59,14 +59,7 @@ cp -a /var/adm/fillup-templates/sysconfig.named-common ${SYSCONFIG_FILE} . ${SYSCONFIG_FILE} -if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then - CHROOT_PREFIX="/var__NSD__/named" - NAMED_ARGS="${NAMED_ARGS} -t ${CHROOT_PREFIX}" -else - CHROOT_PREFIX="" -fi - -LWRESD_PID="${CHROOT_PREFIX}/var/run/named/lwresd.pid" +LWRESD_PID="var/run/named/lwresd.pid" function warnMessage() { 
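Review bot: `LWRESD_PID="var/run/named/lwresd.pid"` lost its leading slash when `${CHROOT_PREFIX}` was dropped; system/named.init has the same slip in `NAMED_PID="var/run/named/named.pid"`, while system/lwresd.init and init/named correctly use `/var/run/named/…`. A relative pid path resolves against whatever the script's working directory happens to be, so `killproc -p ${LWRESD_PID}` and `start_daemon -p ${NAMED_PID}` only work when the caller's cwd is `/`. Restore `LWRESD_PID="/var/run/named/lwresd.pid"` here and `NAMED_PID="/var/run/named/named.pid"` in named.init.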
@@ -76,70 +69,23 @@ echo -e "$1 " } -# Create destination directory in the chroot. -function makeDestDir +# Check if all needed configuration files exist. +function checkConfigFiles { - if [ ! -d "${CHROOT_PREFIX}/${configfile%/*}" ]; then - umask 0022 - mkdir -p "${CHROOT_PREFIX}/${configfile%/*}" - fi -} - -# Check if all needed configuration files exist and copy these files relativly -# to the chroot directory if 'named' runs chrooted. -function checkAndCopyConfigFiles -{ - test "${checkAndCopyConfigFilesCalled}" = "yes" && return + test "${checkConfigFilesCalled}" = "yes" && return # Handle known configuration files. - if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then - # Create link if needed, /var/run might be on tmpfs - test -d /var/run/named && \ - rm -rf /var/run/named - test ! -L /var/run/named && \ - ln -s ${CHROOT_PREFIX}/var/run/named /var/run/named - - # mount /proc for multicore CPUs (bnc#470828) - if [ ! -e "${CHROOT_PREFIX}/proc/meminfo" ]; then - mkdir -p "${CHROOT_PREFIX}/proc" - mount -tproc -oro,nosuid,nodev,noexec proc ${CHROOT_PREFIX}/proc 2>/dev/null - fi; - - for configfile in /etc/{localtime,lwresd.conf,resolv.conf,rndc.key}; do - if [ ! -e ${configfile} ]; then - case ${configfile} in - # Don't complain if we don't have a lwresd.conf - /etc/lwresd.conf) - rm -f "${CHROOT_PREFIX}/${configfile}" # clean chroot env. - continue ;; - # Don't complain if we don't have a key. - /etc/rndc.key) continue ;; - *) - warnMessage "File ${configfile} not found. Skipping." - continue - ;; - esac - fi - makeDestDir - rm -f ${CHROOT_PREFIX}/${configfile} - cp -a -L ${configfile} ${CHROOT_PREFIX}/${configfile%/*} - done - mkdir -p ${CHROOT_PREFIX}/___lib__ - cp -r /___lib__/engines ${CHROOT_PREFIX}/___lib__/ - else - # NAMED_RUN_CHROOTED != yes - test -L /var/run/named && rm /var/run/named - if [ ! -d /var/run/named ]; then - mkdir -p /var/run/named - chown named: /var/run/named - fi + test -L /var/run/named && rm /var/run/named + if [ ! 
-d /var/run/named ]; then + mkdir -p /var/run/named + chown named: /var/run/named fi - export checkAndCopyConfigFilesCalled="yes" + export checkConfigFilesCalled="yes" } case "$1" in start) echo -n "Starting Lightweight resolver daemon " - checkAndCopyConfigFiles + checkConfigFiles startproc ${LWRESD_BIN} ${NAMED_ARGS} -u named rc_status -v ;; @@ -193,7 +139,7 @@ ;; force-reload|reload) echo -n "Reload service Lightweight resolver daemon " - checkAndCopyConfigFiles + checkConfigFiles killproc -p ${LWRESD_PID} -HUP ${LWRESD_BIN} rc_status -v ;; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/init/named new/vendor-files/init/named --- old/vendor-files/init/named 2020-09-18 15:23:03.198833016 +0200 +++ new/vendor-files/init/named 2021-01-21 14:23:40.274654165 +0100 @@ -87,17 +87,9 @@ done fi -if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then - CHROOT_PREFIX="/var__NSD__/named" - NAMED_ARGS="${NAMED_ARGS} -t ${CHROOT_PREFIX}" - NAMED_CHECKCONF_ARGS="-t ${CHROOT_PREFIX}" -else - CHROOT_PREFIX="" -fi - NAMED_CHECKCONF_BIN="/usr/sbin/named-checkconf" NAMED_CONF_META_INCLUDE_FILE_SCRIPT="/usr/share/bind/createNamedConfInclude" -NAMED_PID="${CHROOT_PREFIX}/var/run/named/named.pid" +NAMED_PID="/var/run/named/named.pid" RNDC_BIN="/usr/sbin/rndc" if [ ! -x ${NAMED_BIN} -a "$1" != "stop" ] ; then 
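Review bot: checkConfigFiles in init/lwresd no longer checks any configuration file — after the early return it only recreates /var/run/named — so the header comment `# Check if all needed configuration files exist.` carried over from the old function is now wrong; the same comment survives in the init/named, lwresd.init and named.init variants, where at least the rndc.key check remains. Suggest `# Make sure /var/run/named exists and is owned by named; /var/run may be on tmpfs.` for the header and, above the `test -L … && rm` line, `# Remove the symlink into the old chroot jail left behind by bind-chrootenv.` so the next reader knows that rm is a migration step rather than something the service needs. The old chroot branch also warned about a missing /etc/localtime or /etc/resolv.conf; if those checks were wanted independently of the chroot, they were lost here as well.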
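Review bot: With the chroot branch gone, nothing in init/named assigns NAMED_CHECKCONF_ARGS any more, yet `${NAMED_CHECKCONF_BIN} ${NAMED_CHECKCONF_ARGS}` is still invoked in namedCheckConf (context in a later hunk); the same holds for system/named.init. It expands to nothing today, which is harmless, but it is a dead variable that would trip `set -u` and invites someone to set it from sysconfig without anyone noticing. Either drop the reference or keep an explicit `NAMED_CHECKCONF_ARGS=""` next to `NAMED_CHECKCONF_BIN=` with a comment that it is intentionally empty. I can only see part of these scripts, so ignore this if a sysconfig file still sets it.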
@@ -140,20 +132,10 @@ return ${rc} } -# Create destination directory in the chroot. -function makeDestDir -{ - if [ ! -d "${CHROOT_PREFIX}/${configfile%/*}" ]; then - umask 0022 - mkdir -p "${CHROOT_PREFIX}/${configfile%/*}" - fi -} - -# Check if all needed configuration files exist and copy these files relativly -# to the chroot directory if 'named' runs chrooted. -function checkAndCopyConfigFiles +# Check if all needed configuration files exist +function checkConfigFiles { - test "${checkAndCopyConfigFilesCalled}" = "yes" && return + test "${checkConfigFilesCalled}" = "yes" && return # check for /etc/rndc.key if [ ! -f /etc/rndc.key ]; then warnMessage "File /etc/rndc.key not found. Creating it." 
@@ -163,38 +145,12 @@ fi # Handle known configuration files. - if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then - # Create link if needed, /var/run might be on tmpfs - test -d /var/run/named && \ - rm -rf /var/run/named - test ! -L /var/run/named && \ - ln -s ${CHROOT_PREFIX}/var/run/named /var/run/named - - NAMED_D="/etc/named.d" - # delete old named.d - test -z "${CHROOT_PREFIX}${NAMED_D}" || rm -rf ${CHROOT_PREFIX}${NAMED_D} - # copy new - cp -a -L ${NAMED_D} ${CHROOT_PREFIX}${NAMED_D%/*} - for configfile in ${NAMED_CONF_INCLUDE_FILES} "${NAMED_CONF}" "${NAMED_CONF_META_INCLUDE_FILE}" /etc/{localtime,rndc.key,ssl/openssl.cnf}; do - if [ ! -e ${configfile} ]; then - warnMessage "File ${configfile} not found. Skipping." - continue - fi - makeDestDir - rm -f ${CHROOT_PREFIX}/${configfile} - cp -a -L ${configfile} ${CHROOT_PREFIX}/${configfile%/*} - done - mkdir -p ${CHROOT_PREFIX}/__openssl__ - cp -r __openssl__/* ${CHROOT_PREFIX}/__openssl__ - else - # NAMED_RUN_CHROOTED != yes - test -L /var/run/named && rm /var/run/named - if [ ! -d /var/run/named ]; then - mkdir -p /var/run/named - chown named: /var/run/named - fi + test -L /var/run/named && rm /var/run/named + if [ ! -d /var/run/named ]; then + mkdir -p /var/run/named + chown named: /var/run/named fi - export checkAndCopyConfigFilesCalled="yes" + export checkConfigFilesCalled="yes" } # Check the syntax of our 'named' configuration. @@ -202,7 +158,7 @@ { test "${namedConfChecked}" = "yes" && return if ! ${NAMED_CHECKCONF_BIN} ${NAMED_CHECKCONF_ARGS} >/dev/null; then - checkAndCopyConfigFiles + checkConfigFiles if ! ${NAMED_CHECKCONF_BIN} ${NAMED_CHECKCONF_ARGS}; then rc_status -s rc_failed 6 @@ -228,7 +184,7 @@ 1) echo -n "- Warning: ${NAMED_PID} exists! " ;; esac initializeNamed - checkAndCopyConfigFiles + checkConfigFiles namedCheckConf start_daemon -p ${NAMED_PID} ${NAMED_BIN} ${NAMED_ARGS} -u named rc_status -v 
@@ -313,7 +269,7 @@ if [ ${rc} -ne 0 ]; then echo "- Warning: named not running! " else - checkAndCopyConfigFiles + checkConfigFiles namedCheckConf initializeNamed ${RNDC_BIN} status &>/dev/null diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/sysconfig/named-common new/vendor-files/sysconfig/named-common --- old/vendor-files/sysconfig/named-common 2004-09-27 20:19:58.000000000 +0200 +++ new/vendor-files/sysconfig/named-common 2021-01-21 14:27:46.334643547 +0100 @@ -1,21 +1,9 @@ ## Path: Network/DNS/Name Server ## Description: Names server settings -## Type: yesno -## Default: yes -## ServiceRestart: lwresd,named -# -# Shall the DNS server 'named' or the LightWeight RESolver Daemon, lwresd run -# in the chroot jail /var__NSD__/named/? -# -# Each time you start one of the daemons with the init script, /etc/named.conf, -# /etc/named.conf.include, /etc/rndc.key, and all files listed in -# NAMED_CONF_INCLUDE_FILES will be copied relative to /var__NSD__/named/. -# -# The pid file will be in /var__NSD__/named/var/run/named/ and named named.pid -# or lwresd.pid. -# -NAMED_RUN_CHROOTED="yes" +# "named" and "lwresd" are now protected/restricted by appropriate directives +# in the "named.service" and "lwresd.service" systemd unit files. +# As a consequence, the NAMED_RUN_CHROOTED variable is obsolete and has been removed. ## Type: string ## Default: "" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/sysconfig/named-named new/vendor-files/sysconfig/named-named --- old/vendor-files/sysconfig/named-named 2020-08-06 14:34:50.884515125 +0200 +++ new/vendor-files/sysconfig/named-named 2021-01-21 14:25:53.326648423 +0100 
@@ -1,21 +1,6 @@ -## Type: string -## Default: "" -## ServiceReload: named -# -# All mentioned config files will be copied relativ to /var__NSD__/named/, when -# 'named' is started in the chroot jail. -# -# /etc/named.conf and /etc/rndc.key are always copied. Also all files from -# include statements in named.conf. -# -# Filenames can be relative to /etc/named.d/. -# -# Please take care of the order if one file needs a setting of another. -# -# Example: "/etc/named-dhcpd.key ldap.dump rndc-access.conf" -# -# /etc/bind.keys is already included to suppress named warning about missing file. -NAMED_CONF_INCLUDE_FILES="/etc/bind.keys" +# NOTE: "named" and "lwresd" are now protected/resticted by directives +# in the "named.service" and "lwresd.service" systemd unit files. +# Therefore the NAMED_CONF_INCLUDE_FILES variable has been made obsolete ## Type: string ## Default: "createNamedConfInclude" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/sysconfig/syslog-named new/vendor-files/sysconfig/syslog-named --- old/vendor-files/sysconfig/syslog-named 2004-09-06 23:12:41.000000000 +0200 +++ new/vendor-files/sysconfig/syslog-named 1970-01-01 01:00:00.000000000 +0100 
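Review bot: The replacement comment has a typo (`resticted`) and loses the one fact an administrator needs: the removed block said /etc/bind.keys was included via NAMED_CONF_INCLUDE_FILES to silence named's warning about the missing file. If createNamedConfInclude still consumes NAMED_CONF_INCLUDE_FILES (it is not in this diff, so I cannot tell), removing the default silently drops /etc/bind.keys from named.conf.include; if it no longer does, the comment should say where include files are configured now. A wording that keeps the fact would be `# NAMED_CONF_INCLUDE_FILES is obsolete: "named" and "lwresd" are now restricted by the named.service and lwresd.service unit files; /etc/bind.keys is included by <PLACEHOLDER: current mechanism>.`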
@@ -1,13 +0,0 @@ -## Type: string -## Default: "/var__NSD__/named/dev/log" -## ServiceRestart: syslog -## Config: syslog-ng -# -# The filename mentioned here will be added with the "-a ..." option as -# additional socket via SYSLOGD_PARAMS when syslogd is started. -# -# This additional socket is needed in case that syslogd is restarted. Otherwise -# a chrooted 'named' or 'lwresd' won't be able to continue logging. -# -SYSLOGD_ADDITIONAL_SOCKET_NAMED="/var__NSD__/named/dev/log" - diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/system/lwresd.init new/vendor-files/system/lwresd.init --- old/vendor-files/system/lwresd.init 2020-09-18 15:23:07.678833158 +0200 +++ new/vendor-files/system/lwresd.init 2021-01-21 14:29:12.602639825 +0100 @@ -21,14 +21,7 @@ cp -a /var/adm/fillup-templates/sysconfig.named-common ${SYSCONFIG_FILE} . ${SYSCONFIG_FILE} -if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then - CHROOT_PREFIX="/var__NSD__/named" - NAMED_ARGS="${NAMED_ARGS} -t ${CHROOT_PREFIX}" -else - CHROOT_PREFIX="" -fi - -LWRESD_PID="${CHROOT_PREFIX}/var/run/named/lwresd.pid" +LWRESD_PID="/var/run/named/lwresd.pid" function warnMessage() { @@ -38,20 +31,10 @@ echo -e "$1 " } -# Create destination directory in the chroot. -function makeDestDir +# Check if all needed configuration files exist. +function checkConfigFiles { - if [ ! -d "${CHROOT_PREFIX}/${configfile%/*}" ]; then - umask 0022 - mkdir -p "${CHROOT_PREFIX}/${configfile%/*}" - fi -} - -# Check if all needed configuration files exist and copy these files relativly -# to the chroot directory if 'named' runs chrooted. -function checkAndCopyConfigFiles -{ - test "${checkAndCopyConfigFilesCalled}" = "yes" && return + test "${checkConfigFilesCalled}" = "yes" && return # check for /etc/rndc.key if [ ! -f /etc/rndc.key ]; then warnMessage "File /etc/rndc.key not found. Creating it." 
@@ -61,55 +44,18 @@ fi # Handle known configuration files. - if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then - # Create link if needed, /var/run might be on tmpfs - test -d /var/run/named && \ - rm -rf /var/run/named - test ! -L /var/run/named && \ - ln -s ${CHROOT_PREFIX}/var/run/named /var/run/named - - # mount /proc for multicore CPUs (bnc#470828) - if [ ! -e "${CHROOT_PREFIX}/proc/meminfo" ]; then - mkdir -p "${CHROOT_PREFIX}/proc" - mount -tproc -oro,nosuid,nodev,noexec proc ${CHROOT_PREFIX}/proc 2>/dev/null - fi; - - for configfile in /etc/{localtime,lwresd.conf,resolv.conf,rndc.key}; do - if [ ! -e ${configfile} ]; then - case ${configfile} in - # Don't complain if we don't have a lwresd.conf - /etc/lwresd.conf) - rm -f "${CHROOT_PREFIX}/${configfile}" # clean chroot env. - continue ;; - # Don't complain if we don't have a key. - /etc/rndc.key) continue ;; - *) - warnMessage "File ${configfile} not found. Skipping." - continue - ;; - esac - fi - makeDestDir - rm -f ${CHROOT_PREFIX}/${configfile} - cp -a -L ${configfile} ${CHROOT_PREFIX}/${configfile%/*} - done - mkdir -p ${CHROOT_PREFIX}/__openssl__ - cp -r __openssl__/* ${CHROOT_PREFIX}/__openssl__ - else - # NAMED_RUN_CHROOTED != yes - test -L /var/run/named && rm /var/run/named - if [ ! -d /var/run/named ]; then - mkdir -p /var/run/named - chown named: /var/run/named - fi + test -L /var/run/named && rm /var/run/named + if [ ! 
-d /var/run/named ]; then + mkdir -p /var/run/named + chown named: /var/run/named fi - export checkAndCopyConfigFilesCalled="yes" + export checkConfigFilesCalled="yes" } case "$1" in start) echo -n "Starting Lightweight resolver daemon " - checkAndCopyConfigFiles + checkConfigFiles exec ${LWRESD_BIN} ${NAMED_ARGS} -u named ;; *) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/system/lwresd.service new/vendor-files/system/lwresd.service --- old/vendor-files/system/lwresd.service 2018-12-10 10:23:42.436909759 +0100 +++ new/vendor-files/system/lwresd.service 2021-01-25 14:57:34.503653713 +0100 @@ -1,12 +1,25 @@ [Unit] Description=Lightweight Resolver Daemon After=network.target -Before=nss-lookup.target +After=time-set.target Wants=nss-lookup.target +Wants=time-set.target [Service] Type=forking ExecStart=/usr/sbin/lwresd.init start +ProtectSystem=strict +ReadWritePaths=/var/lib/named /var/run /etc/named.conf.include /etc/named.conf.include.BINDconfig +PrivateDevices=yes +PrivateTmp=yes +ProtectHome=yes +ProtectHostname=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectKernelLogs=yes +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes [Install] WantedBy=multi-user.target diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/system/named.init new/vendor-files/system/named.init --- old/vendor-files/system/named.init 2020-09-18 15:23:14.838833386 +0200 +++ new/vendor-files/system/named.init 2021-01-21 14:30:03.954637609 +0100 
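Review bot: `Before=nss-lookup.target` is replaced by `After=time-set.target` rather than supplemented, so `Wants=nss-lookup.target` remains while the ordering that made it meaningful is gone: units that wait for nss-lookup.target can now start before the resolver is up. It looks like the intent was to add the time-set ordering, not to drop the existing one; keep `Before=nss-lookup.target` alongside the two new time-set.target lines. The sandboxing directives share the concerns raised on the named.service hunk below.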
@@ -51,17 +51,9 @@ done fi -if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then - CHROOT_PREFIX="/var__NSD__/named" - NAMED_ARGS="${NAMED_ARGS} -t ${CHROOT_PREFIX}" - NAMED_CHECKCONF_ARGS="-t ${CHROOT_PREFIX}" -else - CHROOT_PREFIX="" -fi - NAMED_CHECKCONF_BIN="/usr/sbin/named-checkconf" NAMED_CONF_META_INCLUDE_FILE_SCRIPT="/usr/share/bind/createNamedConfInclude" -NAMED_PID="${CHROOT_PREFIX}/var/run/named/named.pid" +NAMED_PID="var/run/named/named.pid" RNDC_BIN="/usr/sbin/rndc" if [ ! -x ${NAMED_BIN} -a "$1" != "stop" ] ; then @@ -103,20 +95,10 @@ return ${rc} } -# Create destination directory in the chroot. -function makeDestDir +# Check if all needed configuration files exist. +function checkConfigFiles { - if [ ! -d "${CHROOT_PREFIX}/${configfile%/*}" ]; then - umask 0022 - mkdir -p "${CHROOT_PREFIX}/${configfile%/*}" - fi -} - -# Check if all needed configuration files exist and copy these files relativly -# to the chroot directory if 'named' runs chrooted. -function checkAndCopyConfigFiles -{ - test "${checkAndCopyConfigFilesCalled}" = "yes" && return + test "${checkConfigFilesCalled}" = "yes" && return # check for /etc/rndc.key if [ ! -f /etc/rndc.key ]; then warnMessage "File /etc/rndc.key not found. Creating it." 
@@ -126,38 +108,12 @@ fi # Handle known configuration files. - if [ "${NAMED_RUN_CHROOTED}" = "yes" ]; then - # Create link if needed, /var/run might be on tmpfs - test -d /var/run/named && \ - rm -rf /var/run/named - test ! -L /var/run/named && \ - ln -s ${CHROOT_PREFIX}/var/run/named /var/run/named - - NAMED_D="/etc/named.d" - # delete old named.d - test -z "${CHROOT_PREFIX}${NAMED_D}" || rm -rf ${CHROOT_PREFIX}${NAMED_D} - # copy new - cp -a -L ${NAMED_D} ${CHROOT_PREFIX}${NAMED_D%/*} - for configfile in ${NAMED_CONF_INCLUDE_FILES} "${NAMED_CONF}" "${NAMED_CONF_META_INCLUDE_FILE}" /etc/{localtime,rndc.key,ssl/openssl.cnf}; do - if [ ! -e ${configfile} ]; then - warnMessage "File ${configfile} not found. Skipping." - continue - fi - makeDestDir - rm -f ${CHROOT_PREFIX}/${configfile} - cp -a -L ${configfile} ${CHROOT_PREFIX}/${configfile%/*} - done - mkdir -p ${CHROOT_PREFIX}/__openssl__ - cp -r __openssl__/* ${CHROOT_PREFIX}/__openssl__ - else - # NAMED_RUN_CHROOTED != yes - test -L /var/run/named && rm /var/run/named - if [ ! -d /var/run/named ]; then - mkdir -p /var/run/named - chown named: /var/run/named - fi + test -L /var/run/named && rm /var/run/named + if [ ! -d /var/run/named ]; then + mkdir -p /var/run/named + chown named: /var/run/named fi - export checkAndCopyConfigFilesCalled="yes" + export checkConfigFilesCalled="yes" } # Check the syntax of our 'named' configuration. @@ -165,7 +121,7 @@ { test "${namedConfChecked}" = "yes" && return if ! ${NAMED_CHECKCONF_BIN} ${NAMED_CHECKCONF_ARGS} >/dev/null; then - checkAndCopyConfigFiles + checkConfigFiles if ! ${NAMED_CHECKCONF_BIN} ${NAMED_CHECKCONF_ARGS}; then exit 6 fi @@ -184,7 +140,7 @@ fi initializeNamed - checkAndCopyConfigFiles + checkConfigFiles namedCheckConf start_daemon -p ${NAMED_PID} ${NAMED_BIN} ${NAMED_ARGS} -u named ;; 
@@ -207,7 +163,7 @@ ;; reload) echo -n "Reloading name server BIND " - checkAndCopyConfigFiles + checkConfigFiles namedCheckConf initializeNamed ${RNDC_BIN} status &>/dev/null diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor-files/system/named.service new/vendor-files/system/named.service --- old/vendor-files/system/named.service 2020-11-11 11:57:09.079024113 +0100 +++ new/vendor-files/system/named.service 2021-01-25 14:57:39.263653508 +0100 @@ -10,6 +10,18 @@ ExecStart=/usr/sbin/named.init start ExecReload=/usr/sbin/named.init reload ExecStop=/usr/sbin/named.init stop +ProtectSystem=strict +ReadWritePaths=/var/lib/named /var/run /etc/named.conf.include /etc/named.conf.include.BINDconfig +PrivateDevices=yes +PrivateTmp=yes +ProtectHome=yes +ProtectHostname=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectKernelLogs=yes +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes [Install] WantedBy=multi-user.target
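Review bot: `ReadWritePaths=/var/run` opens the whole runtime directory for writing although the scripts only touch /var/run/named; on systems where /var/run is a symlink to /run that is every other service's runtime state, and `RuntimeDirectory=named` (narrowing ReadWritePaths to the remaining entries) would let systemd create /run/named and make the mkdir in checkConfigFiles unnecessary, provided the ownership still suits `named -u named`. The two include files are listed without the `-` prefix, so if an administrator ever removes /etc/named.conf.include.BINDconfig the unit fails during namespace setup instead of in named with a readable error; `-/etc/named.conf.include.BINDconfig` makes the entry optional. /etc/rndc.key is not in the list at all, yet checkConfigFiles in named.init still tries to create it ("File /etc/rndc.key not found. Creating it." in the context lines), which cannot succeed under ProtectSystem=strict — either add the key file to ReadWritePaths= or drop that fallback and rely on the %post creation. The same points apply to the lwresd.service hunk above.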
