Mercurial Mercurial > upstream > oracle > userland-gate / changeset
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
15807411 BIND extended privilege policy support - ports
authorStacey Marshall <Stacey.Marshall@Oracle.COM>
Thu, 16 Jun 2016 13:48:33 +0100
changeset 6228 37f9819bc49d
parent 6227 a498cb624014
child 6229 df01c95b47c5
15807411 BIND extended privilege policy support - ports
components/bind/Solaris/server.xml file | annotate | diff | comparison | revisions 
--- a/components/bind/Solaris/server.xml	Thu Jun 16 13:48:33 2016 +0100
+++ b/components/bind/Solaris/server.xml	Thu Jun 16 13:48:33 2016 +0100
@@ -65,9 +65,9 @@
       timeout_seconds='60' />
 
     <!--
-      	In order to run multiple named(8) processes with their own
-      	configuration file or properties each must have a unique
-      	instance.
+	In order to run multiple named(8) processes with their own
+	configuration file or properties each must have a unique
+	instance.
     -->
     <instance name='default' enabled='false' >
 
@@ -78,28 +78,36 @@
 	timeout_seconds='60' >
 	<method_context>
 	  <!--
-	  	privileges: (see privileges(5) and /etc/security/priv_names)
-		file_dac_read, file_dac_search:
-	  		Necessary for reading the configuration file
-			even it is restricted by the file permission.
-	  	net_privaddr:
-	  		Bind to a privileged port number.
-  		sys_resource:
-	  		Permit the setting of resource limits (eg. stack
-	  		size).
+	      privileges: (see privileges(5) and /etc/security/priv_names)
+	      file_dac_read, file_dac_search:
+			Necessary for reading the configuration file
+			even if it is restricted by the file
+			permission.
+	      net_privaddr:
+			Allow Binding to privileged port-number/proto.
+			*Port* | *Protocol* | *Comment*
+			~~~~~~~|~~~~~~~~~~~~|~~~~~~~~~~~~~~~~~~~~~~~~~~
+			53     | TCP/UDP    | Domain Queries
+			80     | TCP        | Statistics channel
+			921    | UDP        | Lightweight resolver
+			953    | TCP        | Remote diagnostic control
+		sys_resource:
+			Permit the setting of resource limits
+			(eg. stack size).
 		proc_chroot:
-	  		Permit use of chroot(2).
+			Permit use of chroot(2).
 	  -->
 	  <method_credential
 	    user='root'
 	    group='root'
-	    privileges='basic,!proc_session,!proc_info,!file_link_any,net_privaddr,file_dac_read,file_dac_search,sys_resource,proc_chroot' />
+	    privileges='basic,!proc_session,!proc_info,!file_link_any,{net_privaddr}:53/*,{net_privaddr}:80/tcp,{net_privaddr}:921/udp,{net_privaddr}:953/tcp,file_dac_read,file_dac_search,sys_resource,proc_chroot'
+	    />
 	</method_context>
       </exec_method>
 
       <!--
-	      SIGHUP causes named to reread its configuration file, but not any
-	      of the properties below.
+	  SIGHUP causes named to reread its configuration file, but not any
+	  of the properties below.
       -->
       <exec_method
 	type='method'
@@ -207,7 +215,7 @@
 		</common_name>
 		<documentation>
 			<manpage title='dns-server' section='8s'
- 			    manpath='/usr/man' />
+			    manpath='/usr/man' />
 		</documentation>
 	</template>
upstream/oracle/userland-gate