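#!/bin/sh
#
# Kyle Amon
# GNUTEC Information Technology Solutions
# http://www.gnutec.com/
# amonk@gnutec.com
# 203-668-UNIX
#
# chroot-bind
#
# Automate the steps necessary to set up BIND in a chroot(2) jail
# on OpenBSD systems.
#
# Runs as root against the bind8 port under /usr/ports/net/bind8.  Every
# step that fails stops the script right there (set -e) rather than
# carrying on and leaving a half-built jail behind.  The only steps that
# are allowed to be "already done" (existing directories, an existing
# /dev/null node, an existing named-xfer to back up) are guarded
# explicitly below.
#
set -eu

#
# What the hell, a little sanity
#
forbindver=8.2.2-P6
PORTVERSION=$(grep PKGNAME /usr/ports/net/bind8/Makefile | awk '{print $2}' | cut -d- -f 2-3)
if [ "$forbindver" != "$PORTVERSION" ] ; then
  echo "Whoa! This script was written for use with a ports collection" >&2
  echo "containing bind $forbindver and the ports tree on your system" >&2
  echo "appears to contain bind $PORTVERSION. Make sure this script" >&2
  echo "will behave as expected on your system prior to running it or" >&2
  echo "you may be sorry. Edit the script if needed, sending any" >&2
  echo "improvements to amonk@gnutec.com as context diffs." >&2
  exit 1
fi

#
# Scratch files for the source edits below.  These used to be fixed names
# under /tmp; a fixed name can be pre-created (e.g. as a symlink) by any
# local user, and the redirect below would then write through it as root.
# mktemp(1) gives an unpredictable name that we own, and the trap removes
# whatever is left on any exit path.
#
settings_tmp=$(mktemp /tmp/settings.XXXXXXXXXX) || exit 1
pathnames_tmp=$(mktemp /tmp/pathnames.h.XXXXXXXXXX) || exit 1
trap 'rm -f "$settings_tmp" "$pathnames_tmp"' EXIT

#
# Make static binaries
#
cd /usr/ports/net/bind8 || exit 1
make install
# Drop the port's objects so the rebuild below produces fresh binaries
# (-f: a missing object is not an error here).
rm -f work/named/named/named
rm -f work/named/named-xfer/named-xfer
rm -f work/named/ndc/ndc
rm -f work/named/ndc/ndc.o
# NOTE: both candidate rewrites of .settings that add -static are still
# commented out (the second was never settled, hence the ##??## marker), so
# the rebuild is NOT static until one of them is enabled.  The copy back
# into the tree only happens when a sed actually produced output, instead
# of failing on a file that was never written.
#sed 's/CDEBUG=-O2/CDEBUG=-O2 -static/g' work/named/.settings > "$settings_tmp"
##??##sed 's/CDEBUG=${CFLAGS}/CDEBUG=-O2 -static/g' work/named/named/.settings > "$settings_tmp"
if [ -s "$settings_tmp" ] ; then
  # cp (not mv) so the tree file keeps its own mode rather than mktemp's 0600
  cp "$settings_tmp" work/named/named/.settings
fi
# Point ndc at the control socket inside the jail.
sed 's#/var/run/ndc#/var/named/var/run/ndc#g' work/named/ndc/pathnames.h > "$pathnames_tmp"
cp "$pathnames_tmp" work/named/ndc/pathnames.h
cd work/named || exit 1
make

#
# Create chroot jail
#
# -p: an already-present directory is fine; the modes of any intermediate
# directories mkdir creates are fixed up by the chmods that follow.
chmod 2750 /var/named
mkdir -p -m 2750 /var/named/dev
mkdir -p -m 2750 /var/named/etc
mkdir -p -m 2750 /var/named/var/named
mkdir -p -m 2750 /var/named/var/named/pz
mkdir -p -m 2770 /var/named/var/named/sz
mkdir -p -m 2770 /var/named/var/named/stubz
#mkdir -p -m 2750 /var/named/usr/local/libexec
mkdir -p -m 2750 /var/named/usr/local/sbin
mkdir -p -m 2770 /var/named/var/run
mkdir -p -m 2770 /var/named/var/log
mkdir -p -m 2770 /var/named/var/tmp
chmod 2750 /var/named/usr
chmod 2750 /var/named/usr/local
chmod 2750 /var/named/var
chown -R root:named /var/named

#
# Copy staticly linked binaries into chroot jail
#
cd /usr/ports/net/bind8 || exit 1
cp work/named/named/named /var/named/usr/local/sbin
if [ -f /var/named/named-xfer ] ; then
  cp /var/named/named-xfer /var/named/named-xfer.nonport # backup existing file
fi
cp work/named/named-xfer/named-xfer /var/named/named-xfer
cp work/named/ndc/ndc /usr/local/sbin/ndc

#
# Copy/create remaining files necessary for the chroot jail
#
cp /etc/localtime /var/named/etc
if [ ! -c /var/named/dev/null ] ; then
  mknod /var/named/dev/null c 2 2
fi
chmod 666 /var/named/dev/null

#
# Massage initialization files into shape
#
# Quoted heredoc: every line is appended literally, exactly as before.
rc=/etc/rc.conf
cat >> "$rc" <<'EOF'

# -- generated with chroot-bind for OpenBSD -- #
# -- by Kyle Amon -- #
# -- GNUTEC Information Technology Solutions -- #
# -- http://www.gnutec.com/ -- #
# -- amonk@gnutec.com -- #
# -- 203-668-UNIX -- #
named_enable="YES"
named_program="/var/named/usr/local/sbin/named"
named_flags="-t /var/named -u named -g named /var/named/named.conf"
syslogd_flags="-a /var/named/dev/log"

EOF

#
# Disable original named
#
# Only files that are actually present are touched, so a missing one does
# not abort the run under set -e.
#chmod 000 /usr/libexec/named-xfer
#chmod 000 /usr/local/libexec/named-xfer
for f in /usr/sbin/named /usr/local/sbin/named /usr/sbin/ndc \
    /var/named/named-xfer.nonport ; do
  if [ -e "$f" ] ; then
    chmod 000 "$f"
  fi
done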