From 5e88c7bbd079229953eceb8ccbc00f0c3a91586f Mon Sep 17 00:00:00 2001
From: Jiri Popelka <jpopelka@redhat.com>
Date: Aug 12 2011 13:23:39 +0000
Subject: Do not run dhcpd as root (BZ#699713)


Use '--enable-paranoia --enable-early-chroot' configure flags
Create/delete dhcpd user in %post/%postun
Run dhcpd/dhcpd6 services with '-user dhcpd -group dhcpd'

---

diff --git a/dhcp.spec b/dhcp.spec
index 5954127..bb4d53b 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -16,7 +16,7 @@
 Summary:  Dynamic host configuration protocol software
 Name:     dhcp
 Version:  4.2.2
-Release:  1%{?dist}
+Release:  2%{?dist}
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now.  It should have never been used, but it was.
@@ -366,7 +366,8 @@ CFLAGS="%{optflags} -fno-strict-aliasing -D_GNU_SOURCE" \
     --with-ldap \
     --with-ldapcrypto \
     --with-libbind=%{_includedir} --with-libbind-libs=%{_libdir} \
-    --disable-static
+    --disable-static \
+    --enable-paranoia --enable-early-chroot
 %{__make} %{?_smp_mflags}
 
 %install
@@ -488,6 +489,9 @@ fi
 
 # Initial installation 
 if [ $1 -eq 1 ] ; then 
+#   create system user/group dhcpd
+    useradd --system dhcpd
+
     /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 fi
 
@@ -530,6 +534,12 @@ if [ $1 -ge 1 ]; then
     /bin/systemctl try-restart dhcrelay.service >/dev/null 2>&1 || :
 fi
 
+# uninstall
+if [ $1 -eq 0 ]; then
+#   delete user/group dhcpd
+    userdel dhcpd
+fi
+
 
 %post libs -p /sbin/ldconfig
 
@@ -629,6 +639,12 @@ fi
 %{_initddir}/dhcrelay
 
 %changelog
+* Fri Aug 12 2011 Jiri Popelka <jpopelka@redhat.com> - 12:4.2.2-2
+- #699713:
+  - Use '--enable-paranoia --enable-early-chroot' configure flags
+  - Create/delete dhcpd user in %%post/%%postun
+  - Run dhcpd/dhcpd6 services with '-user dhcpd -group dhcpd'
+
 * Thu Aug 11 2011 Jiri Popelka <jpopelka@redhat.com> - 12:4.2.2-1
 - 4.2.2: fix for CVE-2011-2748, CVE-2011-2749 (#729850)
 
diff --git a/dhcpd.service b/dhcpd.service
index 3e36c25..c9a73a1 100644
--- a/dhcpd.service
+++ b/dhcpd.service
@@ -4,7 +4,7 @@ After=syslog.target network.target
 
 [Service]
 EnvironmentFile=/etc/sysconfig/dhcpd
-ExecStart=/usr/sbin/dhcpd -d --no-pid $DHCPDARGS
+ExecStart=/usr/sbin/dhcpd -d -user dhcpd -group dhcpd --no-pid $DHCPDARGS
 
 [Install]
 WantedBy=multi-user.target
diff --git a/dhcpd6.service b/dhcpd6.service
index 0e38429..33f145a 100644
--- a/dhcpd6.service
+++ b/dhcpd6.service
@@ -4,7 +4,7 @@ After=syslog.target network.target
 
 [Service]
 EnvironmentFile=/etc/sysconfig/dhcpd6
-ExecStart=/usr/sbin/dhcpd -6 -d --no-pid $DHCPDARGS
+ExecStart=/usr/sbin/dhcpd -d -6 -user dhcpd -group dhcpd --no-pid $DHCPDARGS
 
 [Install]
 WantedBy=multi-user.target