bind920: Add a package for BIND 9.20.x.
Module Name: pkgsrc-wip
Committed By: Havard Eidnes <he%NetBSD.org@localhost>
Pushed By: he
Date: Sat Aug 24 17:03:32 2024 +0000
Changeset: 7f9f8870ad32b1eaa7c25c81d832d52fd748974c
Added Files:
bind920/DESCR
bind920/MESSAGE.rcd
bind920/Makefile
bind920/PLIST
bind920/TODO
bind920/buildlink3.mk
bind920/builtin.mk
bind920/distinfo
bind920/files/named9.sh
bind920/files/smf/manifest.xml
bind920/files/smf/named.sh
bind920/options.mk
bind920/patches/patch-bin_named_include_named_os.h
bind920/patches/patch-bin_named_os.c
bind920/patches/patch-bin_named_server.c
bind920/patches/patch-configure.ac
Log Message:
bind920: Add a package for BIND 9.20.x.
This is based on net/bind918, but almost none of the diffs
from that package have been ported over. In particular:
* No support here yet for NetBSD blacklist / blocklist.
* The "from in-tree version" patches need going over to decide
whether they should be submitted upstream.
This version has a couple of fixes added, primarily for NetBSD
portability, created by upstream but not present in this version:
* BIND issue #4793, merge request #9123: "BIND relinquishes
privileges too early" and ends up unable to open the control
port at 953.
* BIND issue #4862, merge request #9363: basically stop using
setresuid(), use the saved-id functionality of seteuid() instead.
To see a diff of this commit:
https://wip.pkgsrc.org/cgi-bin/gitweb.cgi?p=pkgsrc-wip.git;a=commitdiff;h=7f9f8870ad32b1eaa7c25c81d832d52fd748974c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
diffstat:
bind920/DESCR | 6 +
bind920/MESSAGE.rcd | 19 ++
bind920/Makefile | 100 +++++++
bind920/PLIST | 303 +++++++++++++++++++++
bind920/TODO | 8 +
bind920/buildlink3.mk | 13 +
bind920/builtin.mk | 96 +++++++
bind920/distinfo | 9 +
bind920/files/named9.sh | 74 +++++
bind920/files/smf/manifest.xml | 138 ++++++++++
bind920/files/smf/named.sh | 262 ++++++++++++++++++
bind920/options.mk | 156 +++++++++++
bind920/patches/patch-bin_named_include_named_os.h | 22 ++
bind920/patches/patch-bin_named_os.c | 188 +++++++++++++
bind920/patches/patch-bin_named_server.c | 52 ++++
bind920/patches/patch-configure.ac | 40 +++
16 files changed, 1486 insertions(+)
diffs:
diff --git a/bind920/DESCR b/bind920/DESCR
new file mode 100644
index 0000000000..389254b187
--- /dev/null
+++ b/bind920/DESCR
@@ -0,0 +1,6 @@
+BIND, the Berkeley Internet Name Daemon.
+
+Release notes are available via https://bind9.readthedocs.io/en/
+
+This package contains the BIND 9.18 release. Upstream labels it
+as supported.
diff --git a/bind920/MESSAGE.rcd b/bind920/MESSAGE.rcd
new file mode 100644
index 0000000000..df088a82df
--- /dev/null
+++ b/bind920/MESSAGE.rcd
@@ -0,0 +1,19 @@
+===========================================================================
+$NetBSD: MESSAGE.rcd,v 1.1 2022/12/11 01:57:55 sekiya Exp $
+
+Please consider running BIND under the pseudo user account "${BIND_USER}"
+in a chroot environment for security reasons.
+
+To achieve this, set the variable "named_chrootdir" in /etc/rc.conf to
+the directory with the chroot environment e.g. "${BIND_DIR}".
+
+Note: named(8) requires writable directories under "/etc/namedb" which
+specified by "directory" in "options" statement:
+
+ cache
+ keys
+ nta
+
+Make sure these directories exists with writable by "${BIND_USER}" user.
+
+===========================================================================
diff --git a/bind920/Makefile b/bind920/Makefile
new file mode 100644
index 0000000000..cbfddd564f
--- /dev/null
+++ b/bind920/Makefile
@@ -0,0 +1,100 @@
+# $NetBSD: Makefile,v 1.35 2024/07/31 20:54:37 markd Exp $
+
+DISTNAME= bind-${BIND_VERSION}
+PKGNAME= ${DISTNAME:S/-P/pl/}
+CATEGORIES= net
+MASTER_SITES= https://downloads.isc.org/isc/bind9/${BIND_VERSION}/
+EXTRACT_SUFX= .tar.xz
+
+MAINTAINER= sekiya%NetBSD.org@localhost
+HOMEPAGE= https://www.isc.org/bind/
+COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.18
+LICENSE= mpl-2.0
+
+CONFLICTS+= host-[0-9]*
+
+MAKE_JOBS_SAFE= no
+
+BIND_VERSION= 9.20.0
+
+BUILD_DEFS+= BIND_DIR VARBASE
+
+.include "options.mk"
+
+USE_TOOLS+= aclocal autoconf automake pax perl pkg-config
+USE_LIBTOOL= yes
+# Requires support for C11 atomics.
+USE_CC_FEATURES+= c11
+GNU_CONFIGURE= yes
+CHECK_FILES_SKIP= bin/tests/system/system-test-driver.sh
+MAKE_ENV+= WRKDIR=${WRKDIR} PREFIX=${PREFIX}
+
+.if ${OPSYS} == "Linux" && !exists(/usr/include/sys/capability.h)
+CONFIGURE_ARGS+= --disable-linux-caps
+.endif
+
+CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR}
+CONFIGURE_ARGS+= --localstatedir=${VARBASE}
+CONFIGURE_ARGS+= --with-openssl=${SSLBASE:Q}
+CONFIGURE_ARGS.NetBSD+= --disable-tracing
+CONFIGURE_ARGS.DragonFly+= --disable-kqueue
+CONFIGURE_ARGS.SunOS+= --disable-epoll
+CONFIGURE_ENV+= ac_cv_path_SPHINX_BUILD=""
+
+# Remove WRKDIR reference by modifying pkg-config related path.
+SUBST_CLASSES+= pkgconf
+SUBST_STAGE.pkgconf= pre-configure
+SUBST_FILES.pkgconf= configure.ac
+SUBST_MESSAGE.pkgconf= Fixing pkg-config path.
+SUBST_VARS.pkgconf+= BUILDLINK_DIR PREFIX TOOLS_DIR
+
+BUILDLINK_TRANSFORM.SunOS+= rm:-zrelax=transtls
+
+PKG_GROUPS_VARS+= BIND_GROUP
+PKG_USERS_VARS= BIND_USER
+
+PKG_GROUPS= ${BIND_GROUP}
+PKG_USERS= ${BIND_USER}:${BIND_GROUP}
+
+PKG_GECOS.${BIND_USER}= Named pseudo-user
+PKG_HOME.${BIND_USER}= ${BIND_DIR}
+
+DOCS= CHANGES OPTIONS.md README.md
+
+FILES_SUBST+= BIND_GROUP=${BIND_GROUP} \
+ BIND_USER=${BIND_USER} PAX=${PAX:Q} \
+ SSLBASE=${SSLBASE}
+MESSAGE_SUBST+= BIND_DIR=${BIND_DIR} BIND_USER=${BIND_USER}
+
+DOCDIR= share/doc/bind9
+
+RCD_SCRIPTS= named9
+SMF_METHODS= named
+
+EGDIR= share/examples/bind9/
+INSTALL_MAKE_FLAGS+= sysconfdir=${PREFIX}/share/examples/bind9
+CONF_FILES+= ${EGDIR}/bind.keys \
+ ${PKG_SYSCONFDIR}/bind.keys
+
+INSTALLATION_DIRS+= ${DOCDIR} ${EGDIR}
+
+pre-configure:
+ cd ${WRKSRC} && \
+ rm -rf autom4te*.cache && \
+ aclocal && \
+ automake --include-deps --add-missing --copy && \
+ autoconf -f
+
+post-install:
+.for f in ${DOCS}
+ ${INSTALL_DATA} ${WRKSRC}/${f} ${DESTDIR}${PREFIX}/${DOCDIR}
+.endfor
+ ${INSTALL_DATA} ${WRKSRC}/bind.keys ${DESTDIR}${PREFIX}/${EGDIR}
+
+.include "../../mk/atomic64.mk"
+.include "../../devel/userspace-rcu/buildlink3.mk"
+.include "../../www/nghttp2/buildlink3.mk"
+.include "../../security/openssl/buildlink3.mk"
+.include "../../devel/libuv/buildlink3.mk"
+.include "../../devel/zlib/buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
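Review bot: `COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.18` still names the 9.18 branch while `BIND_VERSION= 9.20.0` a few lines below sets the package to 9.20; the same stale text is in DESCR ("This package contains the BIND 9.18 release"). Suggest `COMMENT= Berkeley Internet Name Daemon implementation of DNS, version 9.20` and the matching DESCR wording. `EGDIR= share/examples/bind9/` has a trailing slash, so `${EGDIR}/bind.keys` in CONF_FILES expands to `share/examples/bind9//bind.keys`; dropping the slash from EGDIR keeps the paths clean. MAINTAINER was also carried over verbatim from net/bind918, which may or may not be intended for the wip package.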
diff --git a/bind920/PLIST b/bind920/PLIST
new file mode 100644
index 0000000000..131a340254
--- /dev/null
+++ b/bind920/PLIST
@@ -0,0 +1,303 @@
+@comment $NetBSD$
+bin/arpaname
+bin/delv
+bin/dig
+bin/dnssec-cds
+bin/dnssec-dsfromkey
+bin/dnssec-importkey
+bin/dnssec-keyfromlabel
+bin/dnssec-keygen
+bin/dnssec-ksr
+bin/dnssec-revoke
+bin/dnssec-settime
+bin/dnssec-signzone
+bin/dnssec-verify
+${PLIST.dnstap}bin/dnstap-read
+bin/host
+bin/mdig
+bin/named-checkconf
+bin/named-checkzone
+bin/named-compilezone
+bin/named-journalprint
+${PLIST.lmdb}bin/named-nzd2nzf
+bin/named-rrchecker
+bin/nsec3hash
+bin/nslookup
+bin/nsupdate
+include/dns/acl.h
+include/dns/adb.h
+include/dns/badcache.h
+include/dns/bit.h
+include/dns/byaddr.h
+include/dns/cache.h
+include/dns/callbacks.h
+include/dns/catz.h
+include/dns/cert.h
+include/dns/client.h
+include/dns/clientinfo.h
+include/dns/compress.h
+include/dns/db.h
+include/dns/dbiterator.h
+include/dns/diff.h
+include/dns/dispatch.h
+include/dns/dlz.h
+include/dns/dlz_dlopen.h
+include/dns/dns64.h
+include/dns/dnsrps.h
+include/dns/dnssec.h
+include/dns/dnstap.h
+include/dns/ds.h
+include/dns/dsdigest.h
+include/dns/dyndb.h
+include/dns/ecs.h
+include/dns/edns.h
+include/dns/enumclass.h
+include/dns/enumtype.h
+include/dns/fixedname.h
+include/dns/forward.h
+include/dns/geoip.h
+include/dns/ipkeylist.h
+include/dns/iptable.h
+include/dns/journal.h
+include/dns/kasp.h
+include/dns/keydata.h
+include/dns/keyflags.h
+include/dns/keymgr.h
+include/dns/keystore.h
+include/dns/keytable.h
+include/dns/keyvalues.h
+include/dns/librpz.h
+include/dns/log.h
+include/dns/master.h
+include/dns/masterdump.h
+include/dns/message.h
+include/dns/name.h
+include/dns/nametree.h
+include/dns/ncache.h
+include/dns/nsec.h
+include/dns/nsec3.h
+include/dns/nta.h
+include/dns/opcode.h
+include/dns/order.h
+include/dns/peer.h
+include/dns/private.h
+include/dns/qp.h
+include/dns/rbt.h
+include/dns/rcode.h
+include/dns/rdata.h
+include/dns/rdataclass.h
+include/dns/rdatalist.h
+include/dns/rdataset.h
+include/dns/rdatasetiter.h
+include/dns/rdataslab.h
+include/dns/rdatastruct.h
+include/dns/rdatatype.h
+include/dns/remote.h
+include/dns/request.h
+include/dns/resolver.h
+include/dns/result.h
+include/dns/rootns.h
+include/dns/rpz.h
+include/dns/rriterator.h
+include/dns/rrl.h
+include/dns/sdlz.h
+include/dns/secalg.h
+include/dns/secproto.h
+include/dns/soa.h
+include/dns/ssu.h
+include/dns/stats.h
+include/dns/time.h
+include/dns/tkey.h
+include/dns/trace.h
+include/dns/transport.h
+include/dns/tsig.h
+include/dns/ttl.h
+include/dns/types.h
+include/dns/update.h
+include/dns/validator.h
+include/dns/view.h
+include/dns/xfrin.h
+include/dns/zone.h
+include/dns/zonekey.h
+include/dns/zoneverify.h
+include/dns/zt.h
+include/dst/dst.h
+include/dst/gssapi.h
+include/irs/resconf.h
+include/isc/ascii.h
+include/isc/assertions.h
+include/isc/async.h
+include/isc/atomic.h
+include/isc/attributes.h
+include/isc/backtrace.h
+include/isc/barrier.h
+include/isc/base32.h
+include/isc/base64.h
+include/isc/buffer.h
+include/isc/commandline.h
+include/isc/condition.h
+include/isc/counter.h
+include/isc/crc64.h
+include/isc/dir.h
+include/isc/dnsstream.h
+include/isc/endian.h
+include/isc/entropy.h
+include/isc/errno.h
+include/isc/error.h
+include/isc/file.h
+include/isc/fips.h
+include/isc/formatcheck.h
+include/isc/fuzz.h
+include/isc/getaddresses.h
+include/isc/hash.h
+include/isc/hashmap.h
+include/isc/heap.h
+include/isc/hex.h
+include/isc/histo.h
+include/isc/hmac.h
+include/isc/ht.h
+include/isc/httpd.h
+include/isc/interfaceiter.h
+include/isc/iterated_hash.h
+include/isc/job.h
+include/isc/lang.h
+include/isc/lex.h
+include/isc/list.h
+include/isc/log.h
+include/isc/loop.h
+include/isc/magic.h
+include/isc/managers.h
+include/isc/md.h
+include/isc/mem.h
+include/isc/meminfo.h
+include/isc/mutex.h
+include/isc/mutexblock.h
+include/isc/net.h
+include/isc/netaddr.h
+include/isc/netmgr.h
+include/isc/netscope.h
+include/isc/nonce.h
+include/isc/once.h
+include/isc/os.h
+include/isc/overflow.h
+include/isc/parseint.h
+include/isc/pause.h
+include/isc/portset.h
+include/isc/proxy2.h
+include/isc/queue.h
+include/isc/quota.h
+include/isc/radix.h
+include/isc/random.h
+include/isc/ratelimiter.h
+include/isc/refcount.h
+include/isc/regex.h
+include/isc/region.h
+include/isc/result.h
+include/isc/rwlock.h
+include/isc/safe.h
+include/isc/serial.h
+include/isc/signal.h
+include/isc/siphash.h
+include/isc/sockaddr.h
+include/isc/spinlock.h
+include/isc/stats.h
+include/isc/stdio.h
+include/isc/stdtime.h
+include/isc/strerr.h
+include/isc/string.h
+include/isc/symtab.h
+include/isc/syslog.h
+include/isc/thread.h
+include/isc/tid.h
+include/isc/time.h
+include/isc/timer.h
+include/isc/tls.h
+include/isc/tm.h
+include/isc/types.h
+include/isc/urcu.h
+include/isc/url.h
+include/isc/utf8.h
+include/isc/util.h
+include/isc/uv.h
+include/isc/work.h
+include/isc/xml.h
+include/isccc/alist.h
+include/isccc/base64.h
+include/isccc/cc.h
+include/isccc/ccmsg.h
+include/isccc/sexpr.h
+include/isccc/symtab.h
+include/isccc/symtype.h
+include/isccc/types.h
+include/isccc/util.h
+include/isccfg/aclconf.h
+include/isccfg/cfg.h
+include/isccfg/check.h
+include/isccfg/duration.h
+include/isccfg/grammar.h
+include/isccfg/kaspconf.h
+include/isccfg/log.h
+include/isccfg/namedconf.h
+include/ns/client.h
+include/ns/hooks.h
+include/ns/interfacemgr.h
+include/ns/listenlist.h
+include/ns/log.h
+include/ns/notify.h
+include/ns/query.h
+include/ns/server.h
+include/ns/sortlist.h
+include/ns/stats.h
+include/ns/types.h
+include/ns/update.h
+include/ns/xfrout.h
+lib/bind/filter-a.la
+lib/bind/filter-aaaa.la
+lib/libdns.la
+lib/libisc.la
+lib/libisccc.la
+lib/libisccfg.la
+lib/libns.la
+man/man1/arpaname.1
+man/man1/delv.1
+man/man1/dig.1
+man/man1/dnssec-cds.1
+man/man1/dnssec-dsfromkey.1
+man/man1/dnssec-importkey.1
+man/man1/dnssec-keyfromlabel.1
+man/man1/dnssec-keygen.1
+man/man1/dnssec-ksr.1
+man/man1/dnssec-revoke.1
+man/man1/dnssec-settime.1
+man/man1/dnssec-signzone.1
+man/man1/dnssec-verify.1
+${PLIST.dnstap}man/man1/dnstap-read.1
+man/man1/host.1
+man/man1/mdig.1
+man/man1/named-checkconf.1
+man/man1/named-checkzone.1
+man/man1/named-compilezone.1
+man/man1/named-journalprint.1
+${PLIST.lmdb}man/man1/named-nzd2nzf.1
+man/man1/named-rrchecker.1
+man/man1/nsec3hash.1
+man/man1/nslookup.1
+man/man1/nsupdate.1
+man/man5/named.conf.5
+man/man5/rndc.conf.5
+man/man8/ddns-confgen.8
+man/man8/filter-a.8
+man/man8/filter-aaaa.8
+man/man8/named.8
+man/man8/rndc-confgen.8
+man/man8/rndc.8
+man/man8/tsig-keygen.8
+sbin/ddns-confgen
+sbin/named
+sbin/rndc
+sbin/rndc-confgen
+sbin/tsig-keygen
+share/doc/bind9/CHANGES
+share/doc/bind9/OPTIONS.md
+share/doc/bind9/README.md
+share/examples/bind9/bind.keys
diff --git a/bind920/TODO b/bind920/TODO
new file mode 100644
index 0000000000..35ba309497
--- /dev/null
+++ b/bind920/TODO
@@ -0,0 +1,8 @@
+A few things remain, mostly related to the patches
+from the net/bind918 package:
+
+ * Re-add support for blocklists / blacklists.
+
+ * Figure out the rest of the diffs, whether they're
+ worthy of "upstreaming" or not.
+
diff --git a/bind920/buildlink3.mk b/bind920/buildlink3.mk
new file mode 100644
index 0000000000..cbb8988e26
--- /dev/null
+++ b/bind920/buildlink3.mk
@@ -0,0 +1,13 @@
+# $NetBSD: buildlink3.mk,v 1.3 2024/07/22 18:09:01 adam Exp $
+
+BUILDLINK_TREE+= bind
+
+.if !defined(BIND_BUILDLINK3_MK)
+BIND_BUILDLINK3_MK:=
+
+BUILDLINK_API_DEPENDS.bind+= bind>=9.20.0
+BUILDLINK_ABI_DEPENDS.bind+= bind>=9.20.0
+BUILDLINK_PKGSRCDIR.bind?= ../../wip/bind920
+.endif # BIND_BUILDLINK3_MK
+
+BUILDLINK_TREE+= -bind
diff --git a/bind920/builtin.mk b/bind920/builtin.mk
new file mode 100644
index 0000000000..09724d5717
--- /dev/null
+++ b/bind920/builtin.mk
@@ -0,0 +1,96 @@
+# $NetBSD: builtin.mk,v 1.2 2024/01/13 20:08:25 riastradh Exp $
+
+BUILTIN_PKG:= bind
+
+BUILTIN_FIND_FILES_VAR:= EXE_NAMED
+BUILTIN_FIND_FILES.EXE_NAMED= /usr/sbin/named
+BUILTIN_FIND_LIBS:= bind
+
+.include "../../mk/buildlink3/bsd.builtin.mk"
+
+###
+### Figure out the version of BIND if an ISC BIND named exists on the
+### system.
+###
+### XXX This doesn't work for cross-compilation because we can't
+### execute the target system's program. Can the version be discovered
+### any other way?
+###
+.if ${USE_CROSS_COMPILE:tl} != "yes" && \
+ !defined(BUILTIN_VERSION.bind) && \
+ empty(EXE_NAMED:M__nonexistent__) && \
+ empty(EXE_NAMED:M${LOCALBASE}/*)
+BUILTIN_VERSION.bind!= \
+ ${EXE_NAMED} -v 2>/dev/null | ${HEAD} -1 | \
+ ${AWK} 'BEGIN { v = "4.9.11"; } \
+ /^BIND / { v = $$2; sub("-.*", "", v); } \
+ /^named / { v = $$2; sub("-.*", "", v); } \
+ END { print v; }'
+.endif
+MAKEVARS+= BUILTIN_VERSION.bind
+
+###
+### Determine if there is a built-in implementation of the package and
+### set IS_BUILTIN.<pkg> appropriately ("yes" or "no").
+###
+.if !defined(IS_BUILTIN.bind)
+IS_BUILTIN.bind= no
+. if defined(BUILTIN_VERSION.bind)
+IS_BUILTIN.bind= yes
+. endif
+.endif
+MAKEVARS+= IS_BUILTIN.bind
+
+###
+### If there is a built-in implementation, then set BUILTIN_PKG.<pkg> to
+### a package name to represent the built-in package.
+###
+.if !defined(BUILTIN_PKG.bind) && \
+ ${IS_BUILTIN.bind:tl} == yes && \
+ defined(BUILTIN_VERSION.bind)
+BUILTIN_PKG.bind= bind-${BUILTIN_VERSION.bind}
+.endif
+MAKEVARS+= BUILTIN_PKG.bind
+
+###
+### Determine whether we should use the built-in implementation if it
+### exists, and set USE_BUILTIN.<pkg> appropriate ("yes" or "no").
+###
+.if !defined(USE_BUILTIN.bind)
+. if ${PREFER.bind} == "pkgsrc"
+USE_BUILTIN.bind= no
+. else
+USE_BUILTIN.bind= ${IS_BUILTIN.bind}
+. if defined(BUILTIN_PKG.bind) && \
+ ${IS_BUILTIN.bind:tl} == yes
+USE_BUILTIN.bind= yes
+. for dep in ${BUILDLINK_API_DEPENDS.bind}
+. if ${USE_BUILTIN.bind:tl} == yes
+USE_BUILTIN.bind!= \
+ if ${PKG_ADMIN} pmatch ${dep:Q} ${BUILTIN_PKG.bind:Q}; then \
+ ${ECHO} yes; \
+ else \
+ ${ECHO} no; \
+ fi
+. endif
+. endfor
+. endif
+. endif # PREFER.bind
+.endif
+MAKEVARS+= USE_BUILTIN.bind
+
+###
+### The section below only applies if we are not including this file
+### solely to determine whether a built-in implementation exists.
+###
+CHECK_BUILTIN.bind?= no
+.if ${CHECK_BUILTIN.bind:tl} == no
+. if ${USE_BUILTIN.bind:tl} == yes
+. if ${BUILTIN_LIB_FOUND.bind:U:tl} == yes
+BUILDLINK_LDADD.bind?= -lbind
+. endif
+. elif ${USE_BUILTIN.bind:tl} == no
+BUILDLINK_LDADD.bind?= -lbind
+. endif
+
+.endif # CHECK_BUILTIN.bind
diff --git a/bind920/distinfo b/bind920/distinfo
new file mode 100644
index 0000000000..178c688d86
--- /dev/null
+++ b/bind920/distinfo
@@ -0,0 +1,9 @@
+$NetBSD: distinfo,v 1.20 2024/07/23 13:50:32 taca Exp $
+
+BLAKE2s (bind-9.20.0.tar.xz) = 72d36220b98533a0d386e5648c2da5944df5f0f170c07725d3cb97b42994caf9
+SHA512 (bind-9.20.0.tar.xz) = 38dcb5d401b357127f11af521594daf2a7df1fbf444f80a823d10d1077903a59faac4299f925ad77283610c54c816ac0f53edb6d1cdb664abc36368457840e55
+Size (bind-9.20.0.tar.xz) = 5760416 bytes
+SHA1 (patch-bin_named_include_named_os.h) = d14f7e2e6c45c6a6879a9b7900a9f0348975bbe7
+SHA1 (patch-bin_named_os.c) = 9496ffdb0cbc225222161f41e6fcb7d494d430cc
+SHA1 (patch-bin_named_server.c) = 7fa9617cbeb6eaa85a73422311319fdb62c18fe6
+SHA1 (patch-configure.ac) = 0cfceff37b5a1900a85e0e23b80270eb005134e6
diff --git a/bind920/files/named9.sh b/bind920/files/named9.sh
new file mode 100644
index 0000000000..d6e6a88ad2
--- /dev/null
+++ b/bind920/files/named9.sh
@@ -0,0 +1,74 @@
+#!@RCD_SCRIPTS_SHELL@
+#
+# $NetBSD: named9.sh,v 1.1 2022/12/11 03:00:01 sekiya Exp $
+#
+
+# PROVIDE: named
+# REQUIRE: NETWORKING mountcritremote syslogd
+# BEFORE: DAEMON
+# KEYWORD: chrootdir
+
+. /etc/rc.subr
+
+name="named"
+rcvar="${name}9"
+command="@PREFIX@/sbin/${name}"
+pidfile="@VARBASE@/run/named/${name}.pid"
+start_precmd="named_precmd"
+extra_commands="reload"
+required_dirs="$named_chrootdir" # if it is set, it must exist
+
+named_precmd()
+{
+ # Die if $named is also set (i.e. the system's named is not disabled
+ if checkyesno named ; then
+ warn \
+ "disable 'named' when setting 'named9'!"
+ return 1
+ fi
+
+ if [ ! -d @VARBASE@/run/named ]; then
+ @MKDIR@ @VARBASE@/run/named
+ fi
+
+ if [ -z "$named_chrootdir" ]; then
+ return 0;
+ fi
+
+ for i in crypto null random urandom
+ do
+ if [ ! -c "${named_chrootdir}/dev/$i" ]; then
+ @RM@ -f "${named_chrootdir}/dev/$i"
+ (cd /dev &&
+ @PAX@ -rw -pe "$i" "${named_chrootdir}/dev")
+ fi
+ done
+
+ if [ -f /etc/localtime ]; then
+ @CMP@ -s /etc/localtime "${named_chrootdir}/etc/localtime" || \
+ @CP@ -p /etc/localtime "${named_chrootdir}/etc/localtime"
+ fi
+
+ if [ -f @SSLBASE@/lib/engines/libgost.so ]; then
+ if [ ! -d ${named_chrootdir}@SSLBASE@/lib/engines ]; then
+ @MKDIR@ ${named_chrootdir}@SSLBASE@/lib/engines
+ fi
+ @CMP@ -s @SSLBASE@/lib/engines/libgost.so "${named_chrootdir}@SSLBASE@/lib/engines/libgost.so" || \
+ @CP@ -p @SSLBASE@/lib/engines/libgost.so "${named_chrootdir}@SSLBASE@/lib/engines/libgost.so"
+ fi
+
+ if [ ! -d ${named_chrootdir}@VARBASE@/run/named ]; then
+ @MKDIR@ ${named_chrootdir}@VARBASE@/run/named
+ @CHOWN@ @BIND_USER@ ${named_chrootdir}@VARBASE@/run/named
+ fi
+
+ @RM@ -f ${pidfile}
+ @LN@ -s "${named_chrootdir}${pidfile}" ${pidfile}
+
+ # Change run_rc_commands()'s internal copy of $named_flags
+ #
+ rc_flags="-u @BIND_USER@ -t ${named_chrootdir} $rc_flags"
+}
+
+load_rc_config "$rcvar"
+run_rc_command "$1"
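Review bot: `rc_flags="-u @BIND_USER@ -t ${named_chrootdir} $rc_flags"` is only reached after the `if [ -z "$named_chrootdir" ]; then return 0; fi` early return, so in the non-chroot configuration named is started without `-u` and keeps running as root unless the administrator adds `-u` to named_flags themselves; this is at odds with MESSAGE.rcd, which recommends the pseudo-user in every setup. Consider setting `rc_flags="-u @BIND_USER@ $rc_flags"` before the chroot test and only appending `-t ${named_chrootdir}` at the end. In the same non-chroot branch `@MKDIR@ @VARBASE@/run/named` is created but never chowned to @BIND_USER@, whereas the chroot branch does `@CHOWN@`; whether that matters depends on when named writes its pidfile relative to dropping privileges, so it is worth confirming on a non-chroot install. The chroot paths are quoted inconsistently (`"${named_chrootdir}/dev/$i"` vs `${named_chrootdir}@VARBASE@/run/named`); quoting all of them avoids surprises if named_chrootdir ever contains whitespace.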
diff --git a/bind920/files/smf/manifest.xml b/bind920/files/smf/manifest.xml
new file mode 100644
index 0000000000..3b9c596553
--- /dev/null
+++ b/bind920/files/smf/manifest.xml
@@ -0,0 +1,138 @@
+<?xml version="1.0"?>
+<!--
+CDDL HEADER START
+
+The contents of this file are subject to the terms of the
+Common Development and Distribution License (the "License").
+You may not use this file except in compliance with the License.
+
+You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+or http://www.opensolaris.org/os/licensing.
+See the License for the specific language governing permissions
+and limitations under the License.
+
+When distributing Covered Code, include this CDDL HEADER in each
+file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+If applicable, add the following below this CDDL HEADER, with the
+fields enclosed by brackets "[]" replaced with your own identifying
+information: Portions Copyright [yyyy] [name of copyright owner]
+
+CDDL HEADER END
+-->
+<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
+<!--
+ Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+ Use is subject to license terms.
+
+ ident "@(#)server.xml 1.8 07/06/19 SMI"
+-->
+<!-- Portions Copyright 2007 Vedran Bender -->
+<service_bundle type='manifest' name='export'>
+ <service name='@SMF_PREFIX@/@SMF_NAME@' type='service' version='1'>
+ <dependency name='filesystem_minimal' grouping='require_all' restart_on='none' type='service'>
+ <service_fmri value='svc:/system/filesystem/local' />
+ </dependency>
+ <dependency name='loopback' grouping='require_any' restart_on='error' type='service'>
+ <service_fmri value='svc:/network/loopback' />
+ </dependency>
+ <dependency name='network' grouping='optional_all' restart_on='error' type='service'>
+ <service_fmri value='svc:/milestone/network' />
+ </dependency>
+ <dependency name='config-files' grouping='require_any' restart_on='refresh' type='path'>
+ <service_fmri value='file://localhost@PKG_SYSCONFDIR@/named.conf' />
+ </dependency>
+ <!--
+ In order to run multiple named(1M) processes with their own
+ configuration file or properties each must have a unique
+ instance.
+ -->
+ <instance name='default' enabled='false'>
+ <exec_method type='method' name='start' exec='@PREFIX@/@SMF_METHOD_FILE.named@ %m %i' timeout_seconds='60'>
+ <method_context>
+ <method_credential user='root' group='root' />
+ </method_context>
+ </exec_method>
+ <exec_method type='method' name='stop' exec='@PREFIX@/@SMF_METHOD_FILE.named@ %m %i %{restarter/contract}' timeout_seconds='60'>
+ <method_context>
+ <method_credential user='root' group='root' />
+ </method_context>
+
+ </exec_method>
+ <!--
+ SIGHUP causes named to reread its configuration file, but not any
+ of the properties below.
+ -->
+ <exec_method type='method' name='refresh' exec=':kill -HUP' timeout_seconds='60'>
+ <method_context />
+ </exec_method>
+ <property_group name='general' type='framework'>
+ <!-- manage DNS server state -->
+ <propval name='action_authorization' type='astring' value='solaris.smf.manage.bind' />
+ <propval name='value_authorization' type='astring' value='solaris.smf.manage.bind' />
+ </property_group>
+ <!-- Default property settings for named(1M) instance. -->
+ <property_group name='options' type='application'>
+ <!--
+ server: specifies an alternative server command. If
+ not specified the default /usr/sbin/named is used.
+ -->
+ <propval name='server' type='astring' value='' />
+ <!--
+ configuration_file: specifies an alternative
+ configuration file to be used. The property is similar
+ to named(1M) command line option '-c'
+ -->
+ <propval name='configuration_file' type='astring' value='' />
+ <!--
+ ip_interfaces: specifies which IP transport BIND will
+ transmit on. Possible values are 'IPv4' or 'IPv6'. Any
+ other setting assumes 'all', the default.
+ Equivalent command line option '-4' or '-6'.
+ -->
+ <propval name='ip_interfaces' type='astring' value='all' />
+ <!--
+ listen_on_port: Specifies the default UDP and TCP port
+ which will be used to listen for DNS requests.
+ Equivalent command line option '-p <integer>'.
+ -->
+ <propval name='listen_on_port' type='integer' value='0' />
+ <!--
+ debug_level: Specifies the default debug level. The
+ default is 0; no debugging. The Higher the number the
+ more verbose debug information becomes.
+ Equivalent command line option '-d <integer>'.
+ -->
+ <propval name='debug_level' type='integer' value='0' />
+ <!--
+ threads: Specifies the number of cpu worker threads to
+ create. The default of 0 causes named to try and
+ determine the number of CPUs present and create one
+ thread per CPU.
+ Equivalent command line option '-n <integer>'.
+ -->
+ <propval name='threads' type='integer' value='0' />
+ <!--
+ chroot_dir: Change the root directory using chroot(2)
+ to directory after processing the command line
+ arguments, but before reading the configuration file.
+ Equivalent command line option '-t <pathname>'.
+ -->
+ <propval name='chroot_dir' type='astring' value='' />
+ <!--
+ user: Change the user id after processing command line
+ arguments, but before reading the configuration file.
+ Equivalent command line option '-u <user>'.
+ -->
+ <propval name='user' type='astring' value='named' />
+ </property_group>
+ </instance>
+ <template>
+ <common_name>
+ <loctext xml:lang='C'>BIND DNS server</loctext>
+ </common_name>
+ <documentation>
+ <manpage title='named' section='1M' manpath='@PREFIX@/@PKGMANDIR@' />
+ </documentation>
+ </template>
+ </service>
+</service_bundle>
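Review bot: `<propval name='user' type='astring' value='named' />` hardcodes the account name, while the package makes it configurable through BIND_USER (Makefile's FILES_SUBST already exports `BIND_USER=${BIND_USER}`). If the manifest is run through the same substitution as the method script, `value='@BIND_USER@'` keeps the SMF default in step with the pkgsrc user and the `chown ${cmduser}:${cmduser}` in named.sh; if it is not, a comment stating that the value must match BIND_USER would help the next maintainer. The `method_credential user='root'` entries are expected here since named drops privileges itself via the `user` property.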
diff --git a/bind920/files/smf/named.sh b/bind920/files/smf/named.sh
new file mode 100644
index 0000000000..db49b5534f
--- /dev/null
+++ b/bind920/files/smf/named.sh
@@ -0,0 +1,262 @@
+#!@SMF_METHOD_SHELL@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#pragma ident "@(#)dns-server.sh 1.1 07/03/26 SMI"
+
+# smf_method(5) start/stop script required for server DNS
+
+. /lib/svc/share/smf_include.sh
+
+mount_chroot ()
+{
+ c=$1
+ shift
+ for f in $*; do
+ if [ -z "${f}" -o ! -f "${f}" -o \
+ -z "${c}" -o ! -d "${c}" ]; then
+ exit ${SMF_EXIT_ERR_CONFIG}
+ fi
+
+ umount ${c}/${f} >/dev/null 2>&1
+ mkdir -p `dirname ${c}/${f}`
+ touch ${c}/${f}
+ mount -Flofs ${f} ${c}/${f}
+ done
+}
+
+umount_chroot ()
+{
+ c=$1
+ shift
+ for f in $*; do
+ umount ${c}/${f} >/dev/null 2>&1
+ done
+}
+
+get_config ()
+{
+ configuration_file=@PKG_SYSCONFDIR@/named.conf
+ rndc_config_file=@PKG_SYSCONFDIR@/rndc.conf
+ rndc_key_file=@PKG_SYSCONFDIR@/rndc.key
+ rndc_cmd_opts="-a"
+ libraries="/usr/pkg/lib/engines/libgost.so"
+ cmdopts=""
+ checkopts=""
+ properties="debug_level ip_interfaces listen_on_port
+ threads chroot_dir configuration_file server user"
+
+ for prop in $properties
+ do
+ value=`/usr/bin/svcprop -p options/${prop} ${SMF_FMRI}`
+ if [ -z "${value}" -o "${value}" = '""' ]; then
+ continue;
+ fi
+
+ case $prop in
+ 'debug_level')
+ if [ ${value} -gt 0 ]; then
+ cmdopts="${cmdopts} -d ${value}"
+ fi
+ ;;
+ 'ip_interfaces')
+ case ${value} in
+ 'IPv4')
+ cmdopts="${cmdopts} -4";;
+ 'IPv6')
+ cmdopts="${cmdopts} -6";;
+ 'all')
+ : # Default is all, therefore ignore.
+ ;;
+ *)
+ echo "$I: Unrecognised value in service instance property" >&2
+ echo "$I: options/${prop} : ${value}" >&2
+ ;;
+ esac
+ ;;
+ 'listen_on_port')
+ if [ ${value} -gt 0 ]; then
+ cmdopts="${cmdopts} -p ${value}"
+ fi
+ ;;
+ 'threads')
+ if [ ${value} -gt 0 ]; then
+ cmdopts="${cmdopts} -n ${value}"
+ fi
+ ;;
+ 'chroot_dir')
+ cmdopts="${cmdopts} -t ${value}"
+ checkopts="${checkopts} -t ${value}"
+ chroot_dir=${value};
+ ;;
+ 'configuration_file')
+ cmdopts="${cmdopts} -c ${value}"
+ checkopts="${checkopts} ${value}"
+ configuration_file=${value};
+ ;;
+ 'server')
+ set -- `echo ${value} | /usr/bin/sed -e 's/\\\\//g'`
+ server=$@
+ ;;
+ 'user')
+ cmdopts="${cmdopts} -u ${value}"
+ cmduser=${value};
+ ;;
+ esac
+ done
+
+ configuration_dir=$(sed -n -e 's,^[[:space:]]*directory.*"\(.*\)";,\1,p' \
+ ${configuration_file})
+ [ "${configuration_dir}" == "" ] && configuration_dir=@PKG_SYSCONFDIR@/namedb
+
+ configuration_files=$(sed -n -e \
+ "s,^[[:space:]]*file.*\"\(.*\)\";,${configuration_dir}/\1,p" \
+ ${configuration_file} | sort -u)
+ configuration_files="${configuration_files} ${configuration_file}"
+}
+
+result=${SMF_EXIT_OK}
+
+# Read command line arguments
+method="$1" # %m
+instance="$2" # %i
+contract="$3" # %{restarter/contract}
+
+# Set defaults; SMF_FMRI should have been set, but just in case.
+if [ -z "$SMF_FMRI" ]; then
+ SMF_FMRI="svc:/@SMF_PREFIX@/@SMF_NAME@:${instance}"
+fi
+server="@PREFIX@/sbin/named"
+checkconf="@PREFIX@/bin/named-checkconf"
+I=`/usr/bin/basename $0`
+
+case "$method" in
+'start')
+ get_config
+
+ # If chroot option is set, note zones(5) are preferred, then
+ # configuration file lives under chroot directory.
+ if [ "${chroot_dir}" != "" ]; then
+ if [ "${chroot_dir}" = "/" ]; then
+ msg="$I: chroot_dir must not be /"
+ echo ${msg} >&2
+ /usr/bin/logger -p daemon.error ${msg}
+ # dns-server should be placed in maintenance state.
+ exit ${SMF_EXIT_ERR_CONFIG}
+ fi
+
+ server="env LD_NOLAZYLOAD=1 ${server}"
+ checkconf="env LD_NOLAZYLOAD=1 ${checkconf}"
+
+ mkdir -p ${chroot_dir}
+
+ if [ "${SMF_ZONENAME}" = "global" ]; then
+ for dev in crypto log null poll random urandom; do
+ rm -f ${chroot_dir}/dev/${dev}
+ pax -rw -H -pe /dev/${dev} ${chroot_dir}
+ done
+ fi
+
+ missing=""
+ for dev in crypto null poll random urandom; do
+ if [ ! -e "${chroot_dir}/dev/${dev}" ]; then
+ missing="${missing} ${dev}"
+ fi
+ done
+
+ if [ ! -z "${missing}" ]; then
+ msg="$I: missing device nodes in ${chroot_dir}: ${missing}"
+ echo ${msg} >&2
+ /usr/bin/logger -p daemon.err ${msg}
+ # dns-server should be placed in maintenance state.
+ exit ${SMF_EXIT_ERR_CONFIG}
+ fi
+
+ mount_chroot ${chroot_dir} ${configuration_files} ${libraries}
+
+ mkdir -p ${chroot_dir}/var/run/named
+ chown ${cmduser}:${cmduser} ${chroot_dir}/var/run/named
+
+ configuration_file=${chroot_dir}${configuration_file}
+ rndc_config_file=${chroot_dir}${rndc_config_file}
+ rndc_key_file=${chroot_dir}${rndc_key_file}
+ rndc_cmd_opts="${rndc_cmd_opts} -t ${chroot_dir}"
+ else
+ mkdir -p -m 0770 @VARBASE@/run/named
+ chown ${cmduser}:${cmduser} @VARBASE@/run/named
+ fi
+
+ # Check if the rndc config file exists.
+ if [ ! -f ${rndc_config_file} ]; then
+ # If not, check if the default rndc key file exists.
+ if [ ! -f ${rndc_key_file} ]; then
+ echo "$I: Creating default rndc key file: ${rndc_key_file}." >&2
+ @PREFIX@/sbin/rndc-confgen ${rndc_cmd_opts}
+ if [ $? -ne 0 ]; then
+ echo "$I : Warning: rndc configuration failed! Use of 'rndc' to" \
+ "control 'named' may fail and 'named' may report further error" \
+ "messages to the system log. This is not fatal. For more" \
+ "information see rndc(1M) and rndc-confgen(1M)." >&2
+ fi
+ fi
+ fi
+
+ if [ ${result} = ${SMF_EXIT_OK} ]; then
+ ${checkconf} -z ${checkopts}
+ result=$?
+ if [ $result -ne 0 ]; then
+ msg="$I: named-checkconf failed to verify configuration"
+ echo ${msg} >&2
+ /usr/bin/logger -p daemon.error ${msg}
+ if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
+ umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
+ fi
+ # dns-server should be placed in maintenance state.
+ exit ${SMF_EXIT_ERR_CONFIG}
+ fi
+ fi
+
+ if [ ${result} = ${SMF_EXIT_OK} ]; then
+ echo "$I: Executing: ${server} ${cmdopts}"
+ # Execute named(1M) with relevant command line options.
+ ${server} ${cmdopts}
+ result=$?
+ fi
+ ;;
+'stop')
+ get_config
+
+ smf_kill_contract ${contract} TERM 1
+ [ $? -ne 0 ] && exit 1
+
+ if [ "${chroot_dir}" != "" -a "${chroot_dir}" != "/" ]; then
+ umount_chroot ${chroot_dir} ${configuration_files} ${libraries}
+ fi
+
+ ;;
+*)
+ echo "Usage: $I [stop|start] <instance>" >&2
+ exit 1
+ ;;
+esac
+exit ${result}
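Review bot: `libraries="/usr/pkg/lib/engines/libgost.so"` in get_config hardcodes a prefix where the rest of the file uses @PREFIX@/@PKG_SYSCONFDIR@ substitutions, and because mount_chroot does `exit ${SMF_EXIT_ERR_CONFIG}` for any listed file failing `! -f "${f}"`, a chroot start fails outright on any system without that engine file — likely the common case with current OpenSSL, where engines are deprecated. Suggest `libraries=""` followed by `[ -f "@SSLBASE@/lib/engines/libgost.so" ] && libraries="@SSLBASE@/lib/engines/libgost.so"` so a missing engine is simply not lofs-mounted. `[ "${configuration_dir}" == "" ]` relies on a non-POSIX `test` operator; `=` as used in the `"${chroot_dir}" = "/"` check is portable. Note also that when the `user` property is empty it is skipped by the `-z "${value}"` test, so `cmduser` stays unset and the later `chown ${cmduser}:${cmduser}` runs with an empty owner; defaulting `cmduser` before the loop would make that path explicit.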
diff --git a/bind920/options.mk b/bind920/options.mk
new file mode 100644
index 0000000000..95ad28e6f8
--- /dev/null
+++ b/bind920/options.mk
@@ -0,0 +1,156 @@
+# $NetBSD: options.mk,v 1.4 2024/07/22 19:07:58 adam Exp $
+
+PKG_OPTIONS_VAR= PKG_OPTIONS.bind
+PKG_SUPPORTED_OPTIONS= bind-dig-sigchase bind-xml-statistics-server
+PKG_SUPPORTED_OPTIONS+= bind-json-statistics-server blacklist blocklist
+PKG_SUPPORTED_OPTIONS+= threads readline lmdb mysql pgsql ldap dlz-filesystem
+PKG_SUPPORTED_OPTIONS+= geoip gssapi tuning dnstap
+PKG_SUGGESTED_OPTIONS+= readline
+
+PLIST_VARS+= dnstap lmdb
+
+PTHREAD_OPTS+= native
+.include "../../mk/pthread.buildlink3.mk"
+
+.if defined(PTHREAD_TYPE) && (${PTHREAD_TYPE} == "none") || \
+ ${MACHINE_PLATFORM:MNetBSD-*-vax} || \
+ ${MACHINE_PLATFORM:MNetBSD-*-sparc} || \
+ ${MACHINE_PLATFORM:MNetBSD-*-sparc64} || \
+ ${MACHINE_PLATFORM:MNetBSD-*-m68k}
+# don't touch PKG_SUGGESTED_OPTIONS
+.else
+PKG_SUGGESTED_OPTIONS+= threads
+.endif
+
+.if ${OPSYS} == "NetBSD"
+. if !empty(PKG_OPTIONS:Mblacklist)
+. if exists(/usr/include/blacklist.h)
+PKG_SUGGESTED_OPTIONS+= blacklist
+. elif !empty(PKG_OPTIONS:Mblocklist) && exists(/usr/include/blocklist.h)
+PKG_SUGGESTED_OPTIONS+= blocklist
+. endif
+. endif
+.endif
+
+.include "../../mk/bsd.options.mk"
+
+###
+### The mysql pgsql ldap dlz-filesystem options are all for BIND
+### DLZ (Dynamically Loadable Zones) functionality
+###
+### NOTE: bdb is excluded on purpose as pkgsrc does not contain
+### a bdb v4.1 or 4.2 package which is what BIND needs.
+### The majority of these are compile tested only
+###
+
+.if !empty(PKG_OPTIONS:Mlmdb)
+.include "../../databases/lmdb/buildlink3.mk"
+CONFIGURE_ARGS+= --with-lmdb=${PREFIX}
+PLIST.lmdb= yes
+.else
+CONFIGURE_ARGS+= --with-lmdb=no
+.endif
+
+.if !empty(PKG_OPTIONS:Mmysql)
+.include "../../mk/mysql.buildlink3.mk"
+CONFIGURE_ARGS+= --with-dlz-mysql=${BUILDLINK_PREFIX.mysql-client}
+.endif
+
+.if !empty(PKG_OPTIONS:Mpgsql)
+.include "../../mk/pgsql.buildlink3.mk"
+CONFIGURE_ARGS+= --with-dlz-postgres=${BUILDLINK_PREFIX.${PGSQL_TYPE}}
+CONFIGURE_ENV+= ac_cv_path_PG_CONFIG=${PREFIX}/bin/pg_config
+.endif
+
+.if !empty(PKG_OPTIONS:Mldap)
+.include "../../databases/openldap-client/buildlink3.mk"
+CONFIGURE_ARGS+= --with-dlz-ldap=${BUILDLINK_PREFIX.openldap-client}
+.endif
+
+.if !empty(PKG_OPTIONS:Mdlz-filesystem)
+CONFIGURE_ARGS+= --with-dlz-filesystem
+.endif
+
+.if !empty(PKG_OPTIONS:Mblacklist)
+CONFIGURE_ARGS+= --with-blacklist=yes
+.else
+CONFIGURE_ARGS+= --with-blacklist=no
+.endif
+
+.if !empty(PKG_OPTIONS:Mblocklist)
+CONFIGURE_ARGS+= --with-blocklist=yes
+.else
+CONFIGURE_ARGS+= --with-blocklist=no
+.endif
+
+.if !empty(PKG_OPTIONS:Mgeoip)
+CONFIGURE_ARGS+= --with-geoip=${PREFIX}
+LDFLAGS+= -lGeoIP
+.include "../../net/GeoIP/buildlink3.mk"
+.endif
+
+.if !empty(PKG_OPTIONS:Mgssapi)
+.include "../../mk/krb5.buildlink3.mk"
+CONFIGURE_ARGS+= --with-gssapi=${KRB5_CONFIG}
+.else
+CONFIGURE_ARGS+= --without-gssapi
+.endif
+
+.if !empty(PKG_OPTIONS:Mtuning)
+CONFIGURE_ARGS+= --with-tuning=large
+.endif
+
+.if !empty(PKG_OPTIONS:Mdnstap)
+CONFIGURE_ARGS+= --enable-dnstap
+PLIST.dnstap= yes
+.include "../../net/fstrm/buildlink3.mk"
+.include "../../devel/protobuf/buildlink3.mk"
+.include "../../devel/protobuf-c/buildlink3.mk"
+.endif
+
+###
+### The statistics server in bind99 and later needs libxml2
+###
+.if !empty(PKG_OPTIONS:Mbind-xml-statistics-server)
+.include "../../textproc/libxml2/buildlink3.mk"
+CONFIGURE_ARGS+= --with-libxml2
+LDFLAGS+= -lxml2
+.else
+CONFIGURE_ARGS+= --without-libxml2
+.endif
+
+###
+### The statistics server in bind911 and later supports json
+###
+.if !empty(PKG_OPTIONS:Mbind-json-statistics-server)
+.include "../../textproc/json-c/buildlink3.mk"
+CONFIGURE_ARGS+= --with-json-c=yes
+.else
+CONFIGURE_ARGS+= --with-json-c=no
+.endif
+
+###
+### pthreads support (also see magic above)
+###
+.if !empty(PKG_OPTIONS:Mthreads)
+PTHREAD_AUTO_VARS= yes
+.endif
+
+###
+### readline support in dig(1) and nsupdate(1).
+###
+.if !empty(PKG_OPTIONS:Mreadline)
+.include "../../devel/readline/buildlink3.mk"
+CONFIGURE_ARGS+= --with-readline
+.else
+CONFIGURE_ARGS+= --without-readline
+.endif
+
+###
+### dig(1) option +sigchase for DNSSEC signature chasing
+###
+.if !empty(PKG_OPTIONS:Mbind-dig-sigchase)
+# If anything else needs to add entries to STD_CDEFINES, this will need
+# to be changed so that the two can cooperate.
+CONFIGURE_ENV+= STD_CDEFINES=-DDIG_SIGCHASE=1
+.endif
diff --git a/bind920/patches/patch-bin_named_include_named_os.h b/bind920/patches/patch-bin_named_include_named_os.h
new file mode 100644
index 0000000000..4e65f62618
--- /dev/null
+++ b/bind920/patches/patch-bin_named_include_named_os.h
@@ -0,0 +1,22 @@
+$NetBSD$
+
+Part of fix to
+https://gitlab.isc.org/isc-projects/bind9/-/issues/4793
+pulled from
+https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9123
+
+--- bin/named/include/named/os.h.orig 2024-07-08 13:09:16.770267986 +0000
++++ bin/named/include/named/os.h
+@@ -41,8 +41,11 @@ named_os_inituserinfo(const char *userna
+ void
+ named_os_changeuser(void);
+
++void
++named_os_tempuser(uid_t uid);
++
+ uid_t
+-ns_os_uid(void);
++named_os_uid(void);
+
+ void
+ named_os_adjustnofile(void);
diff --git a/bind920/patches/patch-bin_named_os.c b/bind920/patches/patch-bin_named_os.c
new file mode 100644
index 0000000000..d6dc01cacf
--- /dev/null
+++ b/bind920/patches/patch-bin_named_os.c
@@ -0,0 +1,188 @@
+$NetBSD$
+
+Part of fix to ("BIND relinquishes privileges too early")
+
+https://gitlab.isc.org/isc-projects/bind9/-/issues/4793
+pulled from
+https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9123
+
+Also fix to (compat setresuid() is mis-implemented)
+and follow-up fixes to get rid of setresuid() usage:
+
+https://gitlab.isc.org/isc-projects/bind9/-/issues/4862
+pulled from
+https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9363
+
+--- bin/named/os.c.orig 2024-07-08 13:09:16.774268226 +0000
++++ bin/named/os.c
+@@ -249,115 +249,6 @@ linux_keepcaps(void) {
+
+ #endif /* HAVE_LIBCAP */
+
+-/*
+- * First define compatibility shims if {set,get}res{uid,gid} are not available
+- */
+-
+-#if !HAVE_GETRESGID
+-static int
+-getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid) {
+- *rgid = -1;
+- *egid = getegid();
+- *sgid = -1;
+-
+- return (0);
+-}
+-#endif /* !HAVE_GETRESGID */
+-
+-#if !HAVE_SETRESGID
+-static int
+-setresgid(gid_t rgid, gid_t egid, gid_t sgid) {
+- REQUIRE(rgid == (gid_t)-1);
+- REQUIRE(sgid == (gid_t)-1);
+-
+-#if HAVE_SETREGID
+- return (setregid(rgid, egid));
+-#else /* HAVE_SETREGID */
+- return (setegid(egid));
+-#endif /* HAVE_SETREGID */
+-}
+-#endif /* !HAVE_SETRESGID */
+-
+-#if !HAVE_GETRESUID
+-static int
+-getresuid(uid_t *ruid, uid_t *euid, uid_t *suid) {
+- *ruid = -1;
+- *euid = geteuid();
+- *suid = -1;
+-
+- return (0);
+-}
+-#endif /* !HAVE_GETRESUID */
+-
+-#if !HAVE_SETRESUID
+-static int
+-setresuid(uid_t ruid, uid_t euid, uid_t suid) {
+- REQUIRE(ruid == (uid_t)-1);
+- REQUIRE(suid == (uid_t)-1);
+-
+-#if HAVE_SETREGID
+- return (setregid(ruid, euid));
+-#else /* HAVE_SETREGID */
+- return (setegid(euid));
+-#endif /* HAVE_SETREGID */
+-}
+-#endif /* !HAVE_SETRESUID */
+-
+-static int
+-set_effective_gid(gid_t gid) {
+- gid_t oldgid;
+-
+- if (getresgid(&(gid_t){ 0 }, &oldgid, &(gid_t){ 0 }) == -1) {
+- return (-1);
+- }
+-
+- if (oldgid == gid) {
+- return (0);
+- }
+-
+- if (setresgid(-1, gid, -1) == -1) {
+- return (-1);
+- }
+-
+- if (getresgid(&(gid_t){ 0 }, &oldgid, &(gid_t){ 0 }) == -1) {
+- return (-1);
+- }
+-
+- if (oldgid != gid) {
+- return (-1);
+- }
+-
+- return (0);
+-}
+-
+-static int
+-set_effective_uid(uid_t uid) {
+- uid_t olduid;
+-
+- if (getresuid(&(uid_t){ 0 }, &olduid, &(uid_t){ 0 }) == -1) {
+- return (-1);
+- }
+-
+- if (olduid == uid) {
+- return (0);
+- }
+-
+- if (setresuid(-1, uid, -1) == -1) {
+- return (-1);
+- }
+-
+- if (getresuid(&(uid_t){ 0 }, &olduid, &(uid_t){ 0 }) == -1) {
+- return (-1);
+- }
+-
+- if (olduid != uid) {
+- return (-1);
+- }
+-
+- /* Success */
+- return (0);
+-}
+-
+ static void
+ setperms(uid_t uid, gid_t gid) {
+ char strbuf[ISC_STRERRORSIZE];
+@@ -366,13 +257,13 @@ setperms(uid_t uid, gid_t gid) {
+ * Drop the gid privilege first, because in some cases the gid privilege
+ * cannot be dropped after the uid privilege has been dropped.
+ */
+- if (set_effective_gid(gid) == -1) {
++ if (setegid(gid) == -1) {
+ strerror_r(errno, strbuf, sizeof(strbuf));
+ named_main_earlywarning("unable to set effective gid to %d: %s",
+ gid, strbuf);
+ }
+
+- if (set_effective_uid(uid) == -1) {
++ if (seteuid(uid) == -1) {
+ strerror_r(errno, strbuf, sizeof(strbuf));
+ named_main_earlywarning("unable to set effective uid to %d: %s",
+ uid, strbuf);
+@@ -578,12 +469,12 @@ named_os_changeuser(void) {
+
+ done_setuid = true;
+
+- if (setgid(runas_pw->pw_gid) < 0) {
++ if (setgid(runas_pw->pw_gid) == -1) {
+ strerror_r(errno, strbuf, sizeof(strbuf));
+ named_main_earlyfatal("setgid(): %s", strbuf);
+ }
+
+- if (setuid(runas_pw->pw_uid) < 0) {
++ if (setuid(runas_pw->pw_uid) == -1) {
+ strerror_r(errno, strbuf, sizeof(strbuf));
+ named_main_earlyfatal("setuid(): %s", strbuf);
+ }
+@@ -603,8 +494,22 @@ named_os_changeuser(void) {
+ #endif /* HAVE_LIBCAP */
+ }
+
++void
++named_os_tempuser(uid_t uid) {
++ char strbuf[ISC_STRERRORSIZE];
++
++ if (done_setuid) {
++ return;
++ }
++
++ if (getuid() == 0 && seteuid(uid) < 0) {
++ strerror_r(errno, strbuf, sizeof(strbuf));
++ named_main_earlyfatal("setuid(): %s", strbuf);
++ }
++}
++
+ uid_t
+-ns_os_uid(void) {
++named_os_uid(void) {
+ if (runas_pw == NULL) {
+ return (0);
+ }
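Review bot: The fatal path in the new `named_os_tempuser()` reports `"setuid(): %s"` although the call that failed is `seteuid()`, which makes a privilege-handling failure harder to diagnose from the log; it should read `named_main_earlyfatal("seteuid(): %s", strbuf);`. The same function tests `seteuid(uid) < 0` while the `setgid()`/`setuid()` checks earlier in this patch were just normalised to `== -1`, so `== -1` here would be consistent. A short header comment would also help, since the design relies on `seteuid()` leaving the saved uid at 0 (as the commit message notes): something like `/* Temporarily switch the effective uid (only when the real uid is 0); the saved uid stays 0 so named_os_tempuser(0) can regain privileges until named_os_changeuser() drops them for good. */`. The `named_os_uid()` body at the end of the hunk continues outside it.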
diff --git a/bind920/patches/patch-bin_named_server.c b/bind920/patches/patch-bin_named_server.c
new file mode 100644
index 0000000000..9c06704668
--- /dev/null
+++ b/bind920/patches/patch-bin_named_server.c
@@ -0,0 +1,52 @@
+$NetBSD$
+
+Part of fix to ("BIND relinquishes privileges too early")
+
+https://gitlab.isc.org/isc-projects/bind9/-/issues/4793
+pulled from
+https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9123
+
+--- bin/named/server.c.orig 2024-07-08 13:09:16.774268226 +0000
++++ bin/named/server.c
+@@ -9281,7 +9281,7 @@ load_configuration(const char *filename,
+ * Relinquish root privileges.
+ */
+ if (first_time) {
+- named_os_changeuser();
++ named_os_tempuser(named_os_uid());
+ }
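Review bot: The comment `* Relinquish root privileges.` immediately above the new `named_os_tempuser(named_os_uid())` call is now misleading, since that call only lowers the effective uid temporarily and the permanent drop happens later in the same function (the `named_os_changeuser()` added in the third hunk of this patch); I would reword it to `/* Temporarily drop root privileges; they are dropped for good once the listeners below are set up. */`. It is also worth a comment at the `named_os_tempuser(0)` site in the next hunk that on a reload this is a no-op, because `named_os_changeuser()` sets `done_setuid` and `named_os_tempuser()` returns early once it is set, so the window in which the statistics channels and interface scan run with effective uid 0 exists only on the first configuration load. `load_configuration()` starts and ends outside these hunks.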
+
+ /*
+@@ -9628,6 +9628,9 @@ load_configuration(const char *filename,
+ isc_loopmgr_resume(named_g_loopmgr);
+ exclusive = false;
+
++ /* Take back root privileges temporarily */
++ named_os_tempuser(0);
++
+ /* Configure the statistics channel(s) */
+ result = named_statschannels_configure(named_g_server, config,
+ named_g_aclconfctx);
+@@ -9655,6 +9658,13 @@ load_configuration(const char *filename,
+ (void)ns_interfacemgr_scan(server->interfacemgr, true, true);
+
+ /*
++ * Permanently drop root privileges now.
++ */
++ if (first_time) {
++ named_os_changeuser();
++ }
++
++ /*
+ * These cleans up either the old production view list
+ * or our temporary list depending on whether they
+ * were swapped above or not.
+@@ -13175,7 +13185,7 @@ nzd_env_close(dns_view_t *view) {
+ /*
+ * Database files must be owned by the eventual user, not by root.
+ */
+- ret = chown(dbpath_copy, ns_os_uid(), -1);
++ ret = chown(dbpath_copy, named_os_uid(), -1);
+ UNUSED(ret);
+
+ /*
diff --git a/bind920/patches/patch-configure.ac b/bind920/patches/patch-configure.ac
new file mode 100644
index 0000000000..e11cf0f1da
--- /dev/null
+++ b/bind920/patches/patch-configure.ac
@@ -0,0 +1,40 @@
+$NetBSD$
+
+Fix to (compat setresuid() is mis-implemented)
+and follow-up fixes to get rid of setresuid() usage:
+
+https://gitlab.isc.org/isc-projects/bind9/-/issues/4862
+pulled from
+https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/9363
+
+And ...
+
+support removal of WRKDIR references from config.h
+
+--- configure.ac.orig 2024-07-08 13:09:17.034283885 +0000
++++ configure.ac
+@@ -36,7 +36,10 @@ AC_DEFINE([PACKAGE_DESCRIPTION], [m4_ifn
+ AC_DEFINE([PACKAGE_SRCID], ["][bind_SRCID]["], [A short hash from git])
+
+ bind_CONFIGARGS="${ac_configure_args:-default}"
+-AC_DEFINE_UNQUOTED([PACKAGE_CONFIGARGS], ["$bind_CONFIGARGS"], [Either 'defaults' or used ./configure options])
++faked_CONFIGARGS=$(echo ${bind_CONFIGARGS} | \
++ sed -e 's|@TOOLS_DIR@|@PREFIX@|g' -e 's|@BUILDLINK_DIR@|@PREFIX@|g')
++AC_DEFINE_UNQUOTED([PACKAGE_CONFIGARGS], ["$faked_CONFIGARGS"], [Either 'defaul
++ts' or used ./configure options])
+
+ AC_DEFINE([PACKAGE_BUILDER], ["make"], [make or Visual Studio])
+
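Review bot: The replacement `AC_DEFINE_UNQUOTED([PACKAGE_CONFIGARGS], ...)` line is split in the middle of the word `defaults` across two `+` lines, and the `+36,10` count in the hunk header matches four added lines, so the break appears to be in the patch file itself rather than an artefact of this page; the description emitted into config.h would then carry a newline inside the quoted string, and joining the two lines back into one fixes it. The `echo ${bind_CONFIGARGS}` feeding sed is unquoted, so configure arguments containing globbing characters or runs of whitespace would be altered before they reach `PACKAGE_CONFIGARGS`; `echo "${bind_CONFIGARGS}"` is safer. Rewriting the build-directory paths before they are baked into the binary is a reasonable way to keep build-host paths out of what `named -V` reports.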
+@@ -426,12 +429,6 @@ AS_CASE([$host],
+
+ AC_CHECK_FUNCS([sysctlbyname])
+
+-#
+-# Check for uid/gid setting variants
+-#
+-AC_CHECK_FUNCS([setresuid setreuid getresuid])
+-AC_CHECK_FUNCS([setresgid setregid getresgid])
+-
+ AC_TYPE_SIZE_T
+ AC_TYPE_SSIZE_T
+ AC_TYPE_UINTPTR_T