From c45de2faf0c38b57b5d3520b17faae8d34d31ef7 Mon Sep 17 00:00:00 2001
From: Jiri Popelka
Date: Oct 09 2011 18:19:26 +0000
Subject: change ownership of /var/lib/dhcpd/ to dhcpd:dhcpd (#744292)

no need to drop capabilies in dhcpd since it's been running as regular user
---
diff --git a/dhcp-4.2.2-capability.patch b/dhcp-4.2.2-capability.patch
index 79af036..db2fb38 100644
--- a/dhcp-4.2.2-capability.patch
+++ b/dhcp-4.2.2-capability.patch
@@ -248,76 +248,3 @@ diff -up dhcp-4.2.2b1/relay/Makefile.am.capability dhcp-4.2.2b1/relay/Makefile.a man_MANS = dhcrelay.8 EXTRA_DIST = $(man_MANS) -diff -up dhcp-4.2.2b1/server/dhcpd.c.capability dhcp-4.2.2b1/server/dhcpd.c ---- dhcp-4.2.2b1/server/dhcpd.c.capability 2011-07-01 15:09:06.636784192 +0200 -+++ dhcp-4.2.2b1/server/dhcpd.c 2011-07-01 15:09:06.670783841 +0200 -@@ -58,6 +58,11 @@ static const char url [] = - # undef group - #endif /* PARANOIA */ - -+#ifdef HAVE_LIBCAP_NG -+# include -+ int keep_capabilities = 0; -+#endif -+ - static void usage(void); - - struct iaddr server_identifier; -@@ -403,6 +408,10 @@ main(int argc, char **argv) { - traceinfile = argv [i]; - trace_replay_init (); - #endif /* TRACING */ -+ } else if (!strcmp(argv[i], "-nc")) { -+#ifdef HAVE_LIBCAP_NG -+ keep_capabilities = 1; -+#endif - } else if (argv [i][0] == '-') { - usage (); - } else { -@@ -459,6 +468,17 @@ main(int argc, char **argv) { - } - #endif /* DHCPv6 */ - -+#ifdef HAVE_LIBCAP_NG -+ /* Drop capabilities */ -+ if (!keep_capabilities) { -+ capng_clear(CAPNG_SELECT_BOTH); -+ capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, -+ CAP_NET_RAW, CAP_NET_BIND_SERVICE, CAP_SYS_CHROOT, CAP_SETUID, CAP_SETGID, -1); -+ capng_apply(CAPNG_SELECT_BOTH); -+ log_info ("Dropped all unnecessary capabilities."); -+ } -+#endif -+ - /* - * convert relative path names to absolute, for files that need - * to be reopened after chdir() has been called -@@ -859,6 +879,15 @@ main(int argc, char **argv) { - omapi_set_int_value ((omapi_object_t *)dhcp_control_object, - (omapi_object_t *)0, "state", server_running); - -+#ifdef HAVE_LIBCAP_NG -+ /* Drop all capabilities */ -+ if (!keep_capabilities) { -+ capng_clear(CAPNG_SELECT_BOTH); -+ capng_apply(CAPNG_SELECT_BOTH); -+ log_info ("Dropped all capabilities."); -+ } -+#endif -+ - /* Receive packets and dispatch them... 
*/ - dispatch (); - -diff -up dhcp-4.2.2b1/server/Makefile.am.capability dhcp-4.2.2b1/server/Makefile.am ---- dhcp-4.2.2b1/server/Makefile.am.capability 2011-07-01 15:09:06.546785121 +0200 -+++ dhcp-4.2.2b1/server/Makefile.am 2011-07-01 15:09:06.671783830 +0200 -@@ -8,7 +8,8 @@ dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c c - - dhcpd_CFLAGS = $(LDAP_CFLAGS) - dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \ -- ../dhcpctl/libdhcpctl.a $(BIND9_LIBDIR) -ldns-export -lisc-export -+ ../dhcpctl/libdhcpctl.a $(BIND9_LIBDIR) -ldns-export -lisc-export \ -+ $(CAPNG_LDADD) - - man_MANS = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5 - EXTRA_DIST = $(man_MANS) diff --git a/dhcp.spec b/dhcp.spec index cd0bb2b..68e129e 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -19,7 +19,7 @@ Summary: Dynamic host configuration protocol software Name: dhcp Version: 4.2.2 -Release: 9%{?dist} +Release: 10%{?dist} # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to # dcantrell maintaining the package) made incorrect use of the epoch and # that's why it is at 12 now. It should have never been used, but it was. @@ -499,6 +499,11 @@ if [ $1 -eq 1 ] ; then /bin/systemctl daemon-reload >/dev/null 2>&1 || : fi +# Update +if [ $1 -gt 1 ] ; then + chown -R dhcpd:dhcpd %{_localstatedir}/lib/dhcpd/ +fi + %post -n dhclient /bin/ls -1 %{_sysconfdir}/dhclient* >/dev/null 2>&1 
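Review bot: The `chown -R dhcpd:dhcpd %{_localstatedir}/lib/dhcpd/` added in the `@@ -499,6 +499,11 @@` hunk runs as root on every upgrade (`$1 -gt 1`), and from the second upgrade onward it walks a tree that the unprivileged dhcpd account owns and can populate. A recursive root chown over a directory writable by the service account will give that account ownership of whatever entries it finds there, which is a known packaging hazard on systems without hard-link restrictions. The migration is only needed once, so I would run it only when upgrading from a release older than this one, for example in a `%triggerun -- dhcp < 12:4.2.2-10` scriptlet, and make it non-recursive on the known names: `chown -h dhcpd:dhcpd %{_localstatedir}/lib/dhcpd %{_localstatedir}/lib/dhcpd/dhcpd.leases %{_localstatedir}/lib/dhcpd/dhcpd6.leases`. The enclosing scriptlet starts outside the hunk, so I cannot see which `%post` section this lands in or whether the service is stopped while it runs.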
@@ -569,10 +574,10 @@ fi %files %doc dhcpd.conf.sample dhcpd6.conf.sample %doc contrib/* -%dir %{_localstatedir}/lib/dhcpd %attr(0750,root,root) %dir %{dhcpconfdir} -%verify(not size md5 mtime) %config(noreplace) %{_localstatedir}/lib/dhcpd/dhcpd.leases -%verify(not size md5 mtime) %config(noreplace) %{_localstatedir}/lib/dhcpd/dhcpd6.leases +%attr(0755,dhcpd,dhcpd) %dir %{_localstatedir}/lib/dhcpd +%attr(0644,dhcpd,dhcpd) %verify(not size md5 mtime) %config(noreplace) %{_localstatedir}/lib/dhcpd/dhcpd.leases +%attr(0644,dhcpd,dhcpd) %verify(not size md5 mtime) %config(noreplace) %{_localstatedir}/lib/dhcpd/dhcpd6.leases %config(noreplace) %{_sysconfdir}/sysconfig/dhcpd %config(noreplace) %{_sysconfdir}/sysconfig/dhcpd6 %config(noreplace) %{_sysconfdir}/sysconfig/dhcrelay @@ -637,6 +642,10 @@ fi %{_initddir}/dhcrelay %changelog +* Sun Oct 09 2011 Jiri Popelka - 12:4.2.2-10 +- change ownership of /var/lib/dhcpd/ to dhcpd:dhcpd (#744292) +- no need to drop capabilies in dhcpd since it's been running as regular user + * Fri Sep 30 2011 Jiri Popelka - 12:4.2.2-9 - 56dhclient: ifcfg file was not sourced (#742482) diff --git a/dhcp420-sharedlib.patch b/dhcp420-sharedlib.patch index 74fe9f1..d30b8e1 100644 --- a/dhcp420-sharedlib.patch +++ b/dhcp420-sharedlib.patch @@ -1,7 +1,7 @@ diff -up dhcp-4.2.2/client/Makefile.am.sharedlib dhcp-4.2.2/client/Makefile.am ---- dhcp-4.2.2/client/Makefile.am.sharedlib 2011-09-09 16:35:56.000000000 +0200 -+++ dhcp-4.2.2/client/Makefile.am 2011-09-09 16:36:29.849007951 +0200 -@@ -4,7 +4,7 @@ dhclient_SOURCES = clparse.c dhclient.c +--- dhcp-4.2.2/client/Makefile.am.sharedlib 2011-10-09 20:07:40.000000000 +0200 ++++ dhcp-4.2.2/client/Makefile.am 2011-10-09 20:07:40.000000000 +0200 +@@ -4,7 +4,7 @@ dhclient_SOURCES = clparse.c dhclient.c scripts/bsdos scripts/freebsd scripts/linux scripts/macos \ scripts/netbsd scripts/nextstep scripts/openbsd \ scripts/solaris scripts/openwrt 
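Review bot: The new `%attr(0755,dhcpd,dhcpd) %dir %{_localstatedir}/lib/dhcpd` and the two `%attr(0644,dhcpd,dhcpd)` lease entries in the `%files` hunk leave the lease databases readable by every local user, while the neighbouring `%attr(0750,root,root) %dir %{dhcpconfdir}` line restricts the configuration directory. Lease files record client hardware addresses and hostnames, so unless some other local tool is expected to read them (not visible from this hunk), `%attr(0750,dhcpd,dhcpd)` on the directory and `%attr(0640,dhcpd,dhcpd)` on the files would be the tighter default. A one-line comment above these entries, such as `# state dir is owned by dhcpd because the daemon runs as that user and rewrites the lease files`, would also record why ownership differs from the rest of the package.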
@@ -11,8 +11,8 @@ diff -up dhcp-4.2.2/client/Makefile.am.sharedlib dhcp-4.2.2/client/Makefile.am man_MANS = dhclient.8 dhclient-script.8 dhclient.conf.5 dhclient.leases.5 EXTRA_DIST = $(man_MANS) diff -up dhcp-4.2.2/configure.ac.sharedlib dhcp-4.2.2/configure.ac ---- dhcp-4.2.2/configure.ac.sharedlib 2011-09-09 16:35:56.097000001 +0200 -+++ dhcp-4.2.2/configure.ac 2011-09-09 16:35:56.383000000 +0200 +--- dhcp-4.2.2/configure.ac.sharedlib 2011-10-09 20:07:40.000000000 +0200 ++++ dhcp-4.2.2/configure.ac 2011-10-09 20:07:40.000000000 +0200 @@ -30,7 +30,8 @@ fi # Use this to define _GNU_SOURCE to pull in the IPv6 Advanced Socket API. AC_USE_SYSTEM_EXTENSIONS @@ -24,8 +24,8 @@ diff -up dhcp-4.2.2/configure.ac.sharedlib dhcp-4.2.2/configure.ac # we sometimes need to know byte order for building packets diff -up dhcp-4.2.2/dhcpctl/Makefile.am.sharedlib dhcp-4.2.2/dhcpctl/Makefile.am ---- dhcp-4.2.2/dhcpctl/Makefile.am.sharedlib 2011-09-09 16:35:55.459000001 +0200 -+++ dhcp-4.2.2/dhcpctl/Makefile.am 2011-09-09 16:35:56.384000000 +0200 +--- dhcp-4.2.2/dhcpctl/Makefile.am.sharedlib 2011-10-09 20:07:39.000000000 +0200 ++++ dhcp-4.2.2/dhcpctl/Makefile.am 2011-10-09 20:07:40.000000000 +0200 @@ -1,15 +1,15 @@ bin_PROGRAMS = omshell -lib_LIBRARIES = libdhcpctl.a @@ -48,7 +48,7 @@ diff -up dhcp-4.2.2/dhcpctl/Makefile.am.sharedlib dhcp-4.2.2/dhcpctl/Makefile.am $(BIND9_LIBDIR) -ldns-export -lisc-export diff -up dhcp-4.2.2/dst/base64.c.sharedlib dhcp-4.2.2/dst/base64.c --- dhcp-4.2.2/dst/base64.c.sharedlib 2009-11-20 02:49:01.000000000 +0100 -+++ dhcp-4.2.2/dst/base64.c 2011-09-09 16:35:56.385000000 +0200 ++++ dhcp-4.2.2/dst/base64.c 2011-10-09 20:07:40.000000000 +0200 @@ -64,6 +64,7 @@ static const char rcsid[] = "$Id: base64 #include 
@@ -59,7 +59,7 @@ diff -up dhcp-4.2.2/dst/base64.c.sharedlib dhcp-4.2.2/dst/base64.c #include "arpa/nameser.h" diff -up dhcp-4.2.2/dst/Makefile.am.sharedlib dhcp-4.2.2/dst/Makefile.am --- dhcp-4.2.2/dst/Makefile.am.sharedlib 2007-05-29 18:32:10.000000000 +0200 -+++ dhcp-4.2.2/dst/Makefile.am 2011-09-09 16:35:56.386000000 +0200 ++++ dhcp-4.2.2/dst/Makefile.am 2011-10-09 20:07:40.000000000 +0200 @@ -1,8 +1,8 @@ AM_CPPFLAGS = -DMINIRES_LIB -DHMAC_MD5 @@ -72,8 +72,8 @@ diff -up dhcp-4.2.2/dst/Makefile.am.sharedlib dhcp-4.2.2/dst/Makefile.am EXTRA_DIST = dst_internal.h md5.h md5_locl.h diff -up dhcp-4.2.2/omapip/Makefile.am.sharedlib dhcp-4.2.2/omapip/Makefile.am ---- dhcp-4.2.2/omapip/Makefile.am.sharedlib 2011-09-09 16:35:55.000000000 +0200 -+++ dhcp-4.2.2/omapip/Makefile.am 2011-09-09 16:37:36.734000324 +0200 +--- dhcp-4.2.2/omapip/Makefile.am.sharedlib 2011-10-09 20:07:39.000000000 +0200 ++++ dhcp-4.2.2/omapip/Makefile.am 2011-10-09 20:07:40.000000000 +0200 @@ -1,7 +1,7 @@ -lib_LIBRARIES = libomapi.a +lib_LTLIBRARIES = libomapi.la @@ -92,8 +92,8 @@ diff -up dhcp-4.2.2/omapip/Makefile.am.sharedlib dhcp-4.2.2/omapip/Makefile.am +svtest_LDADD = libomapi.la $(BIND9_LIBDIR) -ldns-export -lisc-export diff -up dhcp-4.2.2/relay/Makefile.am.sharedlib dhcp-4.2.2/relay/Makefile.am ---- dhcp-4.2.2/relay/Makefile.am.sharedlib 2011-09-09 16:35:56.000000000 +0200 -+++ dhcp-4.2.2/relay/Makefile.am 2011-09-09 16:37:57.058019749 +0200 +--- dhcp-4.2.2/relay/Makefile.am.sharedlib 2011-10-09 20:07:40.000000000 +0200 ++++ dhcp-4.2.2/relay/Makefile.am 2011-10-09 20:07:40.000000000 +0200 @@ -2,7 +2,7 @@ AM_CPPFLAGS = -DLOCALSTATEDIR='"@localst sbin_PROGRAMS = dhcrelay 
@@ -104,16 +104,16 @@ diff -up dhcp-4.2.2/relay/Makefile.am.sharedlib dhcp-4.2.2/relay/Makefile.am man_MANS = dhcrelay.8 EXTRA_DIST = $(man_MANS) diff -up dhcp-4.2.2/server/Makefile.am.sharedlib dhcp-4.2.2/server/Makefile.am ---- dhcp-4.2.2/server/Makefile.am.sharedlib 2011-09-09 16:35:56.000000000 +0200 -+++ dhcp-4.2.2/server/Makefile.am 2011-09-09 16:38:56.291004599 +0200 +--- dhcp-4.2.2/server/Makefile.am.sharedlib 2011-10-09 20:07:39.000000000 +0200 ++++ dhcp-4.2.2/server/Makefile.am 2011-10-09 20:08:26.000000000 +0200 @@ -7,8 +7,8 @@ dhcpd_SOURCES = dhcpd.c dhcp.c bootp.c c dhcpv6.c mdb6.c ldap.c ldap_casa.c dhcpd_CFLAGS = $(LDAP_CFLAGS) -dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.a \ -- ../dhcpctl/libdhcpctl.a $(BIND9_LIBDIR) -ldns-export -lisc-export \ +- ../dhcpctl/libdhcpctl.a $(BIND9_LIBDIR) -ldns-export -lisc-export +dhcpd_LDADD = ../common/libdhcp.a ../omapip/libomapi.la \ -+ ../dhcpctl/libdhcpctl.la $(BIND9_LIBDIR) -ldns-export -lisc-export \ - $(CAPNG_LDADD) ++ ../dhcpctl/libdhcpctl.la $(BIND9_LIBDIR) -ldns-export -lisc-export man_MANS = dhcpd.8 dhcpd.conf.5 dhcpd.leases.5 + EXTRA_DIST = $(man_MANS)