named: "-u user" needs more privileges
| | | COMPONENT_NAME= bind |
| | | COMPONENT_VERSION= 9.18.19 |
| | | COMPONENT_REVISION= 1 |
| | | COMPONENT_SUMMARY= BIND DNS name server and configuration tools. |
| | | COMPONENT_DESCRIPTION= BIND is open source software that implements the Domain Name System \ |
| | | (DNS) protocols for the Internet. This package contains the DNS \ |
old mode 100644
new mode 100755
| | |
| | | # |
| | | # Copyright (c) 2007, 2012, Oracle and/or its affiliates. All rights reserved. |
| | | # Copyright 2016 Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org> |
| | | # Copyright 2023 Gary Mills |
| | | # |
| | | # smf_method(5) start/stop script required for server DNS |
| | | |
| | |
| | | result=$? |
| | | if [ $result -ne 0 ]; then |
| | | echo "$I : start failed! Check syslog for further information." >&2 |
| | | exit ${result} |
| | | fi |
| | | if [ "${cmduser}" != "" ]; then |
| | | |
| | | # Wait for the setuid to complete |
| | | numsec=0 |
| | | for N in 1 1 2 2 4 4 9 9 |
| | | do |
| | | numsec=`/usr/bin/expr ${numsec} + $N` |
| | | if [ $N = 9 ]; then |
| | | echo "$I: Process ${cmduser} did not appear" |
| | | exit 0 |
| | | fi |
| | | sleep ${numsec} |
| | | svrpid=`/usr/bin/pgrep -f -u ${cmduser} /usr/sbin/named` |
| | | numpids=`echo ${svrpid} | /usr/bin/wc -l` |
| | | if [ "${svrpid}" = "" ]; then |
| | | continue |
| | | fi |
| | | if [ ${numpids} -eq 1 ]; then |
| | | break |
| | | fi |
| | | if [ ${numpids} -gt 1 ]; then |
| | | echo "$I: Nameserver is already running" |
| | | exit 0 |
| | | fi |
| | | done |
| | | |
| | | # Set process privileges to allow binding to a privileged port |
| | | /usr/bin/ppriv -s A+net_privaddr ${svrpid} |
| | | fi |
| | | fi |
| | | ;; |
| | | 'stop') |
| | |
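Review bot: The `numpids` value in the wait loop is always 1 whenever pgrep finds anything, because the unquoted `echo ${svrpid}` word-splits the newline-separated PID list onto a single line before `wc -l`; the `-gt 1` "Nameserver is already running" branch is therefore unreachable and `ppriv -s A+net_privaddr ${svrpid}` is applied to every matched PID at once. Quoting the expansion restores the intended count: `echo "${svrpid}"`. Because `pgrep -f` matches its pattern as a regex anywhere in the full command line, any process of `${cmduser}` whose argv merely contains `/usr/sbin/named` also receives net_privaddr; anchoring the pattern (e.g. `'^/usr/sbin/named'`) narrows the grant to the server itself. The `N = 9` branch exits 0 after the process never appeared, so the method reports success to SMF although the privilege was never added; if that is deliberate a comment such as `# Not fatal: named may still come up without net_privaddr` would make it explicit. The enclosing `'start')` arm and the assignment of `cmduser` lie outside this hunk.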
| | | --- bind-9.18.12/doc/man/named.8in 2023-02-03 12:27:09.125770285 +0100 |
| | | +++ bind-9.18.12/doc/man/named.8in.new 2023-02-25 18:46:41.520580373 +0100 |
| | | @@ -255,6 +255,100 @@ |
| | | --- bind-9.18.19/doc/man/named.8in-orig Mon Sep 11 03:53:00 2023 |
| | | +++ bind-9.18.19/doc/man/named.8in Tue Oct 31 09:40:21 2023 |
| | | @@ -227,13 +227,11 @@ |
| | | \fBNOTE:\fP |
| | | .INDENT 0.0 |
| | | .INDENT 3.5 |
| | | -On Linux, \fBnamed\fP uses the kernel\(aqs capability mechanism to drop |
| | | -all root privileges except the ability to \fBbind\fP to a |
| | | -privileged port and set process resource limits. Unfortunately, |
| | | -this means that the \fI\%\-u\fP option only works when \fBnamed\fP is run |
| | | -on kernel 2.2.18 or later, or kernel 2.3.99\-pre3 or later, since |
| | | -previous kernels did not allow privileges to be retained after |
| | | -\fBsetuid\fP\&. |
| | | +On illumos-based distributions, including OpenIndiana, \fBnamed\fP |
| | | +uses the kernel\(aqs capability mechanism to drop |
| | | +all root privileges. |
| | | +The method script adds the privileges to \fBbind\fP to a privileged port. |
| | | +Basic privileges are still retained after \fBsetuid\fP\&. |
| | | .UNINDENT |
| | | .UNINDENT |
| | | .INDENT 0.0 |
| | | @@ -255,6 +253,100 @@ |
| | | Use of this option overrides the \fBlock\-file\fP option in |
| | | \fI\%named.conf\fP\&. If set to \fBnone\fP, the lock file check is disabled. |
| | | .UNINDENT |
| | |
| | | .SH SIGNALS |
| | | .sp |
| | | In routine operation, signals should not be used to control the |
| | | @@ -290,7 +384,8 @@ |
| | | @@ -290,7 +382,8 @@ |
| | | .UNINDENT |
| | | .SH SEE ALSO |
| | | .sp |
| | |
| | | "system/library/security/gss" |
| | | ], |
| | | "fmris": [ |
| | | "network/dns/bind", |
| | | "service/network/dns/bind" |
| | | "service/network/dns/bind", |
| | | "network/dns/bind" |
| | | ], |
| | | "name": "bind" |
| | | } |