From 326781423c096f4ed90cebc87cfe74b24ac794a0 Mon Sep 17 00:00:00 2001
From: deraadt
Date: Sun, 25 Oct 2015 07:44:42 +0000
Subject: [PATCH] pledge bind(1), dig(1), and nslookup(1).

This modifies the underlying ISC library to use socket(2) with the SOCK_DNS flag. As a result, the port commands are disabled (such practice is rare in the wild these days, and pretty incompatible with the DNS vs regular socket concept in pledge..) ok bluhm phessler reyk, etc
---
 usr.sbin/bind/bin/dig/dig.1 | 12 ++----------
 usr.sbin/bind/bin/dig/dig.c | 11 ++++++++++-
 usr.sbin/bind/bin/dig/host.c | 8 ++++++++
 usr.sbin/bind/bin/dig/nslookup.1 | 8 --------
 usr.sbin/bind/bin/dig/nslookup.c | 10 +++++++++-
 usr.sbin/bind/lib/isc/unix/net.c | 8 ++++----
 usr.sbin/bind/lib/isc/unix/socket.c | 4 ++--
 7 files changed, 35 insertions(+), 26 deletions(-)

diff --git a/usr.sbin/bind/bin/dig/dig.1 b/usr.sbin/bind/bin/dig/dig.1
index 52e423a2014..06180f0e45a 100644
--- a/usr.sbin/bind/bin/dig/dig.1
+++ b/usr.sbin/bind/bin/dig/dig.1
@@ -33,7 +33,7 @@ dig \- DNS lookup utility
 .SH "SYNOPSIS"
 .HP 4
-\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-p\ \fR\fB\fIport#\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
+\fBdig\fR [@server] [\fB\-b\ \fR\fB\fIaddress\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfilename\fR\fR] [\fB\-k\ \fR\fB\fIfilename\fR\fR] [\fB\-q\ \fR\fB\fIname\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-x\ \fR\fB\fIaddr\fR\fR] [\fB\-y\ \fR\fB\fI[hmac:]\fR\fIname:key\fR\fR] [\fB\-4\fR] [\fB\-6\fR] [name] [type] [class] [queryopt...]
 .HP 4
 \fBdig\fR [\fB\-h\fR]
 .HP 4
@@ -122,7 +122,7 @@ will perform a lookup for an A record.
 The
 \fB\-b\fR
 option sets the source IP address of the query to
-\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::". An optional port may be specified by appending "#"
+\fIaddress\fR. This must be a valid address on one of the host's network interfaces or "0.0.0.0" or "::".
 .PP
 The default query class (IN for internet) is overridden by the
 \fB\-c\fR
@@ -139,14 +139,6 @@ operate in batch mode by reading a list of lookup requests to process from the f
 \fBdig\fR
 using the command\-line interface.
 .PP
-If a non\-standard port number is to be queried, the
-\fB\-p\fR
-option is used.
-\fIport#\fR
-is the port number that
-\fBdig\fR
-will send its queries instead of the standard DNS port number 53. This option would be used to test a name server that has been configured to listen for queries on a non\-standard port number.
-.PP
 The
 \fB\-4\fR
 option forces
diff --git a/usr.sbin/bind/bin/dig/dig.c b/usr.sbin/bind/bin/dig/dig.c
index 79402c61816..156d1bcdb76 100644
--- a/usr.sbin/bind/bin/dig/dig.c
+++ b/usr.sbin/bind/bin/dig/dig.c
@@ -21,6 +21,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -1191,7 +1192,8 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 		strlcpy(keyfile, value, sizeof(keyfile));
 		return (value_from_next);
 	case 'p':
-		port = (in_port_t) parse_uint(value, "port number", MAXPORT);
+		fprintf(stderr, ";; Warning, -p option ignored\n");
+		/* port = (in_port_t) parse_uint(value, "port number", MAXPORT); */
 		return (value_from_next);
 	case 'q':
 		if (!config_only) {
@@ -1753,6 +1755,9 @@ main(int argc, char **argv) {
 	ISC_LIST_INIT(server_list);
 	ISC_LIST_INIT(search_list);
+	if (pledge("stdio rpath dns", NULL) == -1)
+		perror("pledge");
+
 	debug("main()");
 	preparse_args(argc, argv);
 	progname = argv[0];
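Review bot: The new `case 'p'` body keeps the old assignment as a commented-out line; dead code should be deleted rather than carried along, and the warning should say why the option no longer works so users do not read it as a bug, e.g. `fprintf(stderr, ";; Warning, -p option ignored (port selection is not supported on pledge(2) DNS sockets)\n");`, which is the reason the commit description gives. The dig.1 hunk above also drops the `address#port` wording for `-b`, but the `case 'b'` parsing is outside this hunk and is not shown changing, so confirm whether a source-port suffix is still accepted or should receive the same warning. dash_option continues outside the hunk.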
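Review bot: The pledge added to main only reports failure with `perror("pledge")` and then keeps running, so a failed pledge silently leaves the whole process unrestricted rather than stopping it; the usual form is fatal, `if (pledge("stdio rpath dns", NULL) == -1) err(1, "pledge");` (needs `<err.h>`; the target of the include added at the top of the file is not readable here, so it may or may not already be present). The same reasoning applies to the second pledge later in main. main continues outside the hunk.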
@@ -1760,6 +1765,10 @@ main(int argc, char **argv) {
 	check_result(result, "isc_app_start");
 	setup_libs();
 	parse_args(ISC_FALSE, ISC_FALSE, argc, argv);
+
+	if (pledge("stdio dns", NULL) == -1)
+		perror("pledge");
+
 	setup_system();
 	if (domainopt[0] != '\0') {
 		set_search_domain(domainopt);
diff --git a/usr.sbin/bind/bin/dig/host.c b/usr.sbin/bind/bin/dig/host.c
index 329689cc691..c272f6cf08c 100644
--- a/usr.sbin/bind/bin/dig/host.c
+++ b/usr.sbin/bind/bin/dig/host.c
@@ -21,6 +21,7 @@
 #include
 #include
+#include
 #include
 #ifdef HAVE_LOCALE_H
@@ -838,6 +839,9 @@ main(int argc, char **argv) {
 	idnoptions = IDN_ASCCHECK;
 #endif
+	if (pledge("stdio rpath dns inet", NULL) == -1)
+		perror("pledge");
+
 	debug("main()");
 	progname = argv[0];
 	pre_parse_args(argc, argv);
@@ -845,6 +849,10 @@ main(int argc, char **argv) {
 	check_result(result, "isc_app_start");
 	setup_libs();
 	parse_args(ISC_FALSE, argc, argv);
+
+	if (pledge("stdio dns", NULL) == -1)
+		perror("pledge");
+
 	setup_system();
 	result = isc_app_onrun(mctx, global_task, onrun_callback, NULL);
 	check_result(result, "isc_app_onrun");
diff --git a/usr.sbin/bind/bin/dig/nslookup.1 b/usr.sbin/bind/bin/dig/nslookup.1
index b2d2147f443..dc611ab7d45 100644
--- a/usr.sbin/bind/bin/dig/nslookup.1
+++ b/usr.sbin/bind/bin/dig/nslookup.1
@@ -189,14 +189,6 @@ If the lookup request contains at least one period but doesn't end with a traili
 (Default = search)
 .RE
 .PP
-\fBport=\fR\fIvalue\fR
-.RS 4
-Change the default TCP/UDP name server port to
-\fIvalue\fR.
-.sp
-(Default = 53; abbreviation = po)
-.RE
-.PP
 \fBquerytype=\fR\fIvalue\fR
 .RS 4
 .RE
diff --git a/usr.sbin/bind/bin/dig/nslookup.c b/usr.sbin/bind/bin/dig/nslookup.c
index f0d6c3def81..d9a7085948d 100644
--- a/usr.sbin/bind/bin/dig/nslookup.c
+++ b/usr.sbin/bind/bin/dig/nslookup.c
@@ -20,6 +20,7 @@
 #include
 #include
+#include
 #include
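Review bot: The narrowing to `stdio dns` happens before `setup_system()`, so anything setup_system still opens from disk will now be killed rather than fail cleanly; in particular dash_option above copies the `-k` argument into `keyfile` but nothing in the shown hunks opens it, so it is presumably read later (setup_system is the likely place) — if so, `dig -k file` is broken by this ordering and needs a test, or the key file must be read before the second pledge. As with the first pledge, `perror("pledge")` leaves the process running without the sandbox on failure; `err(1, "pledge");` is the conventional fatal form. main continues outside the hunk.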
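Review bot: The first pledge in host.c asks for `inet` on top of `stdio rpath dns`, while dig.c and nslookup.c request only `stdio rpath dns`; nothing visible between this call and the later narrowing to `stdio dns` creates a non-DNS socket, so unless `pre_parse_args`/`parse_args` (outside the hunk) need one, `inet` should be dropped for consistency, or the line should carry a comment saying what requires it (any such use after the narrowing would be killed anyway). Failure is again only reported with `perror("pledge")` and execution continues unpledged; `err(1, "pledge");` is the usual fatal form. main continues outside the hunk.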
@@ -544,7 +545,8 @@ set_port(const char *value) {
 	isc_uint32_t n;
 	isc_result_t result = parse_uint(&n, value, 65535, "port");
 	if (result == ISC_R_SUCCESS)
-		port = (isc_uint16_t) n;
+		port = 0; /* (isc_uint16_t) n;*/
+	printf("The port command has been disabled.\n");
 }
 static void
@@ -865,9 +867,15 @@ main(int argc, char **argv) {
 	result = isc_app_start();
 	check_result(result, "isc_app_start");
+	if (pledge("stdio rpath dns", NULL) == -1)
+		perror("pledge");
+
 	setup_libs();
 	progname = argv[0];
+	if (pledge("stdio dns", NULL) == -1)
+		perror("pledge");
+
 	parse_args(argc, argv);
 	setup_system();
diff --git a/usr.sbin/bind/lib/isc/unix/net.c b/usr.sbin/bind/lib/isc/unix/net.c
index f974ab5752b..f5e27938944 100644
--- a/usr.sbin/bind/lib/isc/unix/net.c
+++ b/usr.sbin/bind/lib/isc/unix/net.c
@@ -62,7 +62,7 @@ try_proto(int domain) {
 	isc_result_t result = ISC_R_SUCCESS;
 	char strbuf[ISC_STRERRORSIZE];
-	s = socket(domain, SOCK_STREAM, 0);
+	s = socket(domain, SOCK_STREAM | SOCK_DNS, 0);
 	if (s == -1) {
 		switch (errno) {
 #ifdef EAFNOSUPPORT
@@ -196,7 +196,7 @@ try_ipv6only(void) {
 	return;
 #else
 	/* check for TCP sockets */
-	s = socket(PF_INET6, SOCK_STREAM, 0);
+	s = socket(PF_INET6, SOCK_STREAM | SOCK_DNS, 0);
 	if (s == -1) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -219,7 +219,7 @@ try_ipv6only(void) {
 	close(s);
 	/* check for UDP sockets */
-	s = socket(PF_INET6, SOCK_DGRAM, 0);
+	s = socket(PF_INET6, SOCK_DGRAM | SOCK_DNS, 0);
 	if (s == -1) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
@@ -271,7 +271,7 @@ try_ipv6pktinfo(void) {
 	}
 	/* we only use this for UDP sockets */
-	s = socket(PF_INET6, SOCK_DGRAM, IPPROTO_UDP);
+	s = socket(PF_INET6, SOCK_DGRAM | SOCK_DNS, IPPROTO_UDP);
 	if (s == -1) {
 		isc__strerror(errno, strbuf, sizeof(strbuf));
 		UNEXPECTED_ERROR(__FILE__, __LINE__,
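Review bot: `port = 0;` does not disable the command, it changes state: `port` is presumably the destination port used for subsequent queries, so after `set port=…` the session would address port 0 instead of 53 (and under the SOCK_DNS restriction the commit description relies on, that can never succeed). If the command is to be ignored, leave `port` untouched and drop the commented-out expression: replace the `if`/assignment pair with `(void)parse_uint(&n, value, 65535, "port");` followed by the existing `printf("The port command has been disabled.\n");`. Note the message goes to stdout while dig's equivalent warning goes to stderr; pick one for both programs.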
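Review bot: nslookup narrows to `stdio dns` before `parse_args(argc, argv)`, whereas dig.c and host.c narrow only after their parse_args; if nslookup's parse_args (outside the hunk) opens any file, that open is now killed under the reduced promise set rather than failing gracefully. Either move the second pledge below parse_args to match the other two programs, or add a comment on it explaining why nslookup can narrow earlier. As elsewhere in this commit, `perror("pledge")` leaves the process running unpledged on failure; `err(1, "pledge");` is the conventional fatal form. main continues outside the hunk.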
diff --git a/usr.sbin/bind/lib/isc/unix/socket.c b/usr.sbin/bind/lib/isc/unix/socket.c
index fc300ba1e92..98bf327c19a 100644
--- a/usr.sbin/bind/lib/isc/unix/socket.c
+++ b/usr.sbin/bind/lib/isc/unix/socket.c
@@ -1503,10 +1503,10 @@ isc_socket_create(isc_socketmgr_t *manager, int pf, isc_sockettype_t type,
 again:
 	switch (type) {
 	case isc_sockettype_udp:
-		sock->fd = socket(pf, SOCK_DGRAM, IPPROTO_UDP);
+		sock->fd = socket(pf, SOCK_DGRAM | SOCK_DNS, IPPROTO_UDP);
 		break;
 	case isc_sockettype_tcp:
-		sock->fd = socket(pf, SOCK_STREAM, IPPROTO_TCP);
+		sock->fd = socket(pf, SOCK_STREAM | SOCK_DNS, IPPROTO_TCP);
 		break;
 	case isc_sockettype_unix:
 		sock->fd = socket(pf, SOCK_STREAM, 0);
-- 
2.20.1
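Review bot: The two changed socket(2) calls in isc_socket_create carry no explanation of SOCK_DNS, and a reader of this otherwise generic ISC file will not know it is an OpenBSD extension, why the unix case directly below is left without it, or that it is the reason the port options were removed in this commit. A comment above the `switch (type)` would save that archaeology, e.g. `/* OpenBSD: SOCK_DNS marks UDP/TCP sockets as DNS sockets so they stay usable under a pledge(2) "dns" promise; the unix case is deliberately left plain. */`. The `again:` retry label and the rest of isc_socket_create are outside the hunk.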