Fix mv destination file path for /etc/bind

- Force Package[bind] to be installed before moving /etc/bind into the $chroot_dir - Fix recursive permissions for /var/bind9/chroot/** directories (so that user bind can cross those directories if they belong to root)
2017-10-18 12:08:16 +02:00 · 2017-10-18 12:08:16 +02:00 · 1ea5d96d6b
commit 1ea5d96d6b
parent 16f2f22c4b
2 changed files with 12 additions and 11 deletions
--- a/manifests/chroot/manual.pp
+++ b/manifests/chroot/manual.pp
@ -14,7 +14,7 @@ class bind::chroot::manual(
            "${::bind::defaults::chroot_dir}/var/cache",
            "${::bind::defaults::chroot_dir}/var/run"]:
      ensure  => directory,
-      mode    => '0660',
+      mode    => '0661',
      require => Exec['mkdir-p-$chroot_dir'],
    }

@ -48,13 +48,13 @@ class bind::chroot::manual(
      require => [ Exec['mknod-dev-null'], Exec['mknod-dev-random'], Exec['mknod-dev-urandom'] ],
    }
    exec { 'mv-etc-bind-into-jailed-etc':
-        command => "mv ${::bind::defaults::confdir} ${::bind::defaults::chroot_dir}",
+        command => "mv ${::bind::defaults::confdir} ${::bind::defaults::chroot_dir}${::bind::defaults::confdir}",
        path    => ['/bin', '/usr/bin'],
        unless  => "test -d ${::bind::defaults::chroot_dir}${::bind::defaults::confdir}",
-        require => [ File["${::bind::defaults::chroot_dir}/etc"] ]
+        require => [ Package['bind'], File["${::bind::defaults::chroot_dir}/etc"] ],
+    }
+    -> file { '/etc/bind':
+        ensure  => link,
+        target  => "${::bind::defaults::chroot_dir}${::bind::defaults::confdir}",
    }
-    #-> file { '/etc/bind':
-    #    ensure  => link,
-    #    target  => "${::bind::defaults::chroot_dir}/${::bind::defaults::confdir}",
-    #}
 }
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -38,6 +38,11 @@ class bind (
        name   => $::bind::defaults::bind_package,
    }

+    if $chroot and $::bind::defaults::chroot_class {
+        # When using a dedicated chroot class, service declaration is dedicated to this class
+        class { $::bind::defaults::chroot_class : }
+    }
+
    if $dnssec {
        file { '/usr/local/bin/dnssec-init':
            ensure => present,
@ -113,10 +118,6 @@ class bind (
        content => "};\n";
    }

-    if $chroot and $::bind::defaults::chroot_class {
-        # When using a dedicated chroot class, service declaration is dedicated to this class
-        class { $::bind::defaults::chroot_class : }
-    } 
    # DO NOT declare a bind service when chrooting bind with bind::chroot::package class,
    # because it needs another dedicated chrooted-bind service (i.e. named-chroot on RHEL)
    # AND it also needs $::bind::defaults::bind_service being STOPPED and DISABLED.