From 4c9608fb27b0f1bef846b72291ecb515045d3507 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 10 Aug 2017 15:04:08 +0200 Subject: [PATCH] param: Add 'binddns dir' parameter This allows to us to have restricted access to the directory by the group 'named' which bind is a member of. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957 Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlet --- buildtools/wafsamba/samba_patterns.py | 1 + docs-xml/smbdotconf/generate-file-list.sh | 1 + docs-xml/smbdotconf/security/binddnsdir.xml | 18 ++++++++++++++++++ dynconfig/dynconfig.c | 1 + dynconfig/dynconfig.h | 1 + dynconfig/wscript | 7 +++++++ lib/param/loadparm.c | 1 + lib/param/param.h | 1 + source3/param/loadparm.c | 2 ++ 9 files changed, 33 insertions(+) create mode 100644 docs-xml/smbdotconf/security/binddnsdir.xml diff --git a/buildtools/wafsamba/samba_patterns.py b/buildtools/wafsamba/samba_patterns.py index e809f26a095..2b939372fa4 100644 --- a/buildtools/wafsamba/samba_patterns.py +++ b/buildtools/wafsamba/samba_patterns.py @@ -108,6 +108,7 @@ def write_build_options_header(fp): fp.write(" output(screen,\" PIDDIR: %s\\n\", get_dyn_PIDDIR());\n") fp.write(" output(screen,\" SMB_PASSWD_FILE: %s\\n\",get_dyn_SMB_PASSWD_FILE());\n") fp.write(" output(screen,\" PRIVATE_DIR: %s\\n\",get_dyn_PRIVATE_DIR());\n") + fp.write(" output(screen,\" BINDDNS_DIR: %s\\n\",get_dyn_BINDDNS_DIR());\n") fp.write("\n") def write_build_options_footer(fp): diff --git a/docs-xml/smbdotconf/generate-file-list.sh b/docs-xml/smbdotconf/generate-file-list.sh index 4a25f1e6d49..7ab1b7caf76 100755 --- a/docs-xml/smbdotconf/generate-file-list.sh +++ b/docs-xml/smbdotconf/generate-file-list.sh @@ -11,6 +11,7 @@ echo " + diff --git a/docs-xml/smbdotconf/security/binddnsdir.xml b/docs-xml/smbdotconf/security/binddnsdir.xml new file mode 100644 index 00000000000..c296a0ef81d --- /dev/null +++ b/docs-xml/smbdotconf/security/binddnsdir.xml 
@@ -0,0 +1,18 @@ + +bind dns directory + + + This parameters defines the directory samba will use to store the configuration + files for bind, such as named.conf. + + NOTE: The bind dns directory needs to be on the same mount point as the private + directory! + + + +&pathconfig.BINDDNS_DIR; + diff --git a/dynconfig/dynconfig.c b/dynconfig/dynconfig.c index e75d7db553a..e70a10f8cfe 100644 --- a/dynconfig/dynconfig.c +++ b/dynconfig/dynconfig.c @@ -95,6 +95,7 @@ DEFINE_DYN_CONFIG_PARAM(PIDDIR) DEFINE_DYN_CONFIG_PARAM(NCALRPCDIR) DEFINE_DYN_CONFIG_PARAM(SMB_PASSWD_FILE) DEFINE_DYN_CONFIG_PARAM(PRIVATE_DIR) +DEFINE_DYN_CONFIG_PARAM(BINDDNS_DIR) DEFINE_DYN_CONFIG_PARAM(LOCALEDIR) DEFINE_DYN_CONFIG_PARAM(NMBDSOCKETDIR) DEFINE_DYN_CONFIG_PARAM(DATADIR) diff --git a/dynconfig/dynconfig.h b/dynconfig/dynconfig.h index 4d07c103d74..bdab2e8f242 100644 --- a/dynconfig/dynconfig.h +++ b/dynconfig/dynconfig.h @@ -46,6 +46,7 @@ DEFINE_DYN_CONFIG_PROTO(PIDDIR) DEFINE_DYN_CONFIG_PROTO(NCALRPCDIR) DEFINE_DYN_CONFIG_PROTO(SMB_PASSWD_FILE) DEFINE_DYN_CONFIG_PROTO(PRIVATE_DIR) +DEFINE_DYN_CONFIG_PROTO(BINDDNS_DIR) DEFINE_DYN_CONFIG_PROTO(LOCALEDIR) DEFINE_DYN_CONFIG_PROTO(NMBDSOCKETDIR) DEFINE_DYN_CONFIG_PROTO(DATADIR) diff --git a/dynconfig/wscript b/dynconfig/wscript index ba0c896b90e..fee37eaaf5f 100644 --- a/dynconfig/wscript +++ b/dynconfig/wscript @@ -192,6 +192,12 @@ dynconfig = { 'OPTION': '--with-statedir', 'HELPTEXT': 'Where to put persistent state files', }, + 'BINDDNS_DIR' : { + 'STD-PATH': '${LOCALSTATEDIR}/lib', + 'FHS-PATH': '${LOCALSTATEDIR}/lib/samba/bind-dns', + 'OPTION': '--with-bind-dns-dir', + 'HELPTEXT': 'bind-dns config directory', + }, 'CACHEDIR' : { 'STD-PATH': '${LOCALSTATEDIR}/cache', 'FHS-PATH': '${LOCALSTATEDIR}/cache/samba', 
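Review bot: The new BINDDNS_DIR entry gives 'STD-PATH' the shared directory '${LOCALSTATEDIR}/lib' while 'FHS-PATH' gets a dedicated 'bind-dns' subdirectory, so in the standard layout the directory that this series installs group-accessible for bind is not specific to bind, and anything else that lands under that lib directory in the standard layout (not visible in this hunk) would inherit the same access. A dedicated path in both layouts matches the commit's stated goal of restricting one directory to the 'named' group, e.g. `'STD-PATH': '${LOCALSTATEDIR}/lib/bind-dns',`. The binddnsdir.xml text requires this directory to be on the same mount point as the private directory, so whichever path is chosen should stay on the same filesystem as PRIVATE_DIR, whose entry is outside this hunk.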
@@ -419,6 +425,7 @@ def build(bld): bld.INSTALL_DIR("${LOGFILEBASE}") bld.INSTALL_DIR("${PRIVILEGED_SOCKET_DIR}") bld.INSTALL_DIR("${PRIVATE_DIR}", 0o700) + bld.INSTALL_DIR("${BINDDNS_DIR}", 0o770) bld.INSTALL_DIR("${STATEDIR}") bld.INSTALL_DIR("${CACHEDIR}") diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index a221e879d07..b91f9657f1c 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2655,6 +2655,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) /* the winbind method for domain controllers is for both RODC auth forwarding and for trusted domains */ lpcfg_do_global_parameter(lp_ctx, "private dir", dyn_PRIVATE_DIR); + lpcfg_do_global_parameter(lp_ctx, "binddns dir", dyn_BINDDNS_DIR); lpcfg_do_global_parameter(lp_ctx, "registry:HKEY_LOCAL_MACHINE", "hklm.ldb"); /* This hive should be dynamically generated by Samba using diff --git a/lib/param/param.h b/lib/param/param.h index 589b8906db5..680c053a6cc 100644 --- a/lib/param/param.h +++ b/lib/param/param.h @@ -56,6 +56,7 @@ const char **lpcfg_interfaces(struct loadparm_context *); const char *lpcfg_realm(struct loadparm_context *); const char *lpcfg_netbios_name(struct loadparm_context *); const char *lpcfg_private_dir(struct loadparm_context *); +const char *lpcfg_binddns_dir(struct loadparm_context *); int lpcfg_server_role(struct loadparm_context *); int lpcfg_allow_dns_updates(struct loadparm_context *); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index d5b1c56e21e..42e579efcfd 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -550,6 +550,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) get_dyn_SMB_PASSWD_FILE()); lpcfg_string_set(Globals.ctx, &Globals.private_dir, get_dyn_PRIVATE_DIR()); + lpcfg_string_set(Globals.ctx, &Globals.binddns_dir, + get_dyn_BINDDNS_DIR()); /* use the new 'hash2' method by default, with a prefix of 1 */ lpcfg_string_set(Globals.ctx, &Globals.mangling_method, "hash2");
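Review bot: `bld.INSTALL_DIR("${BINDDNS_DIR}", 0o770)` makes the directory group-writable but sets no group owner, so the restriction to group 'named' described in the commit message only takes effect after a packager or admin changes the group; until then the group bits belong to whatever group the installing user has, and a reader comparing it with the `0o700` on PRIVATE_DIR just above has no hint why this directory is looser. If bind only needs to read the generated named.conf and keytab that binddnsdir.xml says live here, `0o750` is the tighter choice; if bind must also write into it, that requirement should be stated next to the mode, e.g. `# group-writable: bind (group 'named') must write here; packaging/admin must chgrp it`. The enclosing build() function continues outside this hunk.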