From 98c97b89369255f8456c629a783747168ea07b84 Mon Sep 17 00:00:00 2001
Message-Id: <98c97b89369255f8456c629a783747168ea07b84.1592299526.git.hahn@univention.de>
From: Philipp Hahn
Date: Tue, 16 Jun 2020 11:01:14 +0200
Subject: [PATCH] Bug #51421 bind9: Fix permissions
Organization: Univention GmbH, Bremen, Germany

Don't play with /etc/bind/rndc.key - should be owned by root:bind with 0640.
Create /run/named/ through .tmpfile - also /var/run/ is deprecated and a symbolic link to /run/
---
 services/univention-bind/debian/rules | 8 +++++++-
 .../system => debian}/univention-bind-ldap.service | 0
 services/univention-bind/debian/univention-bind.install | 1 -
 services/univention-bind/debian/univention-bind.postinst | 6 ++++++
 services/univention-bind/debian/univention-bind.tmpfile | 1 +
 services/univention-bind/usr/lib/univention-bind/ldap | 9 ---------
 services/univention-bind/usr/lib/univention-bind/proxy | 9 ---------
 services/univention-bind/usr/lib/univention-bind/samba4 | 9 ---------
 8 files changed, 14 insertions(+), 29 deletions(-)
 rename services/univention-bind/{lib/systemd/system => debian}/univention-bind-ldap.service (100%)
 create mode 100644 services/univention-bind/debian/univention-bind.tmpfile

diff --git a/services/univention-bind/debian/rules b/services/univention-bind/debian/rules
index 9040456531..fd6f7cbccc 100755
--- a/services/univention-bind/debian/rules
+++ b/services/univention-bind/debian/rules
@@ -34,5 +34,11 @@ override_dh_auto_install:
 dh_auto_install
 univention-install-config-registry
 
+override_dh_systemd_enable:
+ dh_systemd_enable --name=univention-bind-ldap --no-enable
+
+override_dh_systemd_start:
+ dh_systemd_start --no-start --no-restart-on-upgrade
+
 %:
- dh $@
+ dh $@ --with systemd
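Review bot: The two new debhelper overrides carry no comment, so nothing in `debian/rules` explains why `univention-bind-ldap.service` is deliberately installed but neither enabled (`--no-enable`) nor started or restarted on upgrade (`--no-start --no-restart-on-upgrade`); a later clean-up could drop them and have dpkg start a unit that is presumably meant to be driven by the UCS join/UCR logic instead — which this hunk alone cannot confirm. I would put a comment above `override_dh_systemd_enable:` such as `# univention-bind-ldap.service is shipped disabled on purpose: it is enabled/started by UCS (join scripts / UCR), not by dpkg (Bug #51421)`, with the owner corrected once verified. Separately, `dh $@ --with systemd` is only required below debhelper compat 10; if `debian/compat` is 10 or higher the systemd sequence is loaded automatically and newer debhelper warns about the flag, so the compat level is worth checking before keeping it.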
diff --git a/services/univention-bind/lib/systemd/system/univention-bind-ldap.service b/services/univention-bind/debian/univention-bind-ldap.service
similarity index 100%
rename from services/univention-bind/lib/systemd/system/univention-bind-ldap.service
rename to services/univention-bind/debian/univention-bind-ldap.service
diff --git a/services/univention-bind/debian/univention-bind.install b/services/univention-bind/debian/univention-bind.install
index 737872833e..885f1eb9f8 100644
--- a/services/univention-bind/debian/univention-bind.install
+++ b/services/univention-bind/debian/univention-bind.install
@@ -4,4 +4,3 @@ etc/bind/db.root.fake etc/bind
 90univention-bind-post.inst usr/lib/univention-install
 usr/lib/univention-server/server_password_change.d/univention-bind usr/lib/univention-server/server_password_change.d/
 usr/lib/univention-bind
-lib/systemd/system
diff --git a/services/univention-bind/debian/univention-bind.postinst b/services/univention-bind/debian/univention-bind.postinst
index b9e0ec92ae..6312914919 100644
--- a/services/univention-bind/debian/univention-bind.postinst
+++ b/services/univention-bind/debian/univention-bind.postinst
@@ -38,6 +38,12 @@ if [ "$1" = "configure" ] && dpkg --compare-versions "$2" lt 14.0.0-2; then
 --package univention-bind \
 --divert /lib/systemd/system/bind9.service.debian \
 --rename --remove /lib/systemd/system/bind9.service
+
+ if [ -f /etc/bind/rndc.key ]
+ then
+ chown root:bind /etc/bind/rndc.key
+ chmod 0640 /etc/bind/rndc.key
+ fi
 fi
 
 #DEBHELPER#
diff --git a/services/univention-bind/debian/univention-bind.tmpfile b/services/univention-bind/debian/univention-bind.tmpfile
new file mode 100644
index 0000000000..2d40e57f3c
--- /dev/null
+++ b/services/univention-bind/debian/univention-bind.tmpfile
@@ -0,0 +1 @@
+d /run/named 0775 root bind 10d -
diff --git a/services/univention-bind/usr/lib/univention-bind/ldap b/services/univention-bind/usr/lib/univention-bind/ldap
index cdc21b1fd8..c0b8fdb263 100755
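Review bot: The new `chown root:bind` / `chmod 0640` repair of `/etc/bind/rndc.key` is placed inside the pre-existing `dpkg --compare-versions "$2" lt 14.0.0-2` branch (the enclosing `if` opens above this hunk, as the `@@` header shows), so it only runs when upgrading from a version older than 14.0.0-2. If this fix ships in a later version — which reusing the old threshold suggests — hosts already at 14.0.0-2 or newer have been running the old `ldap`/`proxy`/`samba4` start scripts that re-chowned the key to `bind:bind` or `root:root` on every start, and this postinst will never correct them. The desired state is idempotent, so the guard should be the version that introduces the change, or simply unconditional on configure after the existing block: `if [ "$1" = "configure" ] && [ -f /etc/bind/rndc.key ]; then chown root:bind /etc/bind/rndc.key; chmod 0640 /etc/bind/rndc.key; fi`. A one-line comment stating why the key must be `root:bind 0640` (root owns it, the `bind` group reads it, world gets nothing) would also help the next reader, since the removed start-script comments were the only place that rationale lived.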
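Review bot: The age field `10d` in `d /run/named 0775 root bind 10d -` instructs `systemd-tmpfiles --clean` (run daily by `systemd-tmpfiles-clean.timer`) to delete entries under `/run/named` whose atime, mtime and ctime are all older than ten days, which on a host where named has been running longer than that is likely to hit its pid file and whatever else named keeps there (e.g. a session key), unless something refreshes their timestamps — nothing in this patch shows that it does. The removed `mkdir -p`/`chmod 775`/`chown root:bind` in the start scripts only created the directory and never aged its contents, so this is a behaviour change beyond the stated `/var/run` → `/run` move. For a daemon runtime directory the age should be left unset: `d /run/named 0775 root bind - -`. The `0775 root bind` ownership itself reproduces what the start scripts did, so that part is a faithful migration.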
--- a/services/univention-bind/usr/lib/univention-bind/ldap
+++ b/services/univention-bind/usr/lib/univention-bind/ldap
@@ -29,19 +29,10 @@ case "$1" in
 start)
- # dirs under /var/run can go away on reboots.
- mkdir -p /var/run/named
- chmod 775 /var/run/named
- chown root:bind /var/run/named >/dev/null 2>&1 || true
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
 debug_level="$(ucr get dns/debug/level)"
 test -z $debug_level && debug_level=0
- # Give permissions back to bind,
- # see /usr/lib/univention-bind/samba4
- chown bind:bind /etc/bind/rndc.key
-
 port="$(ucr get dns/master/port)"
 OPTS="-c /etc/bind/named.conf -p $port -u bind -f -d $debug_level"
diff --git a/services/univention-bind/usr/lib/univention-bind/proxy b/services/univention-bind/usr/lib/univention-bind/proxy
index 05c44c9a6b..a38376358b 100755
--- a/services/univention-bind/usr/lib/univention-bind/proxy
+++ b/services/univention-bind/usr/lib/univention-bind/proxy
@@ -29,19 +29,10 @@ case "$1" in
 start)
- # dirs under /var/run can go away on reboots.
- mkdir -p /var/run/named
- chmod 775 /var/run/named
- chown root:bind /var/run/named >/dev/null 2>&1 || true
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
 debug_level="$(ucr get dns/debug/level)"
 test -z $debug_level && debug_level=0
- # Give permissions back to bind,
- # see /usr/lib/univention-bind/samba4
- chown bind:bind /etc/bind/rndc.key
-
 OPTS="-c /etc/bind/named.conf.proxy -u bind -f -d $debug_level"
 max_socks="$(ucr get dns/max-socks)"
diff --git a/services/univention-bind/usr/lib/univention-bind/samba4 b/services/univention-bind/usr/lib/univention-bind/samba4
index 1d99df9ffb..de2e6b51db 100755
--- a/services/univention-bind/usr/lib/univention-bind/samba4
+++ b/services/univention-bind/usr/lib/univention-bind/samba4
@@ -29,19 +29,10 @@ case "$1" in
 start)
- # dirs under /var/run can go away on reboots.
- mkdir -p /var/run/named
- chmod 775 /var/run/named
- chown root:bind /var/run/named >/dev/null 2>&1 || true
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin
 debug_level="$(ucr get dns/debug/level)"
 test -z $debug_level && debug_level=0
- # bind is running as root when using s4 as backend.
- # To open the rndc port, the rndc.key must be owned by root.
- chown root:root /etc/bind/rndc.key
-
 if [ "$(uname -m)" = "x86_64" ]; then
 export LDB_MODULES_PATH=/usr/lib/x86_64-linux-gnu/ldb/
 else
-- 
2.20.1