Re: [Freeipa-devel] [PATCH 0151] Disallow all zone transfers/queries if transfer/query policy configuration failed

2013-05-14 Thread Petr Spacek

On 9.5.2013 14:20, Tomas Hozza wrote:

On 04/19/2013 12:44 PM, Petr Spacek wrote:

Hello,

Disallow all zone transfers/queries if transfer/query policy
configuration failed.

Without this patch the old policy stays in effect
if re-configuration with the new policy failed.

https://fedorahosted.org/bind-dyndb-ldap/ticket/116



ACK.

Patch looks OK!


Pushed to master: 0a5051392e218702a37073823101cbb6553b9445

--
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0151] Disallow all zone transfers/queries if transfer/query policy configuration failed

2013-05-09 Thread Tomas Hozza
On 04/19/2013 12:44 PM, Petr Spacek wrote:
 Hello,
 
 Disallow all zone transfers/queries if transfer/query policy
 configuration failed.
 
 Without this patch the old policy stays in effect
 if re-configuration with the new policy failed.
 
 https://fedorahosted.org/bind-dyndb-ldap/ticket/116
 

ACK.

Patch looks OK!


Regards,

Tomas Hozza



[Freeipa-devel] [PATCH 0151] Disallow all zone transfers/queries if transfer/query policy configuration failed

2013-04-19 Thread Petr Spacek

Hello,

Disallow all zone transfers/queries if transfer/query policy configuration 
failed.

Without this patch the old policy stays in effect
if re-configuration with the new policy failed.

https://fedorahosted.org/bind-dyndb-ldap/ticket/116

--
Petr^2 Spacek
From f2f1207d16e2ae91f824c7543722bf262884fecc Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Fri, 19 Apr 2013 12:41:04 +0200
Subject: [PATCH] Disallow all zone transfers/queries if transfer/query policy
 configuration failed.

Without this patch the old policy stays in effect
if re-configuration with the new policy failed.

https://fedorahosted.org/bind-dyndb-ldap/ticket/116

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 src/acl.c |  7 +++
 src/acl.h |  3 +++
 src/ldap_helper.c | 52 ++--
 3 files changed, 52 insertions(+), 10 deletions(-)

diff --git a/src/acl.c b/src/acl.c
index 0adc82cebc5bc514647084f42bd8a115a88c6bb2..754cd53dc3d31b99d0954836feafbd46747c48c2 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -64,6 +64,7 @@
 #include str.h
 #include util.h
 #include log.h
+#include types.h
 
 static isc_once_t once = ISC_ONCE_INIT;
 static cfg_type_t *update_policy;
@@ -84,6 +85,12 @@ static cfg_type_t cfg_type_empty_map = {
 
 static cfg_type_t *empty_map_p = cfg_type_empty_map;
 
+const enum_txt_assoc_t acl_type_txts[] = {
+	{ acl_type_query,	query		},
+	{ acl_type_transfer,	transfer	},
+	{ -1,			NULL		} /* end marker */
+};
+
 static cfg_type_t *
 get_type_from_tuplefield(const cfg_type_t *cfg_type, const char *name)
 {
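Review bot: The new `acl_type_txts` table pairs each `acl_type_t` value with a name, but nothing records that it has to be kept in step with the enum in acl.h; an ACL type added there without a row here makes `get_enum_description` fail and the caller's log line fall back to the "unknown" text. A one-line comment above the table, `/* keep in sync with acl_type_t in acl.h */`, would make that coupling visible. The `{ -1, NULL }` row reads as the terminator `get_enum_description` scans for; that is inferred from the row itself, so confirm against the `enum_txt_assoc_t` definition in types.h before documenting it as such.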
diff --git a/src/acl.h b/src/acl.h
index 7e4471bcc3624719f384d3ced54914631d1136c1..3e99490cfe614867117beb96a07e6bf9fdc72fbe 100644
--- a/src/acl.h
+++ b/src/acl.h
@@ -22,14 +22,17 @@
 #define _LD_ACL_H_
 
 #include ldap_entry.h
+#include types.h
 
 #include dns/acl.h
 
 typedef enum acl_type {
 	acl_type_query,
 	acl_type_transfer
 } acl_type_t;
 
+extern const enum_txt_assoc_t acl_type_txts[];
+
 isc_result_t
 acl_configure_zone_ssutable(const char *policy_str, dns_zone_t *zone);
 
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 4d8fb084e6564597dd694a905d749870c8626c94..4bcdf5e3e400eeac3214e8e7fdc9e11a5b471ab6 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -762,6 +762,44 @@ cleanup:
 	return result;
 }
 
+static isc_result_t
+configure_zone_acl(isc_mem_t *mctx, dns_zone_t *zone,
+		void (acl_setter)(dns_zone_t *zone, dns_acl_t *acl),
+		const char *aclstr, acl_type_t type) {
+	isc_result_t result;
+	isc_result_t result2;
+	dns_acl_t *acl = NULL;
+	const char *type_txt = NULL;
+
+	result = acl_from_ldap(mctx, aclstr, type, acl);
+	if (result != ISC_R_SUCCESS) {
+		result2 = get_enum_description(acl_type_txts, type, type_txt);
+		if (result2 != ISC_R_SUCCESS) {
+			log_bug(invalid acl type %u, type);
+			type_txt = unknown;
+		}
+
+		dns_zone_logc(zone, DNS_LOGCATEGORY_SECURITY, ISC_LOG_ERROR,
+			  %s policy is invalid: %s; configuring most 
+			  restrictive %s policy as possible,
+			  type_txt, isc_result_totext(result), type_txt);
+		result2 = acl_from_ldap(mctx, , type, acl);
+		if (result2 != ISC_R_SUCCESS) {
+			dns_zone_logc(zone, DNS_LOGCATEGORY_SECURITY, ISC_LOG_CRITICAL,
+  cannot configure restrictive %s policy: %s,
+  type_txt, isc_result_totext(result2));
+			FATAL_ERROR(__FILE__, __LINE__,
+insecure state detected);
+		}
+	}
+	acl_setter(zone, acl);
+
+	if (acl != NULL)
+		dns_acl_detach(acl);
+
+	return result;
+}
+
 /* In BIND9 terminology ssu means Simple Secure Update */
 static isc_result_t
 configure_zone_ssutable(dns_zone_t *zone, const char *update_str)
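Review bot: `configure_zone_acl` installs the restrictive fallback ACL and then still returns the original `result` from the failed `acl_from_ldap` call, so a non-success return does not mean the zone was left untouched; that contract deserves a comment above the function, e.g. `/* On an invalid policy the zone ACL is replaced by the most restrictive one (empty policy) and the original parse error is returned; callers may propagate the error but the zone is already fail-closed. */`. The fail-closed property also rests on the fallback call with an empty policy string yielding a deny-all ACL rather than a "not set" default; that behaviour lives in acl.c and is not visible in this hunk, so a short comment on the fallback call naming that assumption would help the next reader. The `FATAL_ERROR` on the second failure is the right fail-closed choice, but note in the same comment that it terminates the process so the condition is not mistaken for a recoverable error. `configure_zone_ssutable` at the end of the hunk continues outside it.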
@@ -1346,24 +1384,18 @@ ldap_parse_master_zoneentry(ldap_entry_t *entry, ldap_instance_t *inst)
 	log_debug(2, Setting allow-query for %p: %s, zone, dn);
 	result = ldap_entry_getvalues(entry, idnsAllowQuery, values);
 	if (result == ISC_R_SUCCESS) {
-		dns_acl_t *queryacl = NULL;
-		CHECK(acl_from_ldap(inst-mctx, HEAD(values)-value,
-		  acl_type_query, queryacl));
-		dns_zone_setqueryacl(zone, queryacl);
-		dns_acl_detach(queryacl);
+		CHECK(configure_zone_acl(inst-mctx, zone, dns_zone_setqueryacl,
+	 HEAD(values)-value, acl_type_query));
 	} else {
 		log_debug(2, allow-query not set);
 		dns_zone_clearqueryacl(zone);
 	}
 
 	log_debug(2, Setting allow-transfer for %p: %s, zone, dn);
 	result = ldap_entry_getvalues(entry, idnsAllowTransfer, values);
 	if (result == ISC_R_SUCCESS) {
-		dns_acl_t *transferacl = NULL;
-		CHECK(acl_from_ldap(inst-mctx, HEAD(values)-value,
-		  acl_type_transfer, transferacl));
-		dns_zone_setxfracl(zone, transferacl);
-		dns_acl_detach(transferacl);
+		CHECK(configure_zone_acl(inst-mctx, zone, dns_zone_setxfracl,
+	 HEAD(values)-value, acl_type_transfer));
 	} else {
 		log_debug(2, allow-transfer not set);
 		dns_zone_clearxfracl(zone);
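Review bot: The query branch wraps `configure_zone_acl` in `CHECK`, so an invalid allow-query policy jumps to cleanup before the allow-transfer block below is reached; if this path is also used to re-apply a changed entry to an existing zone (the commit message suggests it is), the previous transfer ACL then stays in effect, which is exactly the situation this commit sets out to remove for the other attribute. Since `configure_zone_acl` has already installed the restrictive fallback, the two call sites could record the first failure in a local instead of `CHECK`ing, continue through the transfer block, and only then return that error. `ldap_parse_master_zoneentry` begins and ends outside this hunk, so the declarations and the cleanup label this would touch are not visible here.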
-- 
1.7.11.7
