[Pkg-aide-maintainers] Bug#475983: Bug#475983: Suggestion: bind9 chroot rule

Marc Haber mh+debian-packages at zugschlus.de
Thu May 22 14:06:54 UTC 2008


On Mon, May 05, 2008 at 10:46:26AM +0200, Guido Bozzetto wrote:
> On Sunday 04 May 2008, at 09:38, Marc Haber wrote:
> > I currently think that this is driving the magic "too far". If one
> > decides to run bind chrooted, that one should also be able to modify
> > the aide rules themselves.
> 
> OK, it's clear.
> 
> I think it is useful to insert something like an example:
> - directly in commented lines into 31_aide_bind9:
> 
> #! /bin/bash
> #
> # # Automagically extract chroot directory
> # . /etc/default/bind9
> # set $OPTIONS
> # for i in $@;do
> #   if [ "$1" == "-t" ]
> #     then echo "@@define BINDCHROOT $2"; break
> #     else shift
> #   fi
> # done
> # # Or manually set chroot directory
> # # BINDCHROOT=/var/cache/bind

I have put this code with a little more prose into 30_aide_bind9,
commented out. It is a good idea to show people what's possible with
the Debian configuration scheme.

> cat << !EOF
> @@ifdef BINDCHROOT
> @@{BINDCHROOT}/dev/log$ LowLogs
> @@{BINDCHROOT}/dev VarDir
> @@endif

I don't understand that. My systems don't have a /dev/log inside the
chroot.

> - in the /etc/bind9/named.conf.options installation file of bind9
>   there is the directive
> directory "/var/cache/bind";
>   so it is useful to introduce:

That would have to be

@@{BINDCHROOT}/var/cache/bind$ VarDir
@@{BINDCHROOT}/var/cache/bind/xxx$ VarFile

with xxx being a regexp that applies to all zone files that we are
slave for. But to achieve that, we'd need to parse bind configuration
even more...

So it would probably be sensible to exclude /var/cache/bind entirely,
but I am not convinced about that yet.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
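
The chroot extraction discussed in this message, as an added example (not part of the original mail and not the code shipped in the aide package): a POSIX sh sketch of an executable aide.conf.d snippet that pulls the `-t` directory out of named's OPTIONS and emits the `@@define` plus the `/var/cache/bind` rule quoted above. The function names and the sample OPTIONS strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; OPTIONS values are constructed.

# Print the directory passed to named's -t option, or nothing if absent.
# The body runs in a subshell so "set -f" does not leak to the caller.
bind_chroot_from_options() (
    # "set --" stops a leading "-u" from being parsed as a shell option,
    # which a bare "set $OPTIONS" does with OPTIONS="-u bind".
    set -f            # word splitting is wanted, globbing is not
    set -- $1
    while [ "$#" -gt 0 ]; do
        case "$1" in
            -t)   [ "$#" -ge 2 ] && printf '%s\n' "$2"; return 0 ;;
            -t?*) printf '%s\n' "${1#-t}"; return 0 ;;  # getopt form -t/dir
        esac
        shift
    done
)

# Emit AIDE configuration for a chrooted bind; emit nothing if not chrooted.
emit_bind_chroot_rules() {
    dir=$(bind_chroot_from_options "$1")
    [ -n "$dir" ] || return 0
    # The value is pasted into AIDE selection lines, which are regular
    # expressions: accept only an absolute path made of letters, digits,
    # '.', '_', '-' and '/', and refuse everything else.
    case "$dir" in
        /*) ;;
        *)  return 1 ;;
    esac
    case "$dir" in
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    cat <<EOF
@@define BINDCHROOT $dir
@@{BINDCHROOT}/var/cache/bind\$ VarDir
EOF
}

# A real snippet would source /etc/default/bind9 and pass "$OPTIONS";
# a constructed value is used here so the example runs anywhere.
emit_bind_chroot_rules '-u bind -t /var/lib/named'
```
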




