authorPatrick J Volkerding <volkerdi@slackware.com>2021-09-16 02:52:54 +0000
committerEric Hameleers <alien@slackware.com>2021-09-16 09:04:01 +0200
commit9a67067c0e13f99bafe0557cc6ff14eff5fdeccd (patch)
tree7d2487ea4479f700e2761af53aca28b1e92cb66c /source/n/bind/rc.bind
parent8f7b6e56d5075e27771a02fbbcfe954c91ecb893 (diff)
downloadcurrent-20210916025254.tar.gz
Thu Sep 16 02:52:54 UTC 202120210916025254
a/etc-15.0-x86_64-17.txz: Rebuilt. Added named:named (53:53) user and group. a/kernel-firmware-20210915_198ac65-noarch-1.txz: Upgraded. a/kernel-generic-5.14.4-x86_64-1.txz: Upgraded. a/kernel-huge-5.14.4-x86_64-1.txz: Upgraded. a/kernel-modules-5.14.4-x86_64-1.txz: Upgraded. ap/sudo-1.9.8-x86_64-1.txz: Upgraded. d/kernel-headers-5.14.4-x86-1.txz: Upgraded. k/kernel-source-5.14.4-noarch-1.txz: Upgraded. kde/breeze-icons-5.85.0-noarch-2.txz: Rebuilt. Patched with upstream commit to allow using this icon theme with Xfce. l/fluidsynth-2.2.3-x86_64-1.txz: Upgraded. l/python-charset-normalizer-2.0.5-x86_64-1.txz: Upgraded. l/qca-2.3.4-x86_64-1.txz: Upgraded. n/NetworkManager-1.32.10-x86_64-3.txz: Rebuilt. Switch to dhcp=internal to avoid problems swimming upstream. For those looking for a fix to continue using dhcpcd, a PRIVSEP build variable was added to the SlackBuild, and you may produce a fully NetworkManager compatible dhcpcd package with this command: PRIVSEP=no ./dhcpcd.SlackBuild Privilege separation remains the dhcpcd package default as we don't want to weaken security for those using rc.inet1 along with dhcpcd. Some additional comments about this were added to 00-dhcp-client.conf mentioning this and the workaround of killing dhcpcd manually when resuming with the stock dhcpcd package. n/bind-9.16.21-x86_64-1.txz: Upgraded. Fixed call to rndc-confgen in the install script. Make /etc/rndc.key owned by named:named. Run named as named:named by default (configurable in /etc/default/named). rc.bind: chown /run/named and /var/named to configured user:group. Thanks to Ressy for prompting this cleanup. :) n/curl-7.79.0-x86_64-1.txz: Upgraded. This update fixes security issues: clear the leftovers pointer when sending succeeds. do not ignore --ssl-reqd. reject STARTTLS server response pipelining. 
For more information, see: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22945 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22946 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22947 (* Security fix *) n/links-2.24-x86_64-1.txz: Upgraded. n/wireguard-tools-1.0.20210914-x86_64-1.txz: Upgraded. x/libinput-1.19.0-x86_64-1.txz: Upgraded. xap/gimp-2.10.28-x86_64-1.txz: Upgraded. isolinux/initrd.img: Rebuilt. kernels/*: Upgraded. usb-and-pxe-installers/usbboot.img: Rebuilt.
Diffstat (limited to 'source/n/bind/rc.bind')
-rw-r--r--source/n/bind/rc.bind58
1 files changed, 17 insertions, 41 deletions
diff --git a/source/n/bind/rc.bind b/source/n/bind/rc.bind
index cab75163..7886a254 100644
--- a/source/n/bind/rc.bind
+++ b/source/n/bind/rc.bind
@@ -1,19 +1,8 @@
#!/bin/sh
# Start/stop/restart the BIND name server daemon (named).
-# Start BIND. In the past it was more secure to run BIND as a non-root
-# user (for example, with '-u daemon'), but the modern version of BIND
-# knows how to use the kernel's capability mechanism to drop all root
-# privileges except the ability to bind() to a privileged port and set
-# process resource limits, so running as a non-root user is not needed.
-# But if you want to run as a non-root user anyway, the command options
-# can be set like this in /etc/default/named:
-# NAMED_OPTIONS="-u daemon"
-# So you will not have to edit this script.
-#
-# Please note that if you run BIND as a non-root user, your files in
-# /var/named may need to be chowned to this user or else named will
-# refuse to start.
+# Start BIND. By default this will run with user "named". If you'd like to
+# change this or other options, see: /etc/default/named
# You might also consider running BIND in a "chroot jail",
# a discussion of which may be found in
@@ -27,6 +16,17 @@
if [ -f /etc/default/named ] ; then . /etc/default/named ; fi
if [ -f /etc/default/rndc ] ; then . /etc/default/rndc ; fi
+# In case /etc/default/named was missing:
+if [ -z "$BIND_USER" ]; then
+ BIND_USER="named"
+fi
+if [ -z "$BIND_GROUP" ]; then
+ BIND_GROUP="named"
+fi
+if [ -z "$BIND_OPTIONS" ]; then
+ BIND_OPTIONS="-u $BIND_USER"
+fi
+
# Sanity check. If /usr/sbin/named is missing then it
# doesn't make much sense to try to run this script:
if [ ! -x /usr/sbin/named ]; then
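Review bot: The `BIND_OPTIONS` default set here (`BIND_OPTIONS="-u $BIND_USER"`) is not what the visible start line in the last hunk passes to the daemon, which still echoes and presumably runs `/usr/sbin/named $NAMED_OPTIONS`. Unless /etc/default/named or code outside the hunks maps one variable to the other, the "missing defaults file" case this block is meant to cover starts named without `-u named` while /var/run/named and /var/named have just been chowned to `named:named`, which is the opposite of the intent stated in the header comment. Either the start line should use `$BIND_OPTIONS` or this block should default `NAMED_OPTIONS` as well, e.g. `if [ -z "$NAMED_OPTIONS" ]; then NAMED_OPTIONS="$BIND_OPTIONS"; fi`. The `-z` tests with quoted expansions are otherwise fine for a POSIX sh script.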
@@ -34,40 +34,16 @@ if [ ! -x /usr/sbin/named ]; then
exit 1
fi
-# Function to find the user BIND is running as in $NAMED_OPTIONS:
-find_bind_user() {
- if echo $NAMED_OPTIONS | grep -wq "\-u" ; then
- unset BIND_USER USER_FOUND
- echo $NAMED_OPTIONS | tr ' ' '\n' | while read element ; do
- if [ "$USER_FOUND" = "true" ]; then
- BIND_USER="$element"
- echo $BIND_USER
- break
- elif [ "$element" = "-u" ]; then
- USER_FOUND="true"
- fi
- done
- else
- echo "root"
- fi
-}
-
# Start BIND. As many times as you like. ;-)
# Seriously, don't run "rc.bind start" if BIND is already
# running or you'll get more than one copy running.
bind_start() {
# Make sure /var/run/named exists:
mkdir -p /var/run/named
- # If we are running as a non-root user, we'll need to be sure that
- # /var/run/named is chowned properly to that user. Your files in
- # /var/named may need to be chowned as well, but that will be up to
- # the sysadmin to do.
- BIND_USER="$(find_bind_user)"
- if [ ! "$BIND_USER" = "root" ]; then
- chown -R $BIND_USER /var/run/named
- else # prevent error if switching back to running as root:
- chown -R root /var/run/named
- fi
+ # Make sure that /var/run/named has correct ownership:
+ chown -R ${BIND_USER}:${BIND_GROUP} /var/run/named
+ # Make sure that /var/named has correct ownership:
+ chown -R ${BIND_USER}:${BIND_GROUP} /var/named
# Start named:
if [ -x /usr/sbin/named ]; then
echo "Starting BIND: /usr/sbin/named $NAMED_OPTIONS"