From: Andreas Schneider
Date: Tue, 5 Sep 2017 09:47:27 +0000 (+0200)
Subject: samba_upgradedns: When we setup the internal dns cleanup bind-dns dir
X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=05169a6047e6e3271949c96652a667f624e9a62d;p=metze%2Fsamba%2Fwip.git
samba_upgradedns: When we setup the internal dns cleanup bind-dns dir Make sure to remove everything from the bind-dns directory to avoid possible security issues with the named group having write access to all AD partions
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957
Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
---
diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index 3369bcfed930..261d8a1922da 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -553,6 +553,23 @@ if __name__ == '__main__':
 "updates", paths.namedtxt)
 elif opts.dns_backend == "SAMBA_INTERNAL":
+ # Make sure to remove everything from the bind-dns directory to avoid
+ # possible security issues with the named group having write access
+ # to all AD partions
+ cleanup_remove_file(os.path.join(paths.binddns_dir, "dns.keytab"))
+ cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf"))
+ cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf.update"))
+ cleanup_remove_file(os.path.join(paths.binddns_dir, "named.txt"))
+
+ cleanup_remove_dir(os.path.dirname(paths.dns))
+
+ try:
+ os.chmod(paths.private_dir, 0o700)
+ os.chown(paths.private_dir, -1, 0)
+ except:
+ logger.warn("Failed to restore owner and permissions for %s",
+ (paths.private_dir))
+
 # Check if dns-HOSTNAME account exists and delete it if required
 try:
 dn_str = 'samAccountName=dns-%s,CN=Principals' % hostname
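Review bot: The bare `except:` around the chmod/chown in the new SAMBA_INTERNAL branch swallows every exception (including KeyboardInterrupt and SystemExit) and the warning drops the reason, so a failed restore of private_dir, which leaves the directory's previous group access in place, is only visible as a message without a cause. Catch the OS error and log it: `except OSError as e:` / `logger.warn("Failed to restore owner and permissions for %s: %s", paths.private_dir, e)`; the parentheses around `(paths.private_dir)` do not form a tuple and can be dropped, and `logger.warning` is the non-deprecated spelling if the script runs on Python 3. The header comment promises to remove everything from the bind-dns directory, while the code removes four named files plus the directory containing paths.dns; if other files can exist there under the named group they would be left behind, so either confirm that set is complete or narrow the comment to what is actually deleted. The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.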