From d750a370d6b0d8d4419ebf849bd353b08f41870e Mon Sep 17 00:00:00 2001
From: deraadt
Date: Fri, 22 Aug 2014 19:19:25 +0000
Subject: [PATCH] disable use of bind in base; in the base use nsd/unbound instead. a proper & complete bind port will show up. discussed with many for years
---
 etc/Makefile | 19 +-------
 etc/bind/db.localhost | 15 ------
 etc/bind/db.loopback | 14 ------
 etc/bind/db.loopback6.arpa | 14 ------
 etc/bind/named-dual.conf | 79 -------------------------------
 etc/bind/named-simple.conf | 71 ----------------------------
 etc/bind/root.hint | 90 -----------------------------------
 etc/changelist | 8 +---
 etc/group | 1 -
 etc/mail/aliases | 3 +-
 etc/master.passwd | 1 -
 etc/mtree/4.4BSD.dist | 16 +------
 etc/rc | 17 +------
 etc/rc.conf | 3 +-
 etc/rc.d/named | 11 -----
 etc/systrace/usr_sbin_named | 94 -------------------------------------
 16 files changed, 8 insertions(+), 448 deletions(-)
 delete mode 100644 etc/bind/db.localhost
 delete mode 100644 etc/bind/db.loopback
 delete mode 100644 etc/bind/db.loopback6.arpa
 delete mode 100644 etc/bind/named-dual.conf
 delete mode 100644 etc/bind/named-simple.conf
 delete mode 100644 etc/bind/root.hint
 delete mode 100644 etc/rc.d/named
 delete mode 100644 etc/systrace/usr_sbin_named

diff --git a/etc/Makefile b/etc/Makefile
index 83e10a22fb6..bd606f722eb 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.388 2014/07/23 11:49:06 reyk Exp $
+# $OpenBSD: Makefile,v 1.389 2014/08/22 19:19:25 deraadt Exp $
 
 TZDIR= /usr/share/zoneinfo
 LOCALTIME= Canada/Mountain
@@ -54,7 +54,7 @@ EXAMPLES_600=bgpd.conf dvmrpd.conf hostapd.conf iked.conf ipsec.conf \
 RCDAEMONS= amd apmd bgpd bootparamd cron dhcpd dhcrelay dvmrpd \
 ftpd ftpproxy hostapd hotplugd httpd identd ifstated iked \
 inetd isakmpd ldapd npppd ldattach ldpd lpd mopd mrouted \
- named nginx nsd ntpd ospfd ospf6d portmap pflogd rarpd rbootd \
+ nginx nsd ntpd ospfd ospf6d portmap pflogd rarpd rbootd \
 relayd ripd route6d rtadvd rtsold sasyncd sendmail \
 sensorsd slowcgi smtpd snmpd spamd sshd syslogd watchdogd \
 wsmoused xdm ypbind ypldap yppasswdd ypserv nfsd mountd lockd \
@@ -158,21 +158,6 @@ distribution-etc-root-var: distrib-dirs
 cd systrace; \
 ${INSTALL} -c -o root -g wheel -m 600 usr_sbin_lpd \
 ${DESTDIR}/etc/systrace; \
- ${INSTALL} -c -o root -g wheel -m 600 usr_sbin_named \
- ${DESTDIR}/etc/systrace
- cd bind; \
- ${INSTALL} -c -o root -g named -m 640 named-simple.conf \
- ${DESTDIR}/var/named/etc/named.conf; \
- ${INSTALL} -c -o root -g named -m 640 named-*.conf \
- ${DESTDIR}/var/named/etc; \
- ${INSTALL} -c -o root -g wheel -m 644 root.hint \
- ${DESTDIR}/var/named/etc; \
- ${INSTALL} -c -o root -g wheel -m 644 db.localhost \
- ${DESTDIR}/var/named/standard/localhost; \
- ${INSTALL} -c -o root -g wheel -m 644 db.loopback \
- ${DESTDIR}/var/named/standard/loopback; \
- ${INSTALL} -c -o root -g wheel -m 644 db.loopback6.arpa \
- ${DESTDIR}/var/named/standard/loopback6.arpa
 ln -fs ${TZDIR}/${LOCALTIME} ${DESTDIR}/etc/localtime
 ln -fs /usr/sbin/rmt ${DESTDIR}/etc/rmt
 ${INSTALL} -c -o root -g wheel -m 644 minfree \
diff --git a/etc/bind/db.localhost b/etc/bind/db.localhost
deleted file mode 100644
index 98a4481576d..00000000000
--- a/etc/bind/db.localhost
+++ /dev/null
@@ -1,15 +0,0 @@
-; $OpenBSD: db.localhost,v 1.4 2008/01/03 21:20:25 jakob Exp $
-
-$ORIGIN localhost.
-$TTL 6h
-
-@ IN SOA localhost. root.localhost. (
- 1 ; serial
- 1h ; refresh
- 30m ; retry
- 7d ; expiration
- 1h ) ; minimum
-
- NS localhost.
- A 127.0.0.1
- AAAA ::1
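Review bot: The kept context line `${DESTDIR}/etc/systrace; \` still ends in `; \`, so once the usr_sbin_named install below it is removed the recipe continues straight onto `ln -fs ${TZDIR}/${LOCALTIME} ${DESTDIR}/etc/localtime`, which now runs as part of the `cd systrace;` shell command instead of as its own recipe line. It happens to work while DESTDIR is absolute or empty, but the dangling continuation is a trap for the next edit to this target; the line should become `${DESTDIR}/etc/systrace` with no trailing `; \`, the way the removed usr_sbin_named line ended. The distribution-etc-root-var recipe starts and ends outside the hunk.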
diff --git a/etc/bind/db.loopback b/etc/bind/db.loopback
deleted file mode 100644
index 2764acb289b..00000000000
--- a/etc/bind/db.loopback
+++ /dev/null
@@ -1,14 +0,0 @@
-; $OpenBSD: db.loopback,v 1.4 2008/01/03 21:20:25 jakob Exp $
-
-$ORIGIN 127.in-addr.arpa.
-$TTL 6h
-
-@ IN SOA localhost. root.localhost. (
- 1 ; serial
- 1h ; refresh
- 30m ; retry
- 7d ; expiration
- 1h ) ; minimum
-
- NS localhost.
-1.0.0 PTR localhost.
diff --git a/etc/bind/db.loopback6.arpa b/etc/bind/db.loopback6.arpa
deleted file mode 100644
index 68d995c055f..00000000000
--- a/etc/bind/db.loopback6.arpa
+++ /dev/null
@@ -1,14 +0,0 @@
-; $OpenBSD: db.loopback6.arpa,v 1.5 2009/11/02 21:12:56 jakob Exp $
-
-$ORIGIN 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.
-$TTL 6h
-
-@ IN SOA localhost. root.localhost. (
- 1 ; serial
- 1h ; refresh
- 30m ; retry
- 7d ; expiration
- 1h ) ; minimum
-
- NS localhost.
- PTR localhost.
diff --git a/etc/bind/named-dual.conf b/etc/bind/named-dual.conf
deleted file mode 100644
index 5f81d909726..00000000000
--- a/etc/bind/named-dual.conf
+++ /dev/null
@@ -1,79 +0,0 @@
-// $OpenBSD: named-dual.conf,v 1.11 2009/11/02 21:12:56 jakob Exp $
-//
-// Example file for a named configuration with dual views,
-// one processing recursive queries only and one processing
-// authoritative-only queries.
-
-
-// Update this list to include only the networks for which you want
-// to execute recursive queries. The default setting allows all hosts
-// on any IPv4 networks for which the system has an interface, and
-// the IPv6 localhost address.
-//
-acl clients {
- localnets;
- ::1;
-};
-
-options {
- version ""; // remove this to allow version queries
-
- listen-on { any; };
- listen-on-v6 { any; };
-
- empty-zones-enable yes;
-};
-
-logging {
- category lame-servers { null; };
-};
-
-view "recursive" {
- match-clients { clients; };
- match-recursive-only yes;
- allow-recursion { clients; };
-
- zone "." {
- type hint;
- file "etc/root.hint";
- };
-
- zone "localhost" {
- type master;
- file "standard/localhost";
- allow-transfer { localhost; };
- };
-
- zone "127.in-addr.arpa" {
- type master;
- file "standard/loopback";
- allow-transfer { localhost; };
- };
-
- zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
- type master;
- file "standard/loopback6.arpa";
- allow-transfer { localhost; };
- };
-};
-
-view "authoritative" {
- recursion no;
- additional-from-auth no;
- additional-from-cache no;
-
- // Master zones
- //
- //zone "myzone.net" {
- // type master;
- // file "master/myzone.net";
- //};
-
- // Slave zones
- //
- //zone "otherzone.net" {
- // type slave;
- // file "slave/otherzone.net";
- // masters { 192.168.1.10; [...;] };
- //};
-};
diff --git a/etc/bind/named-simple.conf b/etc/bind/named-simple.conf
deleted file mode 100644
index e166944cf7e..00000000000
--- a/etc/bind/named-simple.conf
+++ /dev/null
@@ -1,71 +0,0 @@
-// $OpenBSD: named-simple.conf,v 1.10 2009/11/02 21:12:56 jakob Exp $
-//
-// Example file for a simple named configuration, processing both
-// recursive and authoritative queries using one cache.
-
-
-// Update this list to include only the networks for which you want
-// to execute recursive queries. The default setting allows all hosts
-// on any IPv4 networks for which the system has an interface, and
-// the IPv6 localhost address.
-//
-acl clients {
- localnets;
- ::1;
-};
-
-options {
- version ""; // remove this to allow version queries
-
- listen-on { any; };
- listen-on-v6 { any; };
-
- empty-zones-enable yes;
-
- allow-recursion { clients; };
-};
-
-logging {
- category lame-servers { null; };
-};
-
-// Standard zones
-//
-zone "." {
- type hint;
- file "etc/root.hint";
-};
-
-zone "localhost" {
- type master;
- file "standard/localhost";
- allow-transfer { localhost; };
-};
-
-zone "127.in-addr.arpa" {
- type master;
- file "standard/loopback";
- allow-transfer { localhost; };
-};
-
-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
- type master;
- file "standard/loopback6.arpa";
- allow-transfer { localhost; };
-};
-
-
-// Master zones
-//
-//zone "myzone.net" {
-// type master;
-// file "master/myzone.net";
-//};
-
-// Slave zones
-//
-//zone "otherzone.net" {
-// type slave;
-// file "slave/otherzone.net";
-// masters { 192.0.2.1; [...;] };
-//};
diff --git a/etc/bind/root.hint b/etc/bind/root.hint
deleted file mode 100644
index 715a30253ef..00000000000
--- a/etc/bind/root.hint
+++ /dev/null
@@ -1,90 +0,0 @@
-; $OpenBSD: root.hint,v 1.10 2013/01/03 18:37:19 gonzalo Exp $
-;
-; This file holds the information on root name servers needed to
-; initialize cache of Internet domain name servers
-; (e.g. reference this file in the "cache . "
-; configuration file of BIND domain name servers).
-;
-; This file is made available by InterNIC
-; under anonymous FTP as
-; file /domain/named.cache
-; on server FTP.INTERNIC.NET
-; -OR- RS.INTERNIC.NET
-;
-; last update: Jan 3, 2013
-; related version of root zone: 2013010300
-;
-; formerly NS.INTERNIC.NET
-;
-. 3600000 IN NS A.ROOT-SERVERS.NET.
-A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
-A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30
-;
-; FORMERLY NS1.ISI.EDU
-;
-. 3600000 NS B.ROOT-SERVERS.NET.
-B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201
-;
-; FORMERLY C.PSI.NET
-;
-. 3600000 NS C.ROOT-SERVERS.NET.
-C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
-;
-; FORMERLY TERP.UMD.EDU
-;
-. 3600000 NS D.ROOT-SERVERS.NET.
-D.ROOT-SERVERS.NET. 3600000 A 199.7.91.13
-D.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2D::D
-;
-; FORMERLY NS.NASA.GOV
-;
-. 3600000 NS E.ROOT-SERVERS.NET.
-E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
-;
-; FORMERLY NS.ISC.ORG
-;
-. 3600000 NS F.ROOT-SERVERS.NET.
-F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
-F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F
-;
-; FORMERLY NS.NIC.DDN.MIL
-;
-. 3600000 NS G.ROOT-SERVERS.NET.
-G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
-;
-; FORMERLY AOS.ARL.ARMY.MIL
-;
-. 3600000 NS H.ROOT-SERVERS.NET.
-H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
-H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235
-;
-; FORMERLY NIC.NORDU.NET
-;
-. 3600000 NS I.ROOT-SERVERS.NET.
-I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
-I.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FE::53
-;
-; OPERATED BY VERISIGN, INC.
-;
-. 3600000 NS J.ROOT-SERVERS.NET.
-J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
-J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30
-;
-; OPERATED BY RIPE NCC
-;
-. 3600000 NS K.ROOT-SERVERS.NET.
-K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
-K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1
-;
-; OPERATED BY ICANN
-;
-. 3600000 NS L.ROOT-SERVERS.NET.
-L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42
-L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42
-;
-; OPERATED BY WIDE
-;
-. 3600000 NS M.ROOT-SERVERS.NET.
-M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
-M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35
-; End of File
diff --git a/etc/changelist b/etc/changelist
index 7702ac7ffc2..186f6780173 100644
--- a/etc/changelist
+++ b/etc/changelist
@@ -1,4 +1,4 @@
-# $OpenBSD: changelist,v 1.98 2014/07/22 21:01:58 ajacoutot Exp $
+# $OpenBSD: changelist,v 1.99 2014/08/22 19:19:25 deraadt Exp $
 #
 # List of files which the security script backs up and checks
 # for modifications.
@@ -163,12 +163,6 @@
 /var/cron/cron.allow
 /var/cron/cron.deny
 /var/cron/tabs/root
-/var/named/etc/named.conf
-+/var/named/etc/rndc.key
-/var/named/etc/root.hint
-/var/named/standard/localhost
-/var/named/standard/loopback
-/var/named/standard/loopback6.arpa
 /var/nsd/etc/nsd.conf
 /var/unbound/etc/root.key
 /var/unbound/etc/unbound.conf
diff --git a/etc/group b/etc/group
index c4ceae23a30..54c5f9c5f20 100644
--- a/etc/group
+++ b/etc/group
@@ -32,7 +32,6 @@ crontab:*:66:
 www:*:67:
 _isakmpd:*:68:
 network:*:69:
-named:*:70:
 proxy:*:71:
 authpf:*:72:
 _syslogd:*:73:
diff --git a/etc/mail/aliases b/etc/mail/aliases
index 84f0bbebaab..dedaf4a6b81 100644
--- a/etc/mail/aliases
+++ b/etc/mail/aliases
@@ -1,5 +1,5 @@
 #
-# $OpenBSD: aliases,v 1.45 2014/06/06 16:46:43 gilles Exp $
+# $OpenBSD: aliases,v 1.46 2014/08/22 19:19:25 deraadt Exp $
 #
 # Aliases in this file will NOT be expanded in the header from
 # Mail, but WILL be visible over networks or from /usr/libexec/mail.local.
@@ -60,7 +60,6 @@ _unbound: /dev/null
 _x11: /dev/null
 _ypldap: /dev/null
 bin: /dev/null
-named: /dev/null
 nobody: /dev/null
 proxy: /dev/null
 smmsp: /dev/null
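Review bot: Dropping `named:*:70:` here (and the matching `named` line in the etc/master.passwd hunk) frees uid/gid 70, yet on an upgraded host the /var/named tree that the etc/mtree/4.4BSD.dist hunk stops creating is still there, owned by that id, with `slave` and `tmp` group-writable per the removed mtree lines. Nothing in the diff records that 70 was in use, so a later account handed that id would silently own those files, and the etc/changelist hunk at the same time stops security(8) from watching the leftover named.conf and rndc.key. If that reading is right, the upgrade notes should tell admins to remove or re-own /var/named, or the project's list of retired ids should carry 70. The group and master.passwd hunks are the only places the id appears in this commit.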
diff --git a/etc/master.passwd b/etc/master.passwd index ef7479eff28..7423d9424c8 100644 --- a/etc/master.passwd +++ b/etc/master.passwd @@ -15,7 +15,6 @@ _spamd:*:62:62::0:0:Spam Daemon:/var/empty:/sbin/nologin uucp:*:66:1::0:0:UNIX-to-UNIX Copy:/var/spool/uucppublic:/sbin/nologin www:*:67:67::0:0:HTTP Server:/var/www:/sbin/nologin _isakmpd:*:68:68::0:0:isakmpd privsep:/var/empty:/sbin/nologin -named:*:70:70::0:0:BIND Name Service Daemon:/var/named:/sbin/nologin proxy:*:71:71::0:0:Proxy Services:/nonexistent:/sbin/nologin _syslogd:*:73:73::0:0:Syslog Daemon:/var/empty:/sbin/nologin _pflogd:*:74:74::0:0:pflogd privsep:/var/empty:/sbin/nologin diff --git a/etc/mtree/4.4BSD.dist b/etc/mtree/4.4BSD.dist index 6ab061e94e9..1d8943ad0b3 100644 --- a/etc/mtree/4.4BSD.dist +++ b/etc/mtree/4.4BSD.dist @@ -1,4 +1,4 @@ -# $OpenBSD: 4.4BSD.dist,v 1.261 2014/07/18 18:20:42 deraadt Exp $ +# $OpenBSD: 4.4BSD.dist,v 1.262 2014/08/22 19:19:25 deraadt Exp $ /set type=dir uname=root gname=wheel mode=0755 @@ -769,20 +769,6 @@ var mail .. - # ./var/named - named - etc uname=root gname=named mode=0750 - .. - master - .. - slave uname=root gname=named mode=0775 - .. - standard - .. - tmp uname=root gname=named mode=0775 - .. - .. - # ./var/nsd nsd db uname=root gname=_nsd mode=0775 diff --git a/etc/rc b/etc/rc index 5856719efde..2f23913c4a8 100644 --- a/etc/rc +++ b/etc/rc @@ -1,4 +1,4 @@ -# $OpenBSD: rc,v 1.439 2014/08/17 14:43:34 ajacoutot Exp $ +# $OpenBSD: rc,v 1.440 2014/08/22 19:19:25 deraadt Exp $ # System startup script run by init on autoboot # or after single-user. 
@@ -144,19 +144,6 @@ start_daemon() make_keys() { - if [ X"${named_flags}" != X"NO" ]; then - if ! cmp -s /etc/rndc.key /var/named/etc/rndc.key ; then - echo -n "rndc-confgen: generating shared secret... " - if rndc-confgen -a -t /var/named >/dev/null 2>&1; then - chmod 0640 /var/named/etc/rndc.key \ - >/dev/null 2>&1 - echo done. - else - echo failed. - fi - fi - fi - if [ ! -f /etc/isakmpd/private/local.key ]; then echo -n "openssl: generating isakmpd/iked RSA key... " if openssl genrsa -out /etc/isakmpd/private/local.key 2048 \ @@ -400,7 +387,7 @@ dmesg >/var/run/dmesg.boot make_keys echo -n 'starting early daemons:' -start_daemon syslogd ldattach pflogd named nsd unbound ntpd +start_daemon syslogd ldattach pflogd nsd unbound ntpd start_daemon iscsid isakmpd iked sasyncd ldapd npppd echo '.' diff --git a/etc/rc.conf b/etc/rc.conf index 8f844b66045..294196decff 100644 --- a/etc/rc.conf +++ b/etc/rc.conf @@ -1,4 +1,4 @@ -# $OpenBSD: rc.conf,v 1.195 2014/07/22 17:37:16 reyk Exp $ +# $OpenBSD: rc.conf,v 1.196 2014/08/22 19:19:25 deraadt Exp $ # DO NOT EDIT THIS FILE!! # @@ -23,7 +23,6 @@ rarpd_flags=NO # for normal use: "-a" bootparamd_flags=NO # for normal use: "" rbootd_flags=NO # for normal use: "" sshd_flags= # for normal use: "" -named_flags=NO # for normal use: "" nsd_flags=NO # for normal use: "-c /var/nsd/etc/nsd.conf" unbound_flags=NO # for normal use: "-c /var/unbound/etc/unbound.conf" ldattach_flags=NO # for normal use: "[options] linedisc cua-device" diff --git a/etc/rc.d/named b/etc/rc.d/named deleted file mode 100644 index c7b3cbf2e1d..00000000000 --- a/etc/rc.d/named +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh -# -# $OpenBSD: named,v 1.1 2011/07/06 18:55:36 robert Exp $ - -daemon="/usr/sbin/named" - -. /etc/rc.d/rc.subr - -pexp="named: \[priv\]" - -rc_cmd $1 diff --git a/etc/systrace/usr_sbin_named b/etc/systrace/usr_sbin_named deleted file mode 100644 index d7b4277c4d0..00000000000 --- a/etc/systrace/usr_sbin_named +++ /dev/null 
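Review bot: Removing `named_flags=NO` from etc/rc.conf means a `named_flags=""` carried over in an existing rc.conf.local is now silently ignored: with `named` gone from the `start_daemon` line in the etc/rc hunk and etc/rc.d/named deleted, nothing reads the variable any more and nothing tells the admin that their resolver will not start after the upgrade. A sentence in the upgrade notes, or a one-release comment in rc.conf such as `# named_flags removed: bind is no longer in base, use nsd/unbound or the port`, would surface the change before it is discovered at boot. The etc/rc hunk that deletes the rndc-confgen block from make_keys looks consistent with this; the function's body continues outside the hunk.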
@@ -1,94 +0,0 @@
-# $OpenBSD: usr_sbin_named,v 1.8 2014/07/20 04:29:07 deraadt Exp $
-#
-# Policy for named that uses named user and chroots to /var/named
-# This policy works for the default configuration of named.
-#
-Policy: /usr/sbin/named, Emulation: native
- native-__sysctl: permit
- native-accept: permit
- native-bind: sockaddr match "inet-*:0" then permit
- native-bind: sockaddr match "inet-*:53" then permit
- native-bind: sockaddr match "inet-*:953" then permit
- native-break: permit
- native-chdir: filename eq "/" then permit
- native-chroot: filename eq "/var/named" then permit
- native-close: permit
- native-closefrom: permit
- native-connect: sockaddr match "inet-*" then permit
- native-dup2: permit
- native-exit: permit
- native-fcntl: permit
- native-fork: permit
- native-fsread: filename sub "" then deny[enoent]
- native-fsread: filename eq "/etc/malloc.conf" then permit
- native-fsread: filename eq "/dev/arandom" then permit
- native-fsread: filename eq "/etc/group" then permit
- native-fsread: filename eq "/etc/named.conf" then permit
- native-fsread: filename eq "/etc/named.keys" then permit
- native-fsread: filename eq "/etc/pwd.db" then permit
- native-fsread: filename eq "/etc/rndc.key" then permit
- native-fsread: filename eq "/etc/root.hint" then permit
- native-fsread: filename eq "/etc/spwd.db" then deny[eperm]
- native-fsread: filename match "/master" then permit
- native-fsread: filename match "/slave" then permit
- native-fsread: filename match "/standard" then permit
- native-fsread: filename match "/usr/lib" then permit
- native-fsread: filename eq "/usr/libexec/ld.so" then permit
- native-fsread: filename match "/usr/share/nls" then permit
- native-fsread: filename match "/usr/share/zoneinfo" then permit
- native-fsread: filename eq "/var/run/ld.so.hints" then permit
- native-fsread: filename eq "/var/run/named.pid" then permit
- native-fstat: permit
- native-fswrite: filename sub "" then deny[enoent]
- native-fswrite: filename eq "/dev/null" then permit
- native-fswrite: filename match "/master/*" then permit
- native-fswrite: filename match "/slave/*" then permit
- native-fswrite: filename eq "/var/run/named.pid" then permit
- native-fswrite: filename match "/var/tmp/*" then permit
- native-fsync: permit
- native-getentropy: permit
- native-getpid: permit
- native-getppid: permit
- native-getrlimit: permit
- native-getsockname: permit
- native-getsockopt: permit
- native-gettimeofday: permit
- native-getuid: permit
- native-geteuid: permit
- native-issetugid: permit
- native-kill: permit
- native-listen: permit
- native-lseek: permit
- native-minherit: permit
- native-mmap: permit
- native-mprotect: permit
- native-mquery: permit
- native-munmap: permit
- native-nanosleep: permit
- native-pipe: permit
- native-pread: permit
- native-read: permit
- native-recvmsg: permit
- native-rename: filename match "/slave/*" and filename[1] match "/slave/*" then permit
- native-select: permit
- native-sendmsg: permit
- native-sendsyslog: permit
- native-sendto: true then permit
- native-setegid: gid eq "70" then permit
- native-seteuid: uid eq "70" and uname eq "named" then permit
- native-setgid: gid eq "70" then permit
- native-setgroups: permit
- native-setresgid: permit
- native-setresuid: permit
- native-setrlimit: permit
- native-setsid: permit
- native-setsockopt: permit
- native-setuid: uid eq "70" and uname eq "named" then permit
- native-sigaction: permit
- native-sigprocmask: permit
- native-sigreturn: permit
- native-socket: permit
- native-socketpair: permit
- native-utimes: permit
- native-wait4: permit
- native-write: permit
-- 
2.20.1