Univention Bugzilla – Attachment 10392 Details for
Bug 51421
univention-bind prevents bind start
[patch]
Fix permission issues
0001-Bug-51421-bind9-Fix-permissions.patch (text/plain), 6.10 KB, created by
Philipp Hahn
on 2020-06-16 11:25:48 CEST
>From 98c97b89369255f8456c629a783747168ea07b84 Mon Sep 17 00:00:00 2001 >Message-Id: <98c97b89369255f8456c629a783747168ea07b84.1592299526.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Tue, 16 Jun 2020 11:01:14 +0200 >Subject: [PATCH] Bug #51421 bind9: Fix permissions >Organization: Univention GmbH, Bremen, Germany > >Don't play with /etc/bind/rndc.key - should be owned by root:bind with >0640. > >Create /run/named/ through .tmpfile - also /var/run/ is deprecated and a >symbolic link to /run/ >--- > services/univention-bind/debian/rules | 8 +++++++- > .../system => debian}/univention-bind-ldap.service | 0 > services/univention-bind/debian/univention-bind.install | 1 - > services/univention-bind/debian/univention-bind.postinst | 6 ++++++ > services/univention-bind/debian/univention-bind.tmpfile | 1 + > services/univention-bind/usr/lib/univention-bind/ldap | 9 --------- > services/univention-bind/usr/lib/univention-bind/proxy | 9 --------- > services/univention-bind/usr/lib/univention-bind/samba4 | 9 --------- > 8 files changed, 14 insertions(+), 29 deletions(-) > rename services/univention-bind/{lib/systemd/system => debian}/univention-bind-ldap.service (100%) > create mode 100644 services/univention-bind/debian/univention-bind.tmpfile > >diff --git a/services/univention-bind/debian/rules b/services/univention-bind/debian/rules >index 9040456531..fd6f7cbccc 100755 >--- a/services/univention-bind/debian/rules >+++ b/services/univention-bind/debian/rules >@@ -34,5 +34,11 @@ override_dh_auto_install: > dh_auto_install > univention-install-config-registry > >+override_dh_systemd_enable: >+ dh_systemd_enable --name=univention-bind-ldap --no-enable >+ >+override_dh_systemd_start: >+ dh_systemd_start --no-start --no-restart-on-upgrade >+ > %: >- dh $@ >+ dh $@ --with systemd 
>diff --git a/services/univention-bind/lib/systemd/system/univention-bind-ldap.service b/services/univention-bind/debian/univention-bind-ldap.service >similarity index 100% >rename from services/univention-bind/lib/systemd/system/univention-bind-ldap.service >rename to services/univention-bind/debian/univention-bind-ldap.service >diff --git a/services/univention-bind/debian/univention-bind.install b/services/univention-bind/debian/univention-bind.install >index 737872833e..885f1eb9f8 100644 >--- a/services/univention-bind/debian/univention-bind.install >+++ b/services/univention-bind/debian/univention-bind.install >@@ -4,4 +4,3 @@ etc/bind/db.root.fake etc/bind > 90univention-bind-post.inst usr/lib/univention-install > usr/lib/univention-server/server_password_change.d/univention-bind usr/lib/univention-server/server_password_change.d/ > usr/lib/univention-bind >-lib/systemd/system >diff --git a/services/univention-bind/debian/univention-bind.postinst b/services/univention-bind/debian/univention-bind.postinst >index b9e0ec92ae..6312914919 100644 >--- a/services/univention-bind/debian/univention-bind.postinst >+++ b/services/univention-bind/debian/univention-bind.postinst >@@ -38,6 +38,12 @@ if [ "$1" = "configure" ] && dpkg --compare-versions "$2" lt 14.0.0-2; then > --package univention-bind \ > --divert /lib/systemd/system/bind9.service.debian \ > --rename --remove /lib/systemd/system/bind9.service >+ >+ if [ -f /etc/bind/rndc.key ] >+ then >+ chown root:bind /etc/bind/rndc.key >+ chmod 0640 /etc/bind/rndc.key >+ fi > fi > > #DEBHELPER# >diff --git a/services/univention-bind/debian/univention-bind.tmpfile b/services/univention-bind/debian/univention-bind.tmpfile >new file mode 100644 >index 0000000000..2d40e57f3c >--- /dev/null >+++ b/services/univention-bind/debian/univention-bind.tmpfile >@@ -0,0 +1 @@ >+d /run/named 0775 root bind 10d - 
>diff --git a/services/univention-bind/usr/lib/univention-bind/ldap b/services/univention-bind/usr/lib/univention-bind/ldap >index cdc21b1fd8..c0b8fdb263 100755 >--- a/services/univention-bind/usr/lib/univention-bind/ldap >+++ b/services/univention-bind/usr/lib/univention-bind/ldap >@@ -29,19 +29,10 @@ > > case "$1" in > start) >- # dirs under /var/run can go away on reboots. >- mkdir -p /var/run/named >- chmod 775 /var/run/named >- chown root:bind /var/run/named >/dev/null 2>&1 || true >- > PATH=/sbin:/bin:/usr/sbin:/usr/bin > debug_level="$(ucr get dns/debug/level)" > test -z $debug_level && debug_level=0 > >- # Give permissions back to bind, >- # see /usr/lib/univention-bind/samba4 >- chown bind:bind /etc/bind/rndc.key >- > port="$(ucr get dns/master/port)" > > OPTS="-c /etc/bind/named.conf -p $port -u bind -f -d $debug_level" >diff --git a/services/univention-bind/usr/lib/univention-bind/proxy b/services/univention-bind/usr/lib/univention-bind/proxy >index 05c44c9a6b..a38376358b 100755 >--- a/services/univention-bind/usr/lib/univention-bind/proxy >+++ b/services/univention-bind/usr/lib/univention-bind/proxy >@@ -29,19 +29,10 @@ > > case "$1" in > start) >- # dirs under /var/run can go away on reboots. >- mkdir -p /var/run/named >- chmod 775 /var/run/named >- chown root:bind /var/run/named >/dev/null 2>&1 || true >- > PATH=/sbin:/bin:/usr/sbin:/usr/bin > debug_level="$(ucr get dns/debug/level)" > test -z $debug_level && debug_level=0 > >- # Give permissions back to bind, >- # see /usr/lib/univention-bind/samba4 >- chown bind:bind /etc/bind/rndc.key >- > OPTS="-c /etc/bind/named.conf.proxy -u bind -f -d $debug_level" > > max_socks="$(ucr get dns/max-socks)" >diff --git a/services/univention-bind/usr/lib/univention-bind/samba4 b/services/univention-bind/usr/lib/univention-bind/samba4 >index 1d99df9ffb..de2e6b51db 100755 >--- a/services/univention-bind/usr/lib/univention-bind/samba4 >+++ b/services/univention-bind/usr/lib/univention-bind/samba4 
>@@ -29,19 +29,10 @@ > > case "$1" in > start) >- # dirs under /var/run can go away on reboots. >- mkdir -p /var/run/named >- chmod 775 /var/run/named >- chown root:bind /var/run/named >/dev/null 2>&1 || true >- > PATH=/sbin:/bin:/usr/sbin:/usr/bin > debug_level="$(ucr get dns/debug/level)" > test -z $debug_level && debug_level=0 > >- # bind is running as root when using s4 as backend. >- # To open the rndc port, the rndc.key must be owned by root. >- chown root:root /etc/bind/rndc.key >- > if [ "$(uname -m)" = "x86_64" ]; then > export LDB_MODULES_PATH=/usr/lib/x86_64-linux-gnu/ldb/ > else >-- >2.20.1 >
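Review bot: In debian/rules, the override `dh_systemd_enable --name=univention-bind-ldap --no-enable` limits the helper to files named for that unit, so please confirm that the new debian/univention-bind.tmpfile is still picked up with `--name` set. The three start scripts no longer create the runtime directory themselves, so if the built package carries no tmpfiles.d entry for /run/named, nothing creates it after a reboot. Checking the contents of the built .deb for that entry would settle it.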
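Review bot: In univention-bind.postinst, the new `chown root:bind` / `chmod 0640` block sits inside the existing `dpkg --compare-versions "$2" lt 14.0.0-2` guard, so it runs only on fresh installs and on upgrades from versions older than 14.0.0-2. A host already at or above that version whose /etc/bind/rndc.key was last set to `root:root` by the old samba4 start script, or to `bind:bind` by the ldap and proxy scripts, keeps that ownership, because the start scripts no longer touch the file. Suggest moving the block into its own guard keyed to the version that ships this change, or running it unconditionally on `configure`, since both commands are idempotent.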
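Review bot: In univention-bind.tmpfile, the age field `10d` in `d /run/named 0775 root bind 10d -` lets the periodic systemd-tmpfiles cleanup delete files in /run/named that have not been touched for ten days, which on a long-running named can include its PID file and session key. The removed shell code only created the directory and never aged its contents, so `-` in the age field would preserve the previous behaviour. Separately, mode 0775 keeps the directory group-writable for bind as before; a one-line comment in the commit message on why group write is needed would help a later reader judging the permissions.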