#!/bin/sh

# Search only the system binary directories for the bare command names
# used below (mkdir, chmod, chown, sleep, start-stop-daemon).
# NOTE(review): PATH is assigned but not explicitly exported here; confirm
# it is already in the environment so child processes see this value.
PATH=/sbin:/bin:/usr/sbin:/usr/bin

# FILE:  /etc/init.d/bind9
#
# This file has been modified to use the Linux vserver 'chcontext'
# command to place named in its own context, and to take away
# most capabilities from this process.  In addition, this is set
# up to use chroot to limit filesystem access.  It's also set up
# to set hard ulimits, since /etc/security/limits.conf seems to
# be ignored/misconfigured on some systems.
#
# See http://www.linux-vserver.org for vserver details
#
# FAQ: Why? Isn't chroot good enough?  Answer: I'm paranoid.
#
# Linas Vepstas <linas@linas.org> Oct 2003

# Arguments handed to named.
# For a chrooted server: "-u bind -t /var/lib/named"
# These defaults can be replaced by /etc/default/bind9, sourced below.
OPTIONS="-u bind -t /home/bind/root"

# vserver context number used for named; 99 is an arbitrary choice.
CTXT=99

# Site-local overrides.  The file is sourced, i.e. executed as shell code
# with this script's privileges (normally root), so it should be writable
# by root only.
if [ -f /etc/default/bind9 ]; then
    . /etc/default/bind9
fi

# Without an executable rndc, leave quietly and report success.
[ -x /usr/sbin/rndc ] || exit 0

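# Apply one resource limit to this shell, as both the soft and the hard
# limit.  Everything started from this shell afterwards inherits it.
#   $1 - ulimit resource flag (e.g. -c)
#   $2 - limit value
# POSIX sh only specifies `ulimit -f`; shells differ in which other flags
# they accept and in whether several resources may be given in one call.
# Each resource is therefore set on its own, and a failure is reported so
# that named is not started with fewer limits than intended without notice.
set_limit() {
    if ! ulimit -S "$1" "$2" || ! ulimit -H "$1" "$2"; then
        echo "warning: could not apply ulimit $1 $2" >&2
    fi
}

# Dispatch on the init action given as the first argument.
case "$1" in
    start)
        # Check for the daemon before touching the filesystem or printing
        # the progress line.
        if [ ! -x /usr/sbin/named ]; then
            echo "named binary missing - not starting" >&2
            exit 1
        fi

        # printf instead of `echo -n`, which is not portable under /bin/sh.
        printf '%s' "Starting domain name service: named"

        # dirs under /var/run can go away on reboots.
        # NOTE(review): this path is hard-coded to the default chroot in
        # OPTIONS (-t /home/bind/root); if /etc/default/bind9 changes the
        # chroot, this directory has to follow.
        mkdir -p /home/bind/root/var/run/bind/run
        chmod 775 /home/bind/root/var/run/bind/run
        # Best effort, errors deliberately hidden.  If this fails the
        # directory keeps its previous owner and group -- presumably named
        # (running as 'bind') then cannot write there; verify on failure.
        chown root:bind /home/bind/root/var/run/bind/run >/dev/null 2>&1 || true

        # Set some 'reasonable' limits on the kernel resources this user
        # can use.  They are set in this shell and inherited by chcontext,
        # start-stop-daemon and named.
        set_limit -c 10
        set_limit -f 50123
        set_limit -l 50123
        set_limit -m 50123
        set_limit -n 50
        set_limit -t 72123
        set_limit -u 50
        set_limit -v 50123
        set_limit -s 8192

        # The current bind9 requires CAP_SYS_RESOURCE, since apparently
        # named tries to take away capabilities on its own ...
        # which means that specifying --secure might be superfluous.
        # Need to use CAP_SYS_CHROOT so that bind can actually
        # perform the chroot. It would be nice to take away this
        # cap a bit later ...
        #
        # NOTE(review): --pidfile is read by start-stop-daemon outside the
        # chroot, while the run directory above is created under
        # /home/bind/root; confirm /var/run/bind/run resolves to it.
        # $OPTIONS is intentionally unquoted: it holds several words.
        /usr/sbin/chcontext --flag lock --flag sched --ctx "$CTXT" \
            --secure \
            --cap CAP_SYS_RESOURCE \
            --cap CAP_SYS_CHROOT \
            start-stop-daemon --start --quiet --exec /usr/sbin/named \
            --pidfile /var/run/bind/run/named.pid -- $OPTIONS
        echo "."
        ;;

    stop)
        printf '%s' "Stopping domain name service: named"
        # rndc is run in the same context number as named.
        /usr/sbin/chcontext --flag lock --flag sched --ctx "$CTXT" \
            /usr/sbin/rndc stop
        echo "."
        ;;

    reload)
        /usr/sbin/chcontext --flag lock --flag sched --ctx "$CTXT" \
            /usr/sbin/rndc reload
        ;;

    restart|force-reload)
        # Re-invoke this script; quoted so a path with spaces still works.
        "$0" stop
        sleep 2
        "$0" start
        ;;

    *)
        # Report the name the script was actually invoked as.
        echo "Usage: $0 {start|stop|reload|restart|force-reload}" >&2
        exit 1
        ;;
esac

exit 0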
