From f68c140d43666100be56db1aebb46be720dac2ab Mon Sep 17 00:00:00 2001
Message-Id:
From: Philipp Hahn
Date: Thu, 15 Jan 2015 14:26:58 +0100
Subject: [PATCH] Bug #37553: Add ACL list to prevent Open DNS Resolver
Organization: Univention GmbH, Bremen, Germany

Add listener to track networks.
---
 .../ucs-4.0-0/services/univention-bind/bind-acl.py | 94 ++++++++++++++++++++++
 .../conffiles/etc/bind/named.conf.proxy | 15 ++--
 .../conffiles/etc/bind/named.conf.samba4 | 16 ++--
 .../services/univention-bind/debian/changelog | 6 ++
 .../univention-bind/debian/univention-bind.dirs | 5 --
 .../univention-bind/debian/univention-bind.install | 1 +
 .../debian/univention-bind.postinst | 11 +--
 7 files changed, 126 insertions(+), 22 deletions(-)
 create mode 100755 branches/ucs-4.0/ucs-4.0-0/services/univention-bind/bind-acl.py
diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/bind-acl.py b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/bind-acl.py
new file mode 100755
index 0000000..7f0799d
--- /dev/null
+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/bind-acl.py
@@ -0,0 +1,94 @@
+#!/usr/bin/python2.7
+# -*- coding: utf-8 -*-
+"""
+Univention BIND listener script
+"""
+# Copyright 2015 Univention GmbH
+#
+# http://www.univention.de/
+#
+# All rights reserved.
+#
+# The source code of this program is made available
+# under the terms of the GNU Affero General Public License version 3
+# (GNU AGPL V3) as published by the Free Software Foundation.
+#
+# Binary versions of this program provided by Univention to you as
+# well as other copyrighted, protected or trademarked materials like
+# Logos, graphics, fonts, specific documentations and configurations,
+# cryptographic keys etc. are subject to a license agreement between
+# you and Univention and not subject to the GNU AGPL V3.
+#
+# In the case you use this program under the terms of the GNU AGPL V3,
+# the program is provided in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public
+# License with the Debian GNU/Linux or Univention distribution in file
+# /usr/share/common-licenses/AGPL-3; if not, see
+# .
+
+__package__ = '' # workaround for PEP 366
+import ldap
+import listener
+import ipaddr
+import subprocess
+
+name = 'bind-acl'
+description = 'Update BIND ACLs'
+filter = '(objectClass=univentionNetworkClass)'
+attributes = ['univentionNetmask', 'univentionNetwork']
+
+ACL_CONF_FILE = "/var/lib/bind/network-acls.conf"
+RNDC_BIN = "/usr/sbin/rndc"
+
+conf = {
+ 'ldapserver': None,
+ 'ldapport': 7389,
+ 'basedn': None,
+ 'binddn': None,
+ 'bindpw': None,
+}
+
+
+def setdata(key, value):
+ conf[key] = value
+
+
+def handler(dn, new, old):
+ ldap_uri = "ldap://%(ldapserver)s:%(ldapport)d" % conf
+ ldap_con = ldap.initialize(ldap_uri)
+ ldap_con.bind_s(conf['binddn'], conf['bindpw'])
+ networks = set()
+ for dn, values in ldap_con.search_s(conf['basedn'], ldap.SCOPE_SUBTREE, filter, attributes):
+ network = ipaddr.IPNetwork('%s/%s' % (
+ values['univentionNetwork'][0],
+ values['univentionNetmask'][0],
+ ))
+ networks.add(network.masked())
+
+ listener.setuid(0)
+ try:
+ with open(ACL_CONF_FILE, 'w') as acl:
+ print >> acl, '# THIS FILE IS GENERATED BY bind-acl.py'
+ print >> acl, 'acl ucs_networks {'
+ print >> acl, '\tlocalhost;'
+ for network in networks:
+ print >> acl, '\t%s;' % (network,)
+ print >> acl, '};'
+ subprocess.call(('rndc', '-p', '953', 'reconfig'))
+ finally:
+ listener.unsetuid()
+
+
+if __name__ == '__main__':
+ from univention.config_registry import ConfigRegistry
+ ucr = ConfigRegistry()
+ ucr.load()
+ setdata('ldapserver', ucr['ldap/server/name'])
+ setdata('basedn', ucr['ldap/base'])
+ setdata('binddn', ucr['ldap/hostdn'])
+ setdata('bindpw', open('/etc/machine.secret', 'r').read())
+ handler('', None, None)
diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.proxy b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.proxy
index 45e443a..d3063f1 100644
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.proxy
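Review bot: `subprocess.call(('rndc', '-p', '953', 'reconfig'))` looks `rndc` up via PATH while the process is root after `listener.setuid(0)`, ignores the exit status, and leaves the `RNDC_BIN` constant defined above unused; `rc = subprocess.call((RNDC_BIN, '-p', '953', 'reconfig'))` with a log line on non-zero `rc` would leave a trace when named keeps serving the old ACL. Indentation is lost in this listing, but if that call sits inside the `with open(ACL_CONF_FILE, 'w')` block the file is not yet flushed when rndc reads it, so it belongs after the `with`; rewriting the file in place also lets a concurrent reload see a truncated `acl ucs_networks` block, which writing to a temporary file and renaming it over `ACL_CONF_FILE` avoids. The simple `bind_s` over `ldap://` sends the machine secret unencrypted to `ldapserver`, so `ldap_con.start_tls_s()` before the bind and `ldap_con.unbind_s()` after the search are advisable. One network object with an unparsable `univentionNetwork`/`univentionNetmask` makes `ipaddr.IPNetwork` raise and aborts the handler before anything is written, so the valid entries are not regenerated either; catching `ValueError` per entry and logging it keeps the ACL current. The `for dn, values in ...` loop also shadows the handler's `dn` parameter, which is harmless here but confusing.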
+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.proxy
@@ -1,15 +1,19 @@
 @%@UCRWARNING=# @%@
-controls{
+controls {
 inet 127.0.0.1 allow { @%@dns/master/address@%@; };
-};
+};
+
+include "/var/lib/bind/network-acls.conf";
+
 options {
- directory "/var/cache/bind";
+ directory "/var/cache/bind";
 @!@
-dns_allow_query = configRegistry.get('dns/allow/query')
-dns_allow_query_cache = configRegistry.get('dns/allow/query/cache')
+NETWORK_ACL = 'ucs_networks'
+dns_allow_query = configRegistry.get('dns/allow/query', NETWORK_ACL)
+dns_allow_query_cache = configRegistry.get('dns/allow/query/cache', NETWORK_ACL)
 dns_allow_transfer = configRegistry.get('dns/allow/transfer')
 if dns_allow_query:
@@ -25,6 +29,7 @@ if configRegistry.is_true('dns/ipv6', True ):
 val = 'any'
 print '\tlisten-on-v6 { %s; };' % val
 @!@};
+
 logging {
 category lame-servers { null; };
 category default{ default_syslog; };
diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.samba4 b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.samba4
index 1aa5641..90a1bb5 100644
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.samba4
+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/conffiles/etc/bind/named.conf.samba4
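Review bot: The fallback in `configRegistry.get('dns/allow/query', NETWORK_ACL)` can only take effect when the UCR key is unset, but the postinst in this same patch seeds `dns/allow/query?ucs_networks` and `dns/allow/query/cache?ucs_networks` on every install, so the literal `ucs_networks` now has to be kept in sync by hand across this template, the identical hunk in named.conf.samba4, the postinst and the `acl ucs_networks {` line written by bind-acl.py. Nothing in the template says where the ACL referenced by the new `include "/var/lib/bind/network-acls.conf";` comes from; a comment above it such as `# ACL "ucs_networks" is generated by the bind-acl.py listener from univentionNetworkClass objects; do not edit by hand` would document that (the `@%@UCRWARNING=# @%@` line in this hunk already uses `#` as the comment prefix for this file). The code that actually prints the `allow-query` lines follows `if dns_allow_query:` outside the hunk.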
@@ -1,14 +1,18 @@
 @%@UCRWARNING=# @%@
-controls{
+controls {
 inet 127.0.0.1 allow { @%@dns/master/address@%@; };
-};
+};
+
+include "/var/lib/bind/network-acls.conf";
+
 options {
- tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
+ tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
 @!@
-dns_allow_query = configRegistry.get('dns/allow/query')
-dns_allow_query_cache = configRegistry.get('dns/allow/query/cache')
+NETWORK_ACL = 'ucs_networks'
+dns_allow_query = configRegistry.get('dns/allow/query', NETWORK_ACL)
+dns_allow_query_cache = configRegistry.get('dns/allow/query/cache', NETWORK_ACL)
 dns_allow_transfer = configRegistry.get('dns/allow/transfer')
 if dns_allow_query:
@@ -32,7 +36,6 @@ logging {
 };
 };
-
 @!@
 if configRegistry.get('dns/forwarder1') or configRegistry.get('dns/forwarder2') or configRegistry.get('dns/forwarder3'):
 print '\n# Found a forwarder in ucr variables, using forwarder in zone ".".'
@@ -100,4 +103,3 @@ print '''dlz "samba4.zone" {
 @!@
 include "/etc/bind/local.conf.samba4";
-
diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/changelog b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/changelog
index f850417..cf16baa 100644
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/changelog
+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/changelog
@@ -1,3 +1,9 @@
+univention-bind (9.0.5-1) unstable; urgency=low
+
+ * Bug #37553: Add ACL list to prevent Open DNS Resolver
+
+ -- Philipp Hahn Thu, 15 Jan 2015 14:22:30 +0100
+
 univention-bind (9.0.4-1) unstable; urgency=low
 * If no dns/forwarder is set, use the nameserver variables as forwarder
diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.dirs b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.dirs
index 854e100..20178c7 100644
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.dirs
+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.dirs
@@ -1,9 +1,4 @@
-usr/lib/univention-directory-listener/system
-usr/lib/univention-install/
-etc/bind
 etc/runit/univention-bind
 etc/runit/univention-bind-proxy
 etc/runit/univention-bind-samba4
-etc/init.d
-usr/share/univention-bind/
 var/cache/univention-bind-proxy
diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.install b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.install
index dc15c58..b3ac07b 100644
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.install
+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.install
@@ -1,4 +1,5 @@
 bind.py usr/lib/univention-directory-listener/system
+bind-acl.py usr/lib/univention-directory-listener/system/
 05univention-bind.inst usr/lib/univention-install
 etc/bind/db.root.fake etc/bind
 90univention-bind-post.inst usr/lib/univention-install
diff --git a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.postinst b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.postinst
index 7382a14..d935650 100644
--- a/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.postinst
+++ b/branches/ucs-4.0/ucs-4.0-0/services/univention-bind/debian/univention-bind.postinst
@@ -32,17 +32,17 @@
 . /usr/share/univention-lib/all.sh
+touch /var/lib/bind/network-acls.conf
+
 #DEBHELPER#
 # configure firewall
 ucr set security/packetfilter/package/univention-bind/udp/53/all=ACCEPT \
 security/packetfilter/package/univention-bind/tcp/53/all=ACCEPT \
- security/packetfilter/package/univention-bind/udp/7777/all=ACCEPT \
- security/packetfilter/package/univention-bind/tcp/7777/all=ACCEPT \
 security/packetfilter/package/univention-bind/udp/53/all/en="DNS proxy" \
 security/packetfilter/package/univention-bind/tcp/53/all/en="DNS proxy" \
- security/packetfilter/package/univention-bind/udp/7777/all/en="DNS server" \
- security/packetfilter/package/univention-bind/tcp/7777/all/en="DNS server"
+ security/packetfilter/package/univention-bind/udp/7777/all/en="Backend DNS server" \
+ security/packetfilter/package/univention-bind/tcp/7777/all/en="Backend DNS server"
 [ -x "/etc/init.d/univention-firewall" ] && invoke-rc.d univention-firewall restart
 chmod g+w /etc/bind
@@ -51,7 +51,8 @@ chmod g+w /etc/bind/*
 univention-config-registry set 'bind/autostart?yes' \
 'dns/ipv6?yes' \
 'nameserver/external?false' \
- 'dns/allow/query?any' \
+ 'dns/allow/query?ucs_networks' \
+ 'dns/allow/query/cache?ucs_networks' \
 'dns/allow/transfer?any' \
 'dns/dlz/debug/level?0' \
 'dns/debug/level?0'
-- 
1.9.1
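Review bot: `touch /var/lib/bind/network-acls.conf` only creates an empty file, yet both templates in this patch now fall back to `ucs_networks` for `allow-query`/`allow-query-cache`, and BIND rejects a configuration that references an ACL name that is not defined, so on a fresh installation named cannot load its config until the listener has written the file — unless a join script not shown here runs bind-acl.py before named starts. Seeding a minimal definition instead, e.g. `[ -s /var/lib/bind/network-acls.conf ] || printf 'acl ucs_networks {\n\tlocalhost;\n};\n' > /var/lib/bind/network-acls.conf`, keeps the config loadable and fails closed (localhost only) until the real network list arrives; the file should also be readable by the user named runs as, which `touch` as root with the default umask presumably gives but the script does not state. The enclosing postinst continues outside the hunk.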
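Review bot: `'dns/allow/query?ucs_networks'` only applies when the key is unset, and the line it replaces seeded `dns/allow/query?any` on every existing installation, so upgraded systems keep `any` here; as far as I can tell the resolver is then closed on upgrade only through the new `dns/allow/query/cache?ucs_networks` default, which in turn is silently skipped wherever an administrator had already set `dns/allow/query/cache` explicitly. That difference between fresh and upgraded systems deserves a comment above the `univention-config-registry set` block, e.g. `# dns/allow/query stays 'any' on upgrades (old default); recursion is restricted via dns/allow/query/cache`, and the changelog entry could say the same so administrators know which key to check.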