diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2021-09-16 02:52:54 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2021-09-16 09:04:01 +0200 |
commit | 9a67067c0e13f99bafe0557cc6ff14eff5fdeccd (patch) | |
tree | 7d2487ea4479f700e2761af53aca28b1e92cb66c /source/n/bind/rc.bind | |
parent | 8f7b6e56d5075e27771a02fbbcfe954c91ecb893 (diff) | |
download | current-9a67067c0e13f99bafe0557cc6ff14eff5fdeccd.tar.gz current-9a67067c0e13f99bafe0557cc6ff14eff5fdeccd.tar.xz |
Thu Sep 16 02:52:54 UTC 202120210916025254
a/etc-15.0-x86_64-17.txz: Rebuilt.
Added named:named (53:53) user and group.
a/kernel-firmware-20210915_198ac65-noarch-1.txz: Upgraded.
a/kernel-generic-5.14.4-x86_64-1.txz: Upgraded.
a/kernel-huge-5.14.4-x86_64-1.txz: Upgraded.
a/kernel-modules-5.14.4-x86_64-1.txz: Upgraded.
ap/sudo-1.9.8-x86_64-1.txz: Upgraded.
d/kernel-headers-5.14.4-x86-1.txz: Upgraded.
k/kernel-source-5.14.4-noarch-1.txz: Upgraded.
kde/breeze-icons-5.85.0-noarch-2.txz: Rebuilt.
Patched with upstream commit to allow using this icon theme with Xfce.
l/fluidsynth-2.2.3-x86_64-1.txz: Upgraded.
l/python-charset-normalizer-2.0.5-x86_64-1.txz: Upgraded.
l/qca-2.3.4-x86_64-1.txz: Upgraded.
n/NetworkManager-1.32.10-x86_64-3.txz: Rebuilt.
Switch to dhcp=internal to avoid problems swimming upstream.
For those looking for a fix to continue using dhcpcd, a PRIVSEP build
variable was added to the SlackBuild, and you may produce a fully
NetworkManager compatible dhcpcd package with this command:
PRIVSEP=no ./dhcpcd.SlackBuild
Privilege separation remains the dhcpcd package default as we don't want
to weaken security for those using rc.inet1 along with dhcpcd.
Some additional comments about this were added to 00-dhcp-client.conf
mentioning this and the workaround of killing dhcpcd manually when
resuming with the stock dhcpcd package.
n/bind-9.16.21-x86_64-1.txz: Upgraded.
Fixed call to rndc-confgen in the install script.
Make /etc/rndc.key owned by named:named.
Run named as named:named by default (configurable in /etc/default/named).
rc.bind: chown /run/named and /var/named to configured user:group.
Thanks to Ressy for prompting this cleanup. :)
n/curl-7.79.0-x86_64-1.txz: Upgraded.
This update fixes security issues:
clear the leftovers pointer when sending succeeds.
do not ignore --ssl-reqd.
reject STARTTLS server response pipelining.
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22945
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22946
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22947
(* Security fix *)
n/links-2.24-x86_64-1.txz: Upgraded.
n/wireguard-tools-1.0.20210914-x86_64-1.txz: Upgraded.
x/libinput-1.19.0-x86_64-1.txz: Upgraded.
xap/gimp-2.10.28-x86_64-1.txz: Upgraded.
isolinux/initrd.img: Rebuilt.
kernels/*: Upgraded.
usb-and-pxe-installers/usbboot.img: Rebuilt.
Diffstat (limited to 'source/n/bind/rc.bind')
-rw-r--r-- | source/n/bind/rc.bind | 58 |
1 files changed, 17 insertions, 41 deletions
diff --git a/source/n/bind/rc.bind b/source/n/bind/rc.bind index cab751634..7886a2543 100644 --- a/source/n/bind/rc.bind +++ b/source/n/bind/rc.bind @@ -1,19 +1,8 @@ #!/bin/sh # Start/stop/restart the BIND name server daemon (named). -# Start BIND. In the past it was more secure to run BIND as a non-root -# user (for example, with '-u daemon'), but the modern version of BIND -# knows how to use the kernel's capability mechanism to drop all root -# privileges except the ability to bind() to a privileged port and set -# process resource limits, so running as a non-root user is not needed. -# But if you want to run as a non-root user anyway, the command options -# can be set like this in /etc/default/named: -# NAMED_OPTIONS="-u daemon" -# So you will not have to edit this script. -# -# Please note that if you run BIND as a non-root user, your files in -# /var/named may need to be chowned to this user or else named will -# refuse to start. +# Start BIND. By default this will run with user "named". If you'd like to +# change this or other options, see: /etc/default/named # You might also consider running BIND in a "chroot jail", # a discussion of which may be found in @@ -27,6 +16,17 @@ if [ -f /etc/default/named ] ; then . /etc/default/named ; fi if [ -f /etc/default/rndc ] ; then . /etc/default/rndc ; fi +# In case /etc/default/named was missing: +if [ -z "$BIND_USER" ]; then + BIND_USER="named" +fi +if [ -z "$BIND_GROUP" ]; then + BIND_GROUP="named" +fi +if [ -z "$BIND_OPTIONS" ]; then + BIND_OPTIONS="-u $BIND_USER" +fi + # Sanity check. If /usr/sbin/named is missing then it # doesn't make much sense to try to run this script: if [ ! -x /usr/sbin/named ]; then @@ -34,40 +34,16 @@ if [ ! -x /usr/sbin/named ]; then exit 1 fi -# Function to find the user BIND is running as in $NAMED_OPTIONS: -find_bind_user() { - if echo $NAMED_OPTIONS | grep -wq "\-u" ; then - unset BIND_USER USER_FOUND - echo $NAMED_OPTIONS | tr ' ' '\n' | while read element ; do - if [ "$USER_FOUND" = "true" ]; then - BIND_USER="$element" - echo $BIND_USER - break - elif [ "$element" = "-u" ]; then - USER_FOUND="true" - fi - done - else - echo "root" - fi -} - # Start BIND. As many times as you like. ;-) # Seriously, don't run "rc.bind start" if BIND is already # running or you'll get more than one copy running. bind_start() { # Make sure /var/run/named exists: mkdir -p /var/run/named - # If we are running as a non-root user, we'll need to be sure that - # /var/run/named is chowned properly to that user. Your files in - # /var/named may need to be chowned as well, but that will be up to - # the sysadmin to do. - BIND_USER="$(find_bind_user)" - if [ ! "$BIND_USER" = "root" ]; then - chown -R $BIND_USER /var/run/named - else # prevent error if switching back to running as root: - chown -R root /var/run/named - fi + # Make sure that /var/run/named has correct ownership: + chown -R ${BIND_USER}:${BIND_GROUP} /var/run/named + # Make sure that /var/named has correct ownership: + chown -R ${BIND_USER}:${BIND_GROUP} /var/named # Start named: if [ -x /usr/sbin/named ]; then echo "Starting BIND: /usr/sbin/named $NAMED_OPTIONS" |