From 05169a6047e6e3271949c96652a667f624e9a62d Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Tue, 5 Sep 2017 11:47:27 +0200
Subject: [PATCH] samba_upgradedns: When we setup the internal dns cleanup bind-dns dir

Make sure to remove everything from the bind-dns directory to avoid possible security issues with the named group having write access to all AD partions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12957

Signed-off-by: Andreas Schneider
Reviewed-by: Jeremy Allison
---
 source4/scripting/bin/samba_upgradedns | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/source4/scripting/bin/samba_upgradedns b/source4/scripting/bin/samba_upgradedns
index 3369bcfed930..261d8a1922da 100755
--- a/source4/scripting/bin/samba_upgradedns
+++ b/source4/scripting/bin/samba_upgradedns
@@ -553,6 +553,23 @@ if __name__ == '__main__':
                                  "updates", paths.namedtxt)
 
     elif opts.dns_backend == "SAMBA_INTERNAL":
+        # Make sure to remove everything from the bind-dns directory to avoid
+        # possible security issues with the named group having write access
+        # to all AD partions
+        cleanup_remove_file(os.path.join(paths.binddns_dir, "dns.keytab"))
+        cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf"))
+        cleanup_remove_file(os.path.join(paths.binddns_dir, "named.conf.update"))
+        cleanup_remove_file(os.path.join(paths.binddns_dir, "named.txt"))
+
+        cleanup_remove_dir(os.path.dirname(paths.dns))
+
+        try:
+            os.chmod(paths.private_dir, 0o700)
+            os.chown(paths.private_dir, -1, 0)
+        except:
+            logger.warn("Failed to restore owner and permissions for %s",
+                        (paths.private_dir))
+
         # Check if dns-HOSTNAME account exists and delete it if required
         try:
             dn_str = 'samAccountName=dns-%s,CN=Principals' % hostname
-- 
2.34.1
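Review bot: The bare `except:` around the os.chmod/os.chown pair catches everything (including KeyboardInterrupt and SystemExit) and drops the reason the permission repair failed, even though this is the step that is supposed to close off group write access to the private directory; narrow it to `except OSError as e:` and log the cause, e.g. `logger.warning("Failed to restore owner and permissions for %s: %s", paths.private_dir, e)`. Since chmod and chown sit in one try, a chown failure after a successful chmod is reported with the same generic message, so including `e` also tells the admin which half failed. `logger.warn` is a deprecated alias of `logger.warning`, and the first added comment line has a typo, "partions" for "partitions". The enclosing `if __name__ == '__main__':` block starts and ends outside the hunk.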