diff --git a/.cvsignore b/.cvsignore
index f66fc23..4ee1ba9 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,4 +1,4 @@
 bind-chroot.tar.bz2
 config-3.tar.bz2
 libbind-man.tar.gz
-bind-9.5.0b3.tar.gz
+bind-9.5.0rc1.tar.gz
diff --git a/bind-9.5-libcap.patch b/bind-9.5-libcap.patch
deleted file mode 100644
index a4cf386..0000000
--- a/bind-9.5-libcap.patch
+++ /dev/null
@@ -1,250 +0,0 @@ -diff -up bind-9.5.0b3/bin/named/unix/os.c.libcap bind-9.5.0b3/bin/named/unix/os.c ---- bind-9.5.0b3/bin/named/unix/os.c.libcap 2008-01-30 05:55:51.000000000 +0100 -+++ bind-9.5.0b3/bin/named/unix/os.c 2008-05-05 13:30:47.000000000 +0200 -@@ -69,7 +69,7 @@ static int devnullfd = -1; - /* - * Linux defines: - * (T) HAVE_LINUXTHREADS -- * (C) HAVE_LINUX_CAPABILITY_H -+ * (C) HAVE_SYS_CAPABILITY_H (or HAVE_LINUX_CAPABILITY_H) - * (P) HAVE_SYS_PRCTL_H - * The possible cases are: - * none: setuid() normally -@@ -116,16 +116,9 @@ static int dfd[2] = { -1, -1 }; - static isc_boolean_t non_root = ISC_FALSE; - static isc_boolean_t non_root_caps = ISC_FALSE; - --#if defined(HAVE_CAPSET) --#undef _POSIX_SOURCE - #ifdef HAVE_SYS_CAPABILITY_H - #include - #else --#include --int capset(cap_user_header_t hdrp, const cap_user_data_t datap); --#endif --#include --#else - /*% - * We define _LINUX_FS_H to prevent it from being included. We don't need - * anything from it, and the files it includes cause warnings with 2.2 -@@ -133,9 +126,15 @@ int capset(cap_user_header_t hdrp, const - * and ) on 2.3 kernels. - */ - #define _LINUX_FS_H -- --#include /* Required for syscall(). */ --#include /* Required for _LINUX_CAPABILITY_VERSION. */ -+#include -+#include -+#ifndef SYS_capset -+#ifndef __NR_capset -+#include /* Slackware 4.0 needs this. */ -+#endif /* __NR_capset */ -+#define SYS_capset __NR_capset -+#endif /* SYS_capset */ -+#endif /* HAVE_SYS_CAPABILITY_H */ - - #ifdef HAVE_SYS_PRCTL_H - #include /* Required for prctl(). */ -@@ -152,23 +151,24 @@ int capset(cap_user_header_t hdrp, const - - #endif /* HAVE_SYS_PRCTL_H */ - --#ifndef SYS_capset --#ifndef __NR_capset --#include /* Slackware 4.0 needs this. 
*/ --#endif --#define SYS_capset __NR_capset --#endif --#endif -+#ifdef HAVE_LIBCAP -+#define SETCAPS_FUNC "cap_set_proc " -+#else -+typedef unsigned int cap_t; -+#define SETCAPS_FUNC "syscall(capset) " -+#endif /* HAVE_LIBCAP */ - - static void --linux_setcaps(unsigned int caps) { -+linux_setcaps(cap_t caps) { -+#ifndef HAVE_LIBCAP - struct __user_cap_header_struct caphead; - struct __user_cap_data_struct cap; -+#endif - char strbuf[ISC_STRERRORSIZE]; - - if ((getuid() != 0 && !non_root_caps) || non_root) - return; -- -+#ifndef HAVE_LIBCAP - memset(&caphead, 0, sizeof(caphead)); - caphead.version = _LINUX_CAPABILITY_VERSION; - caphead.pid = 0; -@@ -176,46 +176,74 @@ linux_setcaps(unsigned int caps) { - cap.effective = caps; - cap.permitted = caps; - cap.inheritable = 0; --#ifdef HAVE_CAPSET -- if (capset(&caphead, &cap) < 0 ) { -- isc__strerror(errno, strbuf, sizeof(strbuf)); -- ns_main_earlyfatal("capset failed: %s:" -- " please ensure that the capset kernel" -- " module is loaded. see insmod(8)", -- strbuf); -- } -+#endif -+#ifdef HAVE_LIBCAP -+ if (cap_set_proc(caps) < 0) { - #else - if (syscall(SYS_capset, &caphead, &cap) < 0) { -+#endif - isc__strerror(errno, strbuf, sizeof(strbuf)); -- ns_main_earlyfatal("syscall(capset) failed: %s:" -+ ns_main_earlyfatal(SETCAPS_FUNC "failed: %s:" - " please ensure that the capset kernel" - " module is loaded. 
see insmod(8)", - strbuf); - } --#endif - } - -+#ifdef HAVE_LIBCAP -+#define SET_CAP(flag) \ -+ do { \ -+ capval = (flag); \ -+ err = cap_set_flag(caps, CAP_EFFECTIVE, 1, &capval, CAP_SET); \ -+ if (err == -1) { \ -+ isc__strerror(errno, strbuf, sizeof(strbuf)); \ -+ ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \ -+ } \ -+ \ -+ err = cap_set_flag(caps, CAP_PERMITTED, 1, &capval, CAP_SET); \ -+ if (err == -1) { \ -+ isc__strerror(errno, strbuf, sizeof(strbuf)); \ -+ ns_main_earlyfatal("cap_set_proc failed: %s", strbuf); \ -+ } \ -+ } while (0) -+#define INIT_CAP \ -+ do { \ -+ caps = cap_init(); \ -+ if (caps == NULL) { \ -+ isc__strerror(errno, strbuf, sizeof(strbuf)); \ -+ ns_main_earlyfatal("cap_init failed: %s", strbuf); \ -+ } \ -+ } while (0) -+#else -+#define SET_CAP(flag) { caps |= (1 << (flag)); } -+#define INIT_CAP { caps = 0; } -+#endif /* HAVE_LIBCAP */ -+ - static void - linux_initialprivs(void) { -- unsigned int caps; -+ cap_t caps; -+#ifdef HAVE_LIBCAP -+ cap_value_t capval; -+ char strbuf[ISC_STRERRORSIZE]; -+ int err; -+#endif - - /*% - * We don't need most privileges, so we drop them right away. - * Later on linux_minprivs() will be called, which will drop our - * capabilities to the minimum needed to run the server. - */ -- -- caps = 0; -+ INIT_CAP; - - /* - * We need to be able to bind() to privileged ports, notably port 53! - */ -- caps |= (1 << CAP_NET_BIND_SERVICE); -+ SET_CAP(CAP_NET_BIND_SERVICE); - - /* - * We need chroot() initially too. - */ -- caps |= (1 << CAP_SYS_CHROOT); -+ SET_CAP(CAP_SYS_CHROOT); - - #if defined(HAVE_SYS_PRCTL_H) || !defined(HAVE_LINUXTHREADS) - /* -@@ -224,19 +252,19 @@ linux_initialprivs(void) { - * tried) or we're not using threads. If either of these is - * true, we want the setuid capability. - */ -- caps |= (1 << CAP_SETUID); -+ SET_CAP(CAP_SETUID); - #endif - - /* - * Since we call initgroups, we need this. 
- */ -- caps |= (1 << CAP_SETGID); -+ SET_CAP(CAP_SETGID); - - /* - * Without this, we run into problems reading a configuration file - * owned by a non-root user and non-world-readable on startup. - */ -- caps |= (1 << CAP_DAC_READ_SEARCH); -+ SET_CAP(CAP_DAC_READ_SEARCH); - - /* - * XXX We might want to add CAP_SYS_RESOURCE, though it's not -@@ -245,15 +273,21 @@ linux_initialprivs(void) { - * of files, the stack size, data size, and core dump size to - * support named.conf options, this is now being added to test. - */ -- caps |= (1 << CAP_SYS_RESOURCE); -+ SET_CAP(CAP_SYS_RESOURCE); - - linux_setcaps(caps); - } - - static void - linux_minprivs(void) { -- unsigned int caps; -+ cap_t caps; -+#ifdef HAVE_LIBCAP -+ cap_value_t capval; -+ char strbuf[ISC_STRERRORSIZE]; -+ int err; -+#endif - -+ INIT_CAP; - /*% - * Drop all privileges except the ability to bind() to privileged - * ports. -@@ -262,8 +296,7 @@ linux_minprivs(void) { - * chroot() could be used to escape from the chrooted area. - */ - -- caps = 0; -- caps |= (1 << CAP_NET_BIND_SERVICE); -+ SET_CAP(CAP_NET_BIND_SERVICE); - - /* - * XXX We might want to add CAP_SYS_RESOURCE, though it's not -@@ -272,7 +305,7 @@ linux_minprivs(void) { - * of files, the stack size, data size, and core dump size to - * support named.conf options, this is now being added to test. - */ -- caps |= (1 << CAP_SYS_RESOURCE); -+ SET_CAP(CAP_SYS_RESOURCE); - - linux_setcaps(caps); - } -diff -up bind-9.5.0b3/configure.in.libcap bind-9.5.0b3/configure.in ---- bind-9.5.0b3/configure.in.libcap 2008-01-30 05:55:51.000000000 +0100 -+++ bind-9.5.0b3/configure.in 2008-05-05 13:28:34.000000000 +0200 -@@ -1876,7 +1876,7 @@ AC_ARG_ENABLE(linux-caps, - case "$enable_linux_caps" in - yes|'') - AC_CHECK_HEADERS(linux/capability.h sys/capability.h) -- AC_CHECK_FUNCS(capset) -+ AC_CHECK_LIB(cap, cap_set_proc) - ;; - no) - ;; diff --git a/bind.spec b/bind.spec index e5036be..127c165 100644 --- a/bind.spec +++ b/bind.spec 
@@ -1,94 +1,93 @@ # -# Red Hat BIND package .spec file +# Red Hat BIND package .spec file # -%define RELEASEVER b3 - -%{?!SDB: %define SDB 1} -%{?!LIBBIND: %define LIBBIND 1} -%{?!test: %define test 0} -%{?!WITH_DBUS: %define WITH_DBUS 0} # + dynamic forwarder table management with D-BUS -%{?!bind_uid: %define bind_uid 25} -%{?!bind_gid: %define bind_gid 25} -%{?!GSSTSIG: %define GSSTSIG 1} -%define bind_dir /var/named -%define chroot_prefix %{bind_dir}/chroot +%define RELEASEVER rc1 + +%{?!SDB: %define SDB 1} +%{?!LIBBIND: %define LIBBIND 1} +%{?!test: %define test 0} +%{?!WITH_DBUS: %define WITH_DBUS 0} # + dynamic forwarder table management with D-BUS +%{?!bind_uid: %define bind_uid 25} +%{?!bind_gid: %define bind_gid 25} +%{?!GSSTSIG: %define GSSTSIG 1} +%define bind_dir /var/named +%define chroot_prefix %{bind_dir}/chroot # -Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server -Name: bind -License: ISC -Version: 9.5.0 -Release: 32.%{RELEASEVER}%{dist} -Epoch: 32 -Url: http://www.isc.org/products/BIND/ -Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Group: System Environment/Daemons +Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server +Name: bind +License: ISC +Version: 9.5.0 +Release: 33.%{RELEASEVER}%{dist} +Epoch: 32 +Url: http://www.isc.org/products/BIND/ +Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +Group: System Environment/Daemons # -Source: ftp://ftp.isc.org/isc/bind9/%{version}%{RELEASEVER}/bind-%{version}%{RELEASEVER}.tar.gz -Source1: named.sysconfig -Source2: named.init -Source3: named.logrotate -Source4: keygen.c -Source5: rfc1912.txt -Source6: bind-chroot.tar.bz2 -Source7: bind-9.3.1rc1-sdb_tools-Makefile.in -Source8: dnszone.schema -Source9: libbind-man.tar.gz -Source10: named-dbus.conf -Source11: named.service -Source12: README.sdb_pgsql -Source13: namedSetForwarders -Source14: namedGetForwarders -Source21: 
Copyright.caching-nameserver -Source22: bind-chroot-admin.in -Source24: libbind.pc -Source25: named.conf.sample -Source28: config-3.tar.bz2 -Source30: ldap2zone.c +Source: ftp://ftp.isc.org/isc/bind9/%{version}%{RELEASEVER}/bind-%{version}%{RELEASEVER}.tar.gz +Source1: named.sysconfig +Source2: named.init +Source3: named.logrotate +Source4: keygen.c +Source5: rfc1912.txt +Source6: bind-chroot.tar.bz2 +Source7: bind-9.3.1rc1-sdb_tools-Makefile.in +Source8: dnszone.schema +Source9: libbind-man.tar.gz +Source10: named-dbus.conf +Source11: named.service +Source12: README.sdb_pgsql +Source13: namedSetForwarders +Source14: namedGetForwarders +Source21: Copyright.caching-nameserver +Source22: bind-chroot-admin.in +Source24: libbind.pc +Source25: named.conf.sample +Source28: config-3.tar.bz2 +Source30: ldap2zone.c # Common patches -Patch0: bind-9.2.0rc3-varrun.patch -Patch1: bind-9.3.3rc2-rndckey.patch -Patch5: bind-nonexec.patch -Patch10: bind-9.5-PIE.patch -Patch13: bind-9.3.1rc1-fix_libbind_includedir.patch -Patch16: bind-9.3.2-redhat_doc.patch -Patch63: bind-9.4.0-dnssec-directory.patch -Patch71: bind-9.5-overflow.patch -Patch72: bind-9.5-dlz-64bit.patch -Patch87: bind-9.5-parallel-build.patch -Patch88: bind-9.5-libcap.patch -Patch89: bind-9.5-recv-race.patch -Patch90: bind-9.5-edns.patch +Patch0: bind-9.2.0rc3-varrun.patch +Patch1: bind-9.3.3rc2-rndckey.patch +Patch5: bind-nonexec.patch +Patch10: bind-9.5-PIE.patch +Patch13: bind-9.3.1rc1-fix_libbind_includedir.patch +Patch16: bind-9.3.2-redhat_doc.patch +Patch63: bind-9.4.0-dnssec-directory.patch +Patch71: bind-9.5-overflow.patch +Patch72: bind-9.5-dlz-64bit.patch +Patch87: bind-9.5-parallel-build.patch +Patch89: bind-9.5-recv-race.patch +Patch90: bind-9.5-edns.patch # SDB patches -Patch11: bind-9.3.2b2-sdbsrc.patch -Patch12: bind-9.5-sdb.patch -Patch62: bind-9.5-sdb-sqlite-bld.patch -Patch68: bind-9.4.1-ldap-api.patch +Patch11: bind-9.3.2b2-sdbsrc.patch +Patch12: bind-9.5-sdb.patch +Patch62: 
bind-9.5-sdb-sqlite-bld.patch +Patch68: bind-9.4.1-ldap-api.patch # needs inpection -Patch17: bind-9.3.2b1-fix_sdb_ldap.patch +Patch17: bind-9.3.2b1-fix_sdb_ldap.patch # D-BUS patches -Patch15: bind-9.5.0-dbus.patch -Patch23: bind-9.5-dbus_archdep_libdir.patch -Patch81: bind-9.5-dbus-leak.patch -Patch82: bind-9.5-dbus-va_end.patch +Patch15: bind-9.5.0-dbus.patch +Patch23: bind-9.5-dbus_archdep_libdir.patch +Patch81: bind-9.5-dbus-leak.patch +Patch82: bind-9.5-dbus-va_end.patch # IDN paches -Patch73: bind-9.5-libidn.patch -Patch83: bind-9.5-libidn2.patch -Patch85: bind-9.5-libidn3.patch +Patch73: bind-9.5-libidn.patch +Patch83: bind-9.5-libidn2.patch +Patch85: bind-9.5-libidn3.patch # -Requires: mktemp +Requires: mktemp Requires(post): grep, chkconfig >= 1.3.26 -Requires(pre): shadow-utils +Requires(pre): shadow-utils Requires(preun):chkconfig >= 1.3.26 -Obsoletes: bind-config, caching-nameserver -Provides: bind-config, caching-nameserver -BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel +Obsoletes: bind-config < 30:9.3.2-34.fc6, caching-nameserver < 31:9.4.1-7.fc8 +Provides: bind-config = 30:9.3.2-34.fc6, caching-nameserver = 31:9.4.1-7.fc8 +BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel BuildRequires: libidn-devel %if %{SDB} BuildRequires: openldap-devel, postgresql-devel, sqlite-devel, mysql-devel @@ -98,10 +97,10 @@ BuildRequires: db4-devel unixODBC-devel BuildRequires: dbus-devel %endif %if %{test} -BuildRequires: net-tools, perl +BuildRequires: net-tools %endif %if %{GSSTSIG} -BuildRequires: krb5-devel +BuildRequires: krb5-devel %endif %description 
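Review bot: Nothing in the spec verifies the new rc1 tarball: the `Source:` line is a plain `ftp://` URL, and the only integrity record in this commit is the MD5 line in `sources`. MD5 has practical collision attacks and an FTP fetch can be altered in transit, so that hash guards against accidental corruption rather than deliberate substitution. If upstream publishes a detached signature for the release, carrying it as an additional `Source` entry and checking it in `%prep` before the tarball is unpacked would close that gap.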
@@ -127,18 +126,19 @@ or in the filesystem (dirdb), in addition to the standard in-memory RBT (Dynamic Loadable Zones) %endif -%package libs +%package libs Summary: Libraries used by the BIND DNS packages Group: Applications/System -Obsoletes: bind-libbind-devel +Obsoletes:bind-libbind-devel < 31:9.3.3-4.fc7 +Provides: bind-libbind-devel = 31:9.3.3-4.fc7 %description libs -Contains libraries used by both the bind server package as well as the utils packages. +Contains libraries used by both the bind server package as well as the utils +packages. - -%package utils -Summary: Utilities for querying DNS name servers -Group: Applications/System +%package utils +Summary: Utilities for querying DNS name servers +Group: Applications/System %description utils Bind-utils contains a collection of utilities for querying DNS (Domain @@ -150,23 +150,23 @@ network addresses. You should install bind-utils if you need to get information from DNS name servers. - -%package devel -Summary: Header files and libraries needed for BIND DNS development -Group: Development/Libraries -Obsoletes: bind-libbind-devel +%package devel +Summary: Header files and libraries needed for BIND DNS development +Group: Development/Libraries +Obsoletes:bind-libbind-devel < 31:9.3.3-4.fc7 +Provides: bind-libbind-devel = 31:9.3.3-4.fc7 %description devel The bind-devel package contains all the header files and libraries required for development with ISC BIND 9 and BIND 8 -%package chroot -Summary: A chroot runtime environment for the ISC BIND DNS server, named(8) -Group: System Environment/Daemons -Prefix: %{chroot_prefix} -Requires(post): grep -Requires(preun): grep +%package chroot +Summary: A chroot runtime environment for the ISC BIND DNS server, named(8) +Group: System Environment/Daemons +Prefix: %{chroot_prefix} +Requires(post): grep +Requires(preun):grep %description chroot This package contains a tree of files which can be used as a 
@@ -182,7 +182,6 @@ Based on the code from Jan "Yenya" Kasprzak
 %patch5 -p1 -b .nonexec
 %patch10 -p1 -b .PIE
 %patch16 -p1 -b .redhat_doc
-%patch88 -p1 -b .libcap
 %if %{SDB}
 mkdir bin/named-sdb
 cp -r bin/named/* bin/named-sdb
@@ -259,41 +258,64 @@ export DBUS_ARCHDEP_LIBDIR=lib64 %endif %endif if pkg-config openssl ; then - export CFLAGS="$CFLAGS `pkg-config --cflags openssl`" - export CPPFLAGS="$CPPFLAGS `pkg-config --cflags-only-I openssl`" - export LDFLAGS="$LDFLAGS `pkg-config --libs-only-L openssl`" + export CFLAGS="$CFLAGS `pkg-config --cflags openssl`" + export CPPFLAGS="$CPPFLAGS `pkg-config --cflags-only-I openssl`" + export LDFLAGS="$LDFLAGS `pkg-config --libs-only-L openssl`" fi %configure \ - --with-libtool \ - --localstatedir=/var \ - --enable-threads \ - --enable-ipv6 \ - --with-pic \ - --disable-openssl-version-check \ + --with-libtool \ + --localstatedir=/var \ + --enable-threads \ + --enable-ipv6 \ + --with-pic \ + --disable-openssl-version-check \ %if %{LIBBIND} - --enable-libbind \ + --enable-libbind \ %endif %if %{SDB} - --with-dlz-ldap=yes \ - --with-dlz-postgres=yes \ - --with-dlz-mysql=yes \ - --with-dlz-filesystem=yes \ - --with-dlz-odbc=yes \ - --with-dlz-bdb=yes \ + --with-dlz-ldap=yes \ + --with-dlz-postgres=yes \ + --with-dlz-mysql=yes \ + --with-dlz-filesystem=yes \ + --with-dlz-odbc=yes \ + --with-dlz-bdb=yes \ %endif %if %{GSSTSIG} - --with-gssapi=yes \ - --disable-isc-spnego \ + --with-gssapi=yes \ + --disable-isc-spnego \ %endif ; if [ -s openssl_config.h ]; then cat openssl_config.h >> config.h ; fi; make %{?_smp_mflags} +%if %{test} +%check +if [ "`whoami`" = 'root' ]; then + set -e + chmod -R a+rwX . + pushd bin/tests + pushd system + ./ifconfig.sh up + popd + make test + e=$? + pushd system + ./ifconfig.sh down + popd + popd + if [ "$e" -ne 0 ]; then + echo "ERROR: this build of BIND failed 'make test'. Aborting." + exit $e; + fi; +else + echo 'only root can run the tests (they require an ifconfig).' 
+%endif + %install rm -rf ${RPM_BUILD_ROOT} cp --preserve=timestamps %{SOURCE5} doc/rfc -gzip -9 doc/rfc/* +gzip -9 doc/rfc/* mkdir -p ${RPM_BUILD_ROOT}/etc/{rc.d/init.d,logrotate.d} mkdir -p ${RPM_BUILD_ROOT}/usr/{bin,lib,sbin,include} mkdir -p ${RPM_BUILD_ROOT}/var/named @@ -343,28 +365,6 @@ cp -fp %{SOURCE11} ${RPM_BUILD_ROOT}%{_datadir}/dbus-1/services/named.service cp -fp %{SOURCE13} ${RPM_BUILD_ROOT}%{_sbindir}/namedSetForwarders cp -fp %{SOURCE14} ${RPM_BUILD_ROOT}%{_sbindir}/namedGetForwarders %endif -%if %{test} -if [ "`whoami`" = 'root' ]; then - set -e - chmod -R a+rwX . - pushd bin/tests - pushd system - ./ifconfig.sh up - popd - make test - e=$? - pushd system - ./ifconfig.sh down - popd - popd - if [ "$e" -ne 0 ]; then - echo "ERROR: this build of BIND failed 'make test'. Aborting." - exit $e; - fi; -else - echo 'test==1 : only root can run the tests (they require an ifconfig).'; -fi -%endif # Files required to run test-suite outside of build tree: cp -fp config.h ${RPM_BUILD_ROOT}/%{_includedir}/bind9 cp -fp lib/dns/include/dns/forward.h ${RPM_BUILD_ROOT}/%{_includedir}/dns @@ -380,7 +380,7 @@ touch ${RPM_BUILD_ROOT}%{_localstatedir}/log/named.log # configuration files: tar -C ${RPM_BUILD_ROOT} -xf %{SOURCE28} for f in /etc/named.conf /var/named/{named.ca,named.localhost,named.loopback,named.empty}; do - touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/$f; + touch ${RPM_BUILD_ROOT}/%{chroot_prefix}/$f; done install -m 644 %{SOURCE5} ./rfc1912.txt install -m 644 %{SOURCE21} ./Copyright 
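Review bot: The new `%check` scriptlet is never closed: the added lines end with `else`, the `echo 'only root can run the tests ...'` line and `%endif`, and the `fi` that followed the echo in the old `%install` copy is gone, so a build with `test` set to 1 should stop on a shell syntax error; add `fi` before `%endif`. Because `set -e` is active, a failing `make test` exits the script before `e=$?` and `./ifconfig.sh down` run, which leaves the test interfaces configured on the build host; `e=0` followed by `make test || e=$?` keeps the teardown reachable. `chmod -R a+rwX .` run as root also leaves the whole build tree world-writable for the duration of the tests, which is worth narrowing to the directories the test suite actually writes to.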
@@ -407,8 +407,8 @@ chmod 0755 ${RPM_BUILD_ROOT}%{_libdir}/lib*so.* %pre if [ "$1" -eq 1 ]; then - /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :; - /usr/sbin/useradd -u %{bind_uid} -r -n -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :; + /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :; + /usr/sbin/useradd -u %{bind_uid} -r -n -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :; fi; :; 
@@ -416,36 +416,36 @@ fi; /sbin/ldconfig /sbin/chkconfig --add named if [ "$1" -eq 1 ]; then - # no more named.boot autoconversion! No-one should be using BIND-4 anymore. - if [ ! -e /etc/rndc.key ]; then - # create the rndc.key file: - echo 'key "rndckey" { - algorithm hmac-md5; - secret "'`/usr/sbin/dns-keygen`'"; -};' > /etc/rndc.key; - elif /bin/egrep -q '@KEY@' /etc/rndc.key; then - # fix potential problem with older versions - /bin/sed -i -e 's^@KEY@^'`/usr/sbin/dns-keygen`'^' /etc/rndc.key ; - fi - [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ; - # rndc.key has to have correct perms and ownership, CVE-2007-6283 - [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key - [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key - [ -x /usr/sbin/bind-chroot-admin ] && /usr/sbin/bind-chroot-admin --sync; + # no more named.boot autoconversion! No-one should be using BIND-4 anymore. + if [ ! -e /etc/rndc.key ]; then + # create the rndc.key file: + echo 'key "rndckey" { + algorithm hmac-md5; + secret "'`/usr/sbin/dns-keygen`'"; +};' > /etc/rndc.key; + elif /bin/egrep -q '@KEY@' /etc/rndc.key; then + # fix potential problem with older versions + /bin/sed -i -e 's^@KEY@^'`/usr/sbin/dns-keygen`'^' /etc/rndc.key ; + fi + [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ; + # rndc.key has to have correct perms and ownership, CVE-2007-6283 + [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key + [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key + [ -x /usr/sbin/bind-chroot-admin ] && /usr/sbin/bind-chroot-admin --sync; fi :; %preun if [ "$1" -eq 0 ]; then - /sbin/service named stop >/dev/null 2>&1 || :; - /sbin/chkconfig --del named || :; + /sbin/service named stop >/dev/null 2>&1 || :; + /sbin/chkconfig --del named || :; fi; :; %postun /sbin/ldconfig if [ "$1" -ge 1 ]; then - /sbin/service named try-restart >/dev/null 2>&1 || :; + /sbin/service named try-restart >/dev/null 2>&1 || :; fi; :; 
@@ -459,33 +459,30 @@ fi; %triggerpostun -n bind -- bind <= 32:9.5.0-20.b1 if [ "$1" -gt 0 ]; then - [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key - [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key + [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key + [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key fi :; - %post libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig - %post chroot if [ "$1" -gt 0 ]; then - /usr/sbin/bind-chroot-admin --enable > /dev/null 2>&1; + /usr/sbin/bind-chroot-admin --enable > /dev/null 2>&1; fi; :; %posttrans chroot -if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled && \ - [ -x /sbin/restorecon ]; then - /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1; +if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then + [ -x /usr/sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1; fi; :; %preun chroot if [ "$1" -eq 0 ]; then - /usr/sbin/bind-chroot-admin --disable > /dev/null 2>&1; + /usr/sbin/bind-chroot-admin --disable > /dev/null 2>&1; fi :; @@ -494,6 +491,7 @@ rm -rf ${RPM_BUILD_ROOT} :; %files +# Hide configuration %defattr(0640,root,named,0750) %dir %{_localstatedir}/named %config(noreplace) %verify(not link) %{_sysconfdir}/named.conf @@ -502,17 +500,12 @@ rm -rf ${RPM_BUILD_ROOT} %config %verify(not link) %{_localstatedir}/named/named.localhost %config %verify(not link) %{_localstatedir}/named/named.loopback %config %verify(not link) %{_localstatedir}/named/named.empty -%defattr(0644,root,root,0755) -%doc Copyright -%doc rfc1912.txt %defattr(0660,named,named,0770) %dir %{_localstatedir}/named/slaves %dir %{_localstatedir}/named/data %dir %{_localstatedir}/named/dynamic %dir %{_localstatedir}/run/named %ghost %{_localstatedir}/log/named.log -%defattr(0754,root,root,0750) -%config %{_sysconfdir}/rc.d/init.d/named %defattr(0640,root,named,0750) %config(noreplace) %{_sysconfdir}/sysconfig/named %ghost %config(noreplace) %{_sysconfdir}/rndc.key 
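Review bot: In `%posttrans chroot` the guard and the command disagree: the new line tests `[ -x /usr/sbin/restorecon ]` but then runs `/sbin/restorecon`, whereas the `%post` scriptlet in this spec tests `/sbin/restorecon`. If the binary exists only at `/sbin/restorecon`, the test fails and the relabel of `%{chroot_prefix}/dev/*` is skipped with no message, leaving the chroot device nodes with whatever SELinux context they were created with. Test the path that is executed: `[ -x /sbin/restorecon ] && /sbin/restorecon %{chroot_prefix}/dev/* > /dev/null 2>&1;`.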
@@ -524,17 +517,16 @@ rm -rf ${RPM_BUILD_ROOT} # ^- The default rndc.conf which uses rndc.key is in named's default internal config - # so rndc.conf is not necessary. %config(noreplace) %{_sysconfdir}/logrotate.d/named -%defattr(-,root,root) +%defattr(-,root,root,-) +%{_sysconfdir}/rc.d/init.d/named %{_sbindir}/dnssec* %{_sbindir}/named-check* %{_sbindir}/dns-keygen -%defattr(0750,root,root,0755) %{_sbindir}/lwresd %{_sbindir}/named %{_sbindir}/named-bootconf %{_sbindir}/rndc* %{_sbindir}/named-compilezone -%defattr(0644,root,root,0755) %{_mandir}/man5/named.conf.5* %{_mandir}/man5/rndc.conf.5* %{_mandir}/man8/rndc.8* 
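Review bot: The modes of the server binaries are no longer pinned: with `%defattr(0750,root,root,0755)` removed and `%defattr(-,root,root,-)` in force, `lwresd`, `named`, `named-bootconf`, `rndc*` and `named-compilezone` are packaged with whatever mode `%install` left in the build root. The changelog says the relaxation is deliberate (#427826), but nothing next to the file list records the intended result, and the init script also changes from a `%config` entry under mode 0754 to a plain entry. A comment above the list such as `# modes come from %install; binaries are world-readable on purpose (#427826)` would document it, and the built package's file list should be checked for unexpected setuid or group/world-writable bits. The same pattern applies to the `sdb`, `utils`, `devel` and `chroot` file lists and to the dropped `%attr(750,root,root)` on `namedGetForwarders`/`namedSetForwarders` in the hunks that follow.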
@@ -548,49 +540,47 @@ rm -rf ${RPM_BUILD_ROOT} %doc CHANGES COPYRIGHT README %doc doc/arm doc/misc %doc sample/ +%doc Copyright +%doc rfc1912.txt %if %{WITH_DBUS} %doc contrib/dbus/README.DBUS -%attr(644,root,root) %config %{_sysconfdir}/dbus-1/system.d/named.conf -%attr(644,root,root) %config %{_datadir}/dbus-1/services/named.service -%attr(750,root,root) %{_sbindir}/namedGetForwarders -%attr(750,root,root) %{_sbindir}/namedSetForwarders +%config %{_sysconfdir}/dbus-1/system.d/named.conf +%config %{_datadir}/dbus-1/services/named.service +%{_sbindir}/namedGetForwarders +%{_sbindir}/namedSetForwarders %endif %if %{SDB} %files sdb -%defattr(0644,root,root,0755) +%defattr(-,root,root,-) %{_mandir}/man1/zone2ldap.1* %doc contrib/sdb/ldap/README.ldap contrib/sdb/ldap/INSTALL.ldap contrib/sdb/pgsql/README.sdb_pgsql %dir %{_sysconfdir}/openldap/schema %config(noreplace) %{_sysconfdir}/openldap/schema/dnszone.schema -%defattr(0750,root,root,0755) %{_sbindir}/named-sdb %{_sbindir}/zone2ldap %{_sbindir}/ldap2zone %{_sbindir}/zonetodb %{_sbindir}/zone2sqlite - %endif - %files libs -%defattr(-,root,root,0755) +%defattr(-,root,root,-) %{_libdir}/*so.* %files utils -%defattr(0755,root,root,0755) +%defattr(-,root,root,-) %{_bindir}/dig %{_bindir}/host %{_bindir}/nslookup %{_bindir}/nsupdate -%defattr(0644,root,root,0755) %{_mandir}/man1/host.1* %{_mandir}/man8/nsupdate.8* %{_mandir}/man1/dig.1* %{_mandir}/man1/nslookup.1* %files devel -%defattr(-,root,root,0755) +%defattr(-,root,root,-) %{_libdir}/libbind9.a %{_libdir}/libdns.a %{_libdir}/libisc.a 
@@ -643,10 +633,16 @@ rm -rf ${RPM_BUILD_ROOT} %ghost %{chroot_prefix}/dev/null %ghost %{chroot_prefix}/dev/random %ghost %{chroot_prefix}/dev/zero -%defattr(0750,root,root,0755) +%defattr(-,root,root,-) %{_sbindir}/bind-chroot-admin %changelog +* Wed May 14 2008 Adam Tkac 32:9.5.0-33.rc1 +- updated to 9.5.0rc1 +- merged patches + - bind-9.5-libcap.patch +- make binaries readable by others (#427826) + * Tue May 13 2008 Adam Tkac 32:9.5.0-32.b3 - reverted "any" patch, upstream says not needed - log EDNS failure only when we really switch to plain EDNS (#275091) @@ -998,7 +994,7 @@ rm -rf ${RPM_BUILD_ROOT} - prever macro has been removed from version * Mon Jan 29 2007 Adam Tkac 31:9.3.4-2.fc7 -- redirected output from bind-chroot prep and preun stages to /dev/null +- redirected output from bind-chroot prep and %%preun stages to /dev/null * Wed Jan 25 2007 Adam Tkac 31:9.3.4-1.fc7 - updated to version 9.3.4 which contains security bugfixes @@ -1037,7 +1033,7 @@ rm -rf ${RPM_BUILD_ROOT} - fix for #211282: EDNS is globally enabled, crashing CheckPoint FW-1, added edns-enable options to named configuration file which can suppress EDNS in queries to DNS servers (see /usr/share/doc/bind-9.3.3/misc/options) -- fix for #212961: bind-chroot doesn't clean up its mess on %preun +- fix for #212961: bind-chroot doesn't clean up its mess on %%preun - update to 9.3.3rc3, removed already merged patches * Fri Oct 13 2006 Martin Stransky - 30:9.3.3-5 @@ -1055,7 +1051,7 @@ rm -rf ${RPM_BUILD_ROOT} shell variable. * Mon Oct 2 2006 Martin Stransky - 30:9.3.3-2 -- removed chcon from post script, replaced by restorecon +- removed chcon from %%post script, replaced by restorecon (Bug 202547, comment no. 37) * Fri Sep 15 2006 Martin Stransky - 30:9.3.3-1 
@@ -1085,7 +1081,7 @@ rm -rf ${RPM_BUILD_ROOT} - fix bug 197493: renaming subpackage bind-config to caching-nameserver * Mon Jul 24 2006 Jason Vas Dias - 30:9.3.2-34 -- fix bug 199876: make '%exclude libbbind.*' conditional on %{LIBBIND} +- fix bug 199876: make '%%exclude libbbind.*' conditional on %{LIBBIND} * Mon Jul 24 2006 Florian La Roche - 30:9.3.2-33 - fix #195881, perms are not packaged correctly @@ -1170,7 +1166,7 @@ rm -rf ${RPM_BUILD_ROOT} * Wed Mar 29 2006 Jason Vas Dias - 30:9.3.2-14 - fix bug 186577: remove -L/usr/lib from libbind.pc and more .spec file cleanup -- add '%doc' sample configuration files in /usr/share/doc/bind*/sample +- add '%%doc' sample configuration files in /usr/share/doc/bind*/sample - rebuild with new gcc and glibc * Wed Mar 22 2006 Jason Vas Dias - 30:9.3.2-12 @@ -1262,7 +1258,7 @@ rm -rf ${RPM_BUILD_ROOT} - When forwarder nameservers are changed with D-BUS, flush the cache. * Mon Sep 26 2005 Jason Vas Dias - 24:9.3.1-12 -- fix bug 168302: use %{__cc} for compiling dns-keygen +- fix bug 168302: use %%{__cc} for compiling dns-keygen - fix bug 167682: bind-chroot directory permissions - fix issues with -D dbus option when dbus service not running or disabled @@ -1287,8 +1283,8 @@ rm -rf ${RPM_BUILD_ROOT} * Tue Jul 12 2005 Jason Vas Dias - 24:9.3.1-7 - fix bug 160914: resolver utilities should try next server on empty referral (now that glibc bug 162625 is fixed) - host and nslookup now by default try next server on SERVFAIL - (host now has '-s' option to disable, and nslookup given + host and nslookup now by default try next server on SERVFAIL + (host now has '-s' option to disable, and nslookup given '[no]fail' option similar to dig's [no]fail option). - rebuild and re-test with new glibc & gcc (all tests passed). 
@@ -1357,10 +1353,10 @@ rm -rf ${RPM_BUILD_ROOT} - AAAA addresses are queried * Mon Oct 18 2004 Jason Vas Dias - 20:9.2.4-2 -- Fix bug 136243: bind-chroot %post must run restorecon -R %{prefix} +- Fix bug 136243: bind-chroot %%post must run restorecon -R %{prefix} - Fix bug 135175: named.init must return non-zero if named is not run -- Fix bug 134060: bind-chroot %post must use mktemp, not /tmp/named -- Fix bug 133423: bind-chroot %files entries should have been %dirs +- Fix bug 134060: bind-chroot %%post must use mktemp, not /tmp/named +- Fix bug 133423: bind-chroot %%files entries should have been %dirs * Thu Sep 23 2004 Jason Vas Dias - 20:9.2.4-1 - BIND 9.2.4 (final release) released - source code actually @@ -1384,13 +1380,13 @@ rm -rf ${RPM_BUILD_ROOT} * Wed Sep 8 2004 Jason Vas Dias - 10:9.2.4rc7-11_EL3 - Fix bug 131803: replace ROOTDIR line removed by broken -- bind-chroot 9.2.2-21's '%postun'; added %triggerpostun for bind-chroot +- bind-chroot 9.2.2-21's '%%postun'; added %%triggerpostun for bind-chroot * Tue Sep 7 2004 Jason Vas Dias - 10:9.2.4rc7-10_EL3 - Fix bugs 130121 & 130981 for RHEL-3 * Mon Aug 30 2004 Jason Vas Dias - 10:9.2.4rc7-10 -- Fix bug 130121: add '%ghost' entries for files included in previous +- Fix bug 130121: add '%%ghost' entries for files included in previous - bind-chroot & not in current - ie. named.conf, rndc.key, dev/* - - that RPM removed after upgrade . @@ -1718,7 +1714,7 @@ versions). * Mon Sep 3 2001 Bernhard Rosenkraenzer 9.1.3-4 - Make sure /etc/rndc.conf isn't world-readable even after the - %post script inserted a random key (#53009) + %%post script inserted a random key (#53009) * Thu Jul 19 2001 Bernhard Rosenkraenzer 9.1.3-3 - Add build dependencies (#49368) @@ -1857,7 +1853,7 @@ versions). * Tue Dec 19 2000 Bernhard Rosenkraenzer - Fix reverse lookups (#22272) -- Run ldconfig in %post utils +- Run ldconfig in %%post utils * Tue Dec 12 2000 Karsten Hopp - fixed logrotate script (wrong path to kill) 
@@ -1939,7 +1935,7 @@ versions). - Fix TTL (patch from ISC, Bug #9820) * Wed Feb 16 2000 Bernhard Rosenkranzer -- fix typo in spec (it's %post, without a leading blank) introduced in -6 +- fix typo in spec (it's %%post, without a leading blank) introduced in -6 - change SYSTYPE to linux * Sat Feb 11 2000 Bill Nottingham @@ -1978,7 +1974,7 @@ versions). problems when named has changed during a package update... (# 4890) * Fri Sep 10 1999 Bill Nottingham -- chkconfig --del in %preun, not %postun +- chkconfig --del in %%preun, not %%postun * Mon Aug 16 1999 Bill Nottingham - initscript munging @@ -1990,7 +1986,7 @@ versions). - conflict with new (in man-1.24) man pages (#3876,#3877). * Tue Jun 29 1999 Bill Nottingham -- fix named.logrotate (wrong %SOURCE) +- fix named.logrotate (wrong %%SOURCE) * Fri Jun 25 1999 Jeff Johnson - update to 8.2.1. @@ -2045,8 +2041,8 @@ versions). - don't start if /etc/named.conf doesn't exist. * Sat Aug 8 1998 Jeff Johnson -- autmagically create /etc/named.conf from /etc/named.boot in %post -- remove echo in %post +- autmagically create /etc/named.conf from /etc/named.boot in %%post +- remove echo in %%post * Wed Jun 10 1998 Jeff Johnson - merge in 5.1 mods diff --git a/sources b/sources index 7f032c8..9682981 100644 --- a/sources +++ b/sources @@ -1,4 +1,4 @@ 4faa4395b955e5f8a3d50f308b9fabc8 bind-chroot.tar.bz2 d4bc7234a0d7b93328335ed9c076c6e9 config-3.tar.bz2 13fef79f99fcefebb51d84b08805de51 libbind-man.tar.gz -9dbacfd7a957efd36e30736d579ed519 bind-9.5.0b3.tar.gz +bf50ba674a8e2f9a762d423eba7dc01a bind-9.5.0rc1.tar.gz