Fri Jun 28 17:01:31 2019 UTC ()
bind*: Remove privileges from SMF method script.

This inadvertently opened up the named process to more privileges than
necessary and could be considered a security risk.  This may affect chroot
support; adding support for it back in will need to be done carefully.

Bump PKGREVISIONs.


(jperkin)
diff -r1.10 -r1.11 pkgsrc/net/bind911/Makefile
diff -r1.3 -r1.4 pkgsrc/net/bind911/files/smf/named.sh
diff -r1.12 -r1.13 pkgsrc/net/bind912/Makefile
diff -r1.3 -r1.4 pkgsrc/net/bind912/files/smf/named.sh
diff -r1.6 -r1.7 pkgsrc/net/bind914/Makefile
diff -r1.2 -r1.3 pkgsrc/net/bind914/files/smf/named.sh

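--- a/pkgsrc/net/bind911/Attic/Makefile
+++ b/pkgsrc/net/bind911/Attic/Makefile
@@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.10 2019/06/20 02:13:58 taca Exp $
+# $NetBSD: Makefile,v 1.11 2019/06/28 17:01:30 jperkin Exp $
 
 DISTNAME= bind-${BIND_VERSION}
 PKGNAME= ${DISTNAME:S/-P/pl/}
+PKGREVISION= 1
 CATEGORIES= net
 MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.isc.org/software/bind/
 COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.11
 LICENSE= mpl-2.0
 
 CONFLICTS+= host-[0-9]*
 
 MAKE_JOBS_SAFE= no
 
 BIND_VERSION= 9.11.8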

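--- a/pkgsrc/net/bind911/files/smf/Attic/named.sh
+++ b/pkgsrc/net/bind911/files/smf/Attic/named.sh
@@ -229,27 +229,27 @@ case "$method" in
 echo ${msg} >&2
 /usr/bin/logger -p daemon.error ${msg}
 if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
 umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
 fi
 # dns-server should be placed in maintenance state.
 exit ${SMF_EXIT_ERR_CONFIG}
 fi
 fi
 
 if [ ${result} = ${SMF_EXIT_OK} ]; then
 echo "$I: Executing: ${server} ${cmdopts}"
 # Execute named(1M) with relevant command line options.
-ppriv -s A-all -s A+basic,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot,proc_setid -e ${server} ${cmdopts}
+${server} ${cmdopts}
 result=$?
 fi
 ;;
 'stop')
 get_config
 
 smf_kill_contract ${contract} TERM 1
 [ $? -ne 0 ] && exit 1
 
 if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
 umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
 fi
 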
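Review bot: Line 242 now execs `${server}` with whatever privilege set the SMF method context hands the script, so the script itself no longer records the set named is meant to run with; that intent should be pinned in the service manifest's method_context (not visible here) and stated at the call site, e.g. `# Privileges are constrained by the manifest's method_context; do not wrap named in ppriv here.`. Because `chroot_dir` is still honoured at lines 231–233 and 252–254 while proc_chroot is no longer requested explicitly, a start with a non-empty `chroot_dir` may fail at exec time if the method context does not grant that privilege — the commit message hints at this — so I'd note it next to the chroot guard, e.g. `# NOTE: chroot needs proc_chroot in the method_context; verify it is granted before enabling chroot_dir.`. The same point applies to the bind912 and bind914 named.sh hunks. The `'start'` arm this line belongs to begins before the hunk.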

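--- a/pkgsrc/net/bind912/Attic/Makefile
+++ b/pkgsrc/net/bind912/Attic/Makefile
@@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.12 2019/06/20 02:15:20 taca Exp $
+# $NetBSD: Makefile,v 1.13 2019/06/28 17:01:30 jperkin Exp $
 
 DISTNAME= bind-${BIND_VERSION}
 PKGNAME= ${DISTNAME:S/-P/pl/}
+PKGREVISION= 1
 CATEGORIES= net
 MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.isc.org/software/bind/
 COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.12
 LICENSE= mpl-2.0
 
 CONFLICTS+= host-[0-9]*
 
 MAKE_JOBS_SAFE= no
 USE_CWRAPPERS= no
 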

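--- a/pkgsrc/net/bind912/files/smf/Attic/named.sh
+++ b/pkgsrc/net/bind912/files/smf/Attic/named.sh
@@ -229,27 +229,27 @@ case "$method" in
 echo ${msg} >&2
 /usr/bin/logger -p daemon.error ${msg}
 if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
 umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
 fi
 # dns-server should be placed in maintenance state.
 exit ${SMF_EXIT_ERR_CONFIG}
 fi
 fi
 
 if [ ${result} = ${SMF_EXIT_OK} ]; then
 echo "$I: Executing: ${server} ${cmdopts}"
 # Execute named(1M) with relevant command line options.
-ppriv -s A-all -s A+basic,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot,proc_setid -e ${server} ${cmdopts}
+${server} ${cmdopts}
 result=$?
 fi
 ;;
 'stop')
 get_config
 
 smf_kill_contract ${contract} TERM 1
 [ $? -ne 0 ] && exit 1
 
 if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
 umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
 fi
 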

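--- a/pkgsrc/net/bind914/Attic/Makefile
+++ b/pkgsrc/net/bind914/Attic/Makefile
@@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.6 2019/06/20 02:16:53 taca Exp $
+# $NetBSD: Makefile,v 1.7 2019/06/28 17:01:30 jperkin Exp $
 
 DISTNAME= bind-${BIND_VERSION}
 PKGNAME= ${DISTNAME:S/-P/pl/}
+PKGREVISION= 1
 CATEGORIES= net
 MASTER_SITES= ftp://ftp.isc.org/isc/bind9/${BIND_VERSION}/
 
 MAINTAINER= pkgsrc-users@NetBSD.org
 HOMEPAGE= http://www.isc.org/software/bind/
 COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.14
 LICENSE= mpl-2.0
 
 CONFLICTS+= host-[0-9]*
 
 MAKE_JOBS_SAFE= no
 
 BIND_VERSION= 9.14.3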

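--- a/pkgsrc/net/bind914/files/smf/Attic/named.sh
+++ b/pkgsrc/net/bind914/files/smf/Attic/named.sh
@@ -229,27 +229,27 @@ case "$method" in
 echo ${msg} >&2
 /usr/bin/logger -p daemon.error ${msg}
 if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
 umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
 fi
 # dns-server should be placed in maintenance state.
 exit ${SMF_EXIT_ERR_CONFIG}
 fi
 fi
 
 if [ ${result} = ${SMF_EXIT_OK} ]; then
 echo "$I: Executing: ${server} ${cmdopts}"
 # Execute named(1M) with relevant command line options.
-ppriv -s A-all -s A+basic,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot,proc_setid -e ${server} ${cmdopts}
+${server} ${cmdopts}
 result=$?
 fi
 ;;
 'stop')
 get_config
 
 smf_kill_contract ${contract} TERM 1
 [ $? -ne 0 ] && exit 1
 
 if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
 umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
 fi
 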