bind*: Remove privileges from SMF method script. This inadvertently opened up the named process to more privileges than necessary and could be considered a security risk. This may affect chroot support, adding back in support for that will need to be done carefully. Bump PKGREVISIONs.
diff -r1.10 -r1.11 pkgsrc/net/bind911/Makefile
(jperkin)
@@ -1,17 +1,18 @@ | @@ -1,17 +1,18 @@ | |||
1 | # $NetBSD: Makefile,v 1.10 2019/06/20 02:13:58 taca Exp $ | 1 | # $NetBSD: Makefile,v 1.11 2019/06/28 17:01:30 jperkin Exp $ | |
2 | 2 | |||
3 | DISTNAME= bind-${BIND_VERSION} | 3 | DISTNAME= bind-${BIND_VERSION} | |
4 | PKGNAME= ${DISTNAME:S/-P/pl/} | 4 | PKGNAME= ${DISTNAME:S/-P/pl/} | |
5 | PKGREVISION= 1 | |||
5 | CATEGORIES= net | 6 | CATEGORIES= net | |
6 | MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/ | 7 | MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/ | |
7 | 8 | |||
8 | MAINTAINER= pkgsrc-users@NetBSD.org | 9 | MAINTAINER= pkgsrc-users@NetBSD.org | |
9 | HOMEPAGE= http://www.isc.org/software/bind/ | 10 | HOMEPAGE= http://www.isc.org/software/bind/ | |
10 | COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.11 | 11 | COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.11 | |
11 | LICENSE= mpl-2.0 | 12 | LICENSE= mpl-2.0 | |
12 | 13 | |||
13 | CONFLICTS+= host-[0-9]* | 14 | CONFLICTS+= host-[0-9]* | |
14 | 15 | |||
15 | MAKE_JOBS_SAFE= no | 16 | MAKE_JOBS_SAFE= no | |
16 | 17 | |||
17 | BIND_VERSION= 9.11.8 | 18 | BIND_VERSION= 9.11.8 |
@@ -229,27 +229,27 @@ case "$method" in | @@ -229,27 +229,27 @@ case "$method" in | |||
229 | echo ${msg} >&2 | 229 | echo ${msg} >&2 | |
230 | /usr/bin/logger -p daemon.error ${msg} | 230 | /usr/bin/logger -p daemon.error ${msg} | |
231 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | 231 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | |
232 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | 232 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | |
233 | fi | 233 | fi | |
234 | # dns-server should be placed in maintenance state. | 234 | # dns-server should be placed in maintenance state. | |
235 | exit ${SMF_EXIT_ERR_CONFIG} | 235 | exit ${SMF_EXIT_ERR_CONFIG} | |
236 | fi | 236 | fi | |
237 | fi | 237 | fi | |
238 | 238 | |||
239 | if [ ${result} = ${SMF_EXIT_OK} ]; then | 239 | if [ ${result} = ${SMF_EXIT_OK} ]; then | |
240 | echo "$I: Executing: ${server} ${cmdopts}" | 240 | echo "$I: Executing: ${server} ${cmdopts}" | |
241 | # Execute named(1M) with relevant command line options. | 241 | # Execute named(1M) with relevant command line options. | |
242 | ppriv -s A-all -s A+basic,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot,proc_setid -e ${server} ${cmdopts} | 242 | ${server} ${cmdopts} | |
243 | result=$? | 243 | result=$? | |
244 | fi | 244 | fi | |
245 | ;; | 245 | ;; | |
246 | 'stop') | 246 | 'stop') | |
247 | get_config | 247 | get_config | |
248 | 248 | |||
249 | smf_kill_contract ${contract} TERM 1 | 249 | smf_kill_contract ${contract} TERM 1 | |
250 | [ $? -ne 0 ] && exit 1 | 250 | [ $? -ne 0 ] && exit 1 | |
251 | 251 | |||
252 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | 252 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | |
253 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | 253 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | |
254 | fi | 254 | fi | |
255 | 255 |
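Review bot: The start branch now runs `${server} ${cmdopts}` with whatever privilege set the method script inherits, and nothing at that line records where the restriction is expected to come from. On SMF that is presumably the method context in the service manifest, which this page does not show, so I would confirm it actually limits named and add a comment at the call such as `# Privileges are inherited from the SMF method context; none are granted here (chroot needs proc_chroot).` The `chroot_dir` handling in the same hunk is kept, so a configured chroot may now fail at start; that looks like the regression the commit message mentions, and as far as this hunk shows it would surface only through `result=$?`. The same applies to the identical hunks for the 9.12 and 9.14 packages further down the page, and the enclosing `case "$method"` block starts and ends outside the hunk.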
@@ -1,17 +1,18 @@ | @@ -1,17 +1,18 @@ | |||
1 | # $NetBSD: Makefile,v 1.12 2019/06/20 02:15:20 taca Exp $ | 1 | # $NetBSD: Makefile,v 1.13 2019/06/28 17:01:30 jperkin Exp $ | |
2 | 2 | |||
3 | DISTNAME= bind-${BIND_VERSION} | 3 | DISTNAME= bind-${BIND_VERSION} | |
4 | PKGNAME= ${DISTNAME:S/-P/pl/} | 4 | PKGNAME= ${DISTNAME:S/-P/pl/} | |
5 | PKGREVISION= 1 | |||
5 | CATEGORIES= net | 6 | CATEGORIES= net | |
6 | MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/ | 7 | MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/ | |
7 | 8 | |||
8 | MAINTAINER= pkgsrc-users@NetBSD.org | 9 | MAINTAINER= pkgsrc-users@NetBSD.org | |
9 | HOMEPAGE= http://www.isc.org/software/bind/ | 10 | HOMEPAGE= http://www.isc.org/software/bind/ | |
10 | COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.12 | 11 | COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.12 | |
11 | LICENSE= mpl-2.0 | 12 | LICENSE= mpl-2.0 | |
12 | 13 | |||
13 | CONFLICTS+= host-[0-9]* | 14 | CONFLICTS+= host-[0-9]* | |
14 | 15 | |||
15 | MAKE_JOBS_SAFE= no | 16 | MAKE_JOBS_SAFE= no | |
16 | USE_CWRAPPERS= no | 17 | USE_CWRAPPERS= no | |
17 | 18 |
@@ -229,27 +229,27 @@ case "$method" in | @@ -229,27 +229,27 @@ case "$method" in | |||
229 | echo ${msg} >&2 | 229 | echo ${msg} >&2 | |
230 | /usr/bin/logger -p daemon.error ${msg} | 230 | /usr/bin/logger -p daemon.error ${msg} | |
231 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | 231 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | |
232 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | 232 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | |
233 | fi | 233 | fi | |
234 | # dns-server should be placed in maintenance state. | 234 | # dns-server should be placed in maintenance state. | |
235 | exit ${SMF_EXIT_ERR_CONFIG} | 235 | exit ${SMF_EXIT_ERR_CONFIG} | |
236 | fi | 236 | fi | |
237 | fi | 237 | fi | |
238 | 238 | |||
239 | if [ ${result} = ${SMF_EXIT_OK} ]; then | 239 | if [ ${result} = ${SMF_EXIT_OK} ]; then | |
240 | echo "$I: Executing: ${server} ${cmdopts}" | 240 | echo "$I: Executing: ${server} ${cmdopts}" | |
241 | # Execute named(1M) with relevant command line options. | 241 | # Execute named(1M) with relevant command line options. | |
242 | ppriv -s A-all -s A+basic,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot,proc_setid -e ${server} ${cmdopts} | 242 | ${server} ${cmdopts} | |
243 | result=$? | 243 | result=$? | |
244 | fi | 244 | fi | |
245 | ;; | 245 | ;; | |
246 | 'stop') | 246 | 'stop') | |
247 | get_config | 247 | get_config | |
248 | 248 | |||
249 | smf_kill_contract ${contract} TERM 1 | 249 | smf_kill_contract ${contract} TERM 1 | |
250 | [ $? -ne 0 ] && exit 1 | 250 | [ $? -ne 0 ] && exit 1 | |
251 | 251 | |||
252 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | 252 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | |
253 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | 253 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | |
254 | fi | 254 | fi | |
255 | 255 |
@@ -1,17 +1,18 @@ | @@ -1,17 +1,18 @@ | |||
1 | # $NetBSD: Makefile,v 1.6 2019/06/20 02:16:53 taca Exp $ | 1 | # $NetBSD: Makefile,v 1.7 2019/06/28 17:01:30 jperkin Exp $ | |
2 | 2 | |||
3 | DISTNAME= bind-${BIND_VERSION} | 3 | DISTNAME= bind-${BIND_VERSION} | |
4 | PKGNAME= ${DISTNAME:S/-P/pl/} | 4 | PKGNAME= ${DISTNAME:S/-P/pl/} | |
5 | PKGREVISION= 1 | |||
5 | CATEGORIES= net | 6 | CATEGORIES= net | |
6 | MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/ | 7 | MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/ | |
7 | 8 | |||
8 | MAINTAINER= pkgsrc-users@NetBSD.org | 9 | MAINTAINER= pkgsrc-users@NetBSD.org | |
9 | HOMEPAGE= http://www.isc.org/software/bind/ | 10 | HOMEPAGE= http://www.isc.org/software/bind/ | |
10 | COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.14 | 11 | COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.14 | |
11 | LICENSE= mpl-2.0 | 12 | LICENSE= mpl-2.0 | |
12 | 13 | |||
13 | CONFLICTS+= host-[0-9]* | 14 | CONFLICTS+= host-[0-9]* | |
14 | 15 | |||
15 | MAKE_JOBS_SAFE= no | 16 | MAKE_JOBS_SAFE= no | |
16 | 17 | |||
17 | BIND_VERSION= 9.14.3 | 18 | BIND_VERSION= 9.14.3 |
@@ -229,27 +229,27 @@ case "$method" in | @@ -229,27 +229,27 @@ case "$method" in | |||
229 | echo ${msg} >&2 | 229 | echo ${msg} >&2 | |
230 | /usr/bin/logger -p daemon.error ${msg} | 230 | /usr/bin/logger -p daemon.error ${msg} | |
231 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | 231 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | |
232 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | 232 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | |
233 | fi | 233 | fi | |
234 | # dns-server should be placed in maintenance state. | 234 | # dns-server should be placed in maintenance state. | |
235 | exit ${SMF_EXIT_ERR_CONFIG} | 235 | exit ${SMF_EXIT_ERR_CONFIG} | |
236 | fi | 236 | fi | |
237 | fi | 237 | fi | |
238 | 238 | |||
239 | if [ ${result} = ${SMF_EXIT_OK} ]; then | 239 | if [ ${result} = ${SMF_EXIT_OK} ]; then | |
240 | echo "$I: Executing: ${server} ${cmdopts}" | 240 | echo "$I: Executing: ${server} ${cmdopts}" | |
241 | # Execute named(1M) with relevant command line options. | 241 | # Execute named(1M) with relevant command line options. | |
242 | ppriv -s A-all -s A+basic,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot,proc_setid -e ${server} ${cmdopts} | 242 | ${server} ${cmdopts} | |
243 | result=$? | 243 | result=$? | |
244 | fi | 244 | fi | |
245 | ;; | 245 | ;; | |
246 | 'stop') | 246 | 'stop') | |
247 | get_config | 247 | get_config | |
248 | 248 | |||
249 | smf_kill_contract ${contract} TERM 1 | 249 | smf_kill_contract ${contract} TERM 1 | |
250 | [ $? -ne 0 ] && exit 1 | 250 | [ $? -ne 0 ] && exit 1 | |
251 | 251 | |||
252 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | 252 | if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then | |
253 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | 253 | umount_chroot ${chroot_dir} ${configuration_files} ${libraries} | |
254 | fi | 254 | fi | |
255 | 255 |