mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

samba_upgradedns: When we setup the internal dns cleanup bind-dns dir

Make sure to remove everything from the bind-dns directory to avoid
possible security issues with the named group having write access to all
AD partitions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andreas Schneider 2017-09-05 11:47:27 +02:00 committed by Jeremy Allison
parent 8cf5c5f0fa
commit 05169a6047


@ -553,6 +553,23 @@ if __name__ == '__main__':
"updates", paths.namedtxt)
elif opts.dns_backend == "SAMBA_INTERNAL":
# Make sure to remove everything from the bind-dns directory to avoid
# possible security issues with the named group having write access
# to all AD partions
cleanup_remove_file(os.path.join(paths.binddns_dir, "dns.keytab"))
cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf"))
cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf.update"))
cleanup_remove_file(os.path.join(paths.binddns_dir, "named.txt"))
cleanup_remove_dir(os.path.dirname(paths.dns))
try:
os.chmod(paths.private_dir, 0o700)
os.chown(paths.private_dir, -1, 0)
except:
logger.warn("Failed to restore owner and permissions for %s",
(paths.private_dir))
# Check if dns-HOSTNAME account exists and delete it if required
try:
dn_str = 'samAccountName=dns-%s,CN=Principals' % hostname
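Review bot: The bare `except:` around `os.chmod(paths.private_dir, 0o700)` / `os.chown(paths.private_dir, -1, 0)` catches every exception, including KeyboardInterrupt, and logs only a warning with no cause. If the reset fails, the upgrade continues with the directory's previous mode and group, which appears to be the exposure this commit is meant to close. I would narrow it to `except OSError as e:` and log the reason with `logger.warning("Failed to restore owner and permissions for %s: %s", paths.private_dir, e)`, and consider whether a failure here should be reported more loudly than a warning. Separately, the comment says "remove everything", but the code deletes four named files plus `os.path.dirname(paths.dns)`; anything else left in `paths.binddns_dir` would survive. `cleanup_remove_file` and `cleanup_remove_dir` are defined outside this hunk, so confirm that this is intended. The `elif` branch starts before the hunk and the `try:` on its last lines continues past it.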