Fix mv destination file path for /etc/bind

- Force Package[bind] to be installed before moving /etc/bind into the
  $chroot_dir

- Fix recursive permissions for /var/bind9/chroot/** directories (so
  that user bind can traverse those directories even when they are owned by root)
This commit is contained in:
Cédric Defortis 2017-10-18 12:08:16 +02:00 committed by Cedric DEFORTIS
parent 16f2f22c4b
commit 1ea5d96d6b
2 changed files with 12 additions and 11 deletions


@ -14,7 +14,7 @@ class bind::chroot::manual(
"${::bind::defaults::chroot_dir}/var/cache", "${::bind::defaults::chroot_dir}/var/cache",
"${::bind::defaults::chroot_dir}/var/run"]: "${::bind::defaults::chroot_dir}/var/run"]:
ensure => directory, ensure => directory,
mode => '0660', mode => '0661',
require => Exec['mkdir-p-$chroot_dir'], require => Exec['mkdir-p-$chroot_dir'],
} }
@ -48,13 +48,13 @@ class bind::chroot::manual(
require => [ Exec['mknod-dev-null'], Exec['mknod-dev-random'], Exec['mknod-dev-urandom'] ], require => [ Exec['mknod-dev-null'], Exec['mknod-dev-random'], Exec['mknod-dev-urandom'] ],
} }
exec { 'mv-etc-bind-into-jailed-etc': exec { 'mv-etc-bind-into-jailed-etc':
command => "mv ${::bind::defaults::confdir} ${::bind::defaults::chroot_dir}", command => "mv ${::bind::defaults::confdir} ${::bind::defaults::chroot_dir}${::bind::defaults::confdir}",
path => ['/bin', '/usr/bin'], path => ['/bin', '/usr/bin'],
unless => "test -d ${::bind::defaults::chroot_dir}${::bind::defaults::confdir}", unless => "test -d ${::bind::defaults::chroot_dir}${::bind::defaults::confdir}",
require => [ File["${::bind::defaults::chroot_dir}/etc"] ] require => [ Package['bind'], File["${::bind::defaults::chroot_dir}/etc"] ],
}
-> file { '/etc/bind':
ensure => link,
target => "${::bind::defaults::chroot_dir}${::bind::defaults::confdir}",
} }
#-> file { '/etc/bind':
# ensure => link,
# target => "${::bind::defaults::chroot_dir}/${::bind::defaults::confdir}",
#}
} }
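Review bot: `mode => '0661'` on the chroot directories (line 20, new side) is an odd permission set for directories: owner and group get read/write without the execute bit while "other" gets execute only, so traversal by the bind user works only because the owner is root (which bypasses DAC) and any non-root owner would be locked out of its own directory. For a "traverse but don't list" policy the conventional values are `mode => '0711'` or `'0755'` with an explicit `owner`/`group`, and directories named must write into (`var/run`, `var/cache`) presumably need to be owned by or group-writable for the bind user rather than world-traversable — worth confirming against the rest of the directory list, which starts above this hunk. The new link resource is titled with a literal `'/etc/bind'` while the exec it follows uses `${::bind::defaults::confdir}`; if the two ever diverge the link lands at the wrong path, so `file { $::bind::defaults::confdir:` keeps them in step. Note also that Puppet refuses to replace an existing directory with a link unless `force => true`, so if a package reinstall recreates `/etc/bind` after the move, the `unless` skips the mv and this resource fails on later runs — a case the commit should at least document.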


@ -38,6 +38,11 @@ class bind (
name => $::bind::defaults::bind_package, name => $::bind::defaults::bind_package,
} }
if $chroot and $::bind::defaults::chroot_class {
# When using a dedicated chroot class, service declaration is dedicated to this class
class { $::bind::defaults::chroot_class : }
}
if $dnssec { if $dnssec {
file { '/usr/local/bin/dnssec-init': file { '/usr/local/bin/dnssec-init':
ensure => present, ensure => present,
@ -113,10 +118,6 @@ class bind (
content => "};\n"; content => "};\n";
} }
if $chroot and $::bind::defaults::chroot_class {
# When using a dedicated chroot class, service declaration is dedicated to this class
class { $::bind::defaults::chroot_class : }
}
# DO NOT declare a bind service when chrooting bind with bind::chroot::package class, # DO NOT declare a bind service when chrooting bind with bind::chroot::package class,
# because it needs another dedicated chrooted-bind service (i.e. named-chroot on RHEL) # because it needs another dedicated chrooted-bind service (i.e. named-chroot on RHEL)
# AND it also needs $::bind::defaults::bind_service being STOPPED and DISABLED. # AND it also needs $::bind::defaults::bind_service being STOPPED and DISABLED.
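Review bot: The relocated `class { $::bind::defaults::chroot_class : }` block (lines 47–50) now sits right after the package resource, but Puppet's declaration order does not by itself order catalog application, so the move alone does not make the chroot class run after `Package['bind']`; the `require => Package['bind']` added in the chroot manifest is what does that. If the relocation is needed for evaluation order (for example a variable the chroot class sets that the dnssec or config resources below read), the comment should say so, e.g. `# Must be declared before the dnssec/config resources below: <reason>`, so the next maintainer does not move it back. Separately, when `$chroot` is true but `$::bind::defaults::chroot_class` is empty the condition silently does nothing, leaving an un-jailed named while the operator believes it is chrooted; an `else { fail("chroot requested but no chroot class defined for this platform") }` (or at least a `warning()`) would surface that, assuming no other part of this class — which starts and ends outside the hunk — already handles it.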