diff --git a/dhcp-4.2.2-paranoia-pid.patch b/dhcp-4.2.2-paranoia-pid.patch
new file mode 100644
index 0000000..c74f4e2
--- /dev/null
+++ b/dhcp-4.2.2-paranoia-pid.patch
@@ -0,0 +1,49 @@
+diff -up dhcp-4.2.2/server/dhcpd.c.paranoia-pid dhcp-4.2.2/server/dhcpd.c
+--- dhcp-4.2.2/server/dhcpd.c.paranoia-pid 2011-09-12 16:07:01.000000000 +0200
++++ dhcp-4.2.2/server/dhcpd.c 2011-09-12 16:08:55.680988466 +0200
+@@ -791,22 +791,6 @@ main(int argc, char **argv) {
+ exit (0);
+ }
+ 
+-#if defined (PARANOIA)
+- /* change uid to the specified one */
+-
+- if (set_gid) {
+- if (setgroups (0, (void *)0))
+- log_fatal ("setgroups: %m");
+- if (setgid (set_gid))
+- log_fatal ("setgid(%d): %m", (int) set_gid);
+- }
+-
+- if (set_uid) {
+- if (setuid (set_uid))
+- log_fatal ("setuid(%d): %m", (int) set_uid);
+- }
+-#endif /* PARANOIA */
+-
+ /*
+ * Deal with pid files. If the user told us
+ * not to write a file we don't read one either
+@@ -843,6 +827,22 @@ main(int argc, char **argv) {
+ }
+ }
+ 
++#if defined (PARANOIA)
++ /* change uid to the specified one */
++
++ if (set_gid) {
++ if (setgroups (0, (void *)0))
++ log_fatal ("setgroups: %m");
++ if (setgid (set_gid))
++ log_fatal ("setgid(%d): %m", (int) set_gid);
++ }
++
++ if (set_uid) {
++ if (setuid (set_uid))
++ log_fatal ("setuid(%d): %m", (int) set_uid);
++ }
++#endif /* PARANOIA */
++
+ /* If we were requested to log to stdout on the command line,
+ keep doing so; otherwise, stop. */
+ if (log_perror == -1)
diff --git a/dhcp.spec b/dhcp.spec
index ddce17d..23f97f7 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -4,6 +4,9 @@
 # vendor string (e.g., Fedora, EL)
 %global vvendor Fedora
 
+#http://lists.fedoraproject.org/pipermail/devel/2011-August/155358.html
+%global _hardened_build 1
+
 # Where dhcp configuration files are stored
 %global dhcpconfdir %{_sysconfdir}/dhcp
 
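Review bot: The relocated block keeps the comment `/* change uid to the specified one */` verbatim, so nothing at the new site explains why the privilege drop now happens after the pid-file handling; the rationale lives only in the spec changelog. Suggest `/* Drop group then user privileges only now, after the pid file has been written (see [ISC-Bugs #25806]); everything above this point still runs with the startup credentials. */`. The pid-file code that sits between the old and the new location is outside the hunk, so whatever it does besides writing the file now runs before setgroups/setgid/setuid — worth confirming nothing in that stretch was meant to run unprivileged. main's body continues on both sides of the hunk.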
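Review bot: The only explanation attached to `%global _hardened_build 1` is a bare mailing-list URL on the line above, so a reader has to follow a link to learn what the flag does. Suggest `# Build hardened binaries (PIE, full RELRO) as recommended for network daemons; rationale: http://lists.fedoraproject.org/pipermail/devel/2011-August/155358.html`. The changelog wording "Really define _hardened_build this time" hints that an earlier attempt did not take effect, so it is worth verifying on the built dhcpd binary that it is actually PIE rather than trusting the macro.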
@@ -19,7 +22,7 @@
 Summary: Dynamic host configuration protocol software
 Name: dhcp
 Version: 4.2.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now. It should have never been used, but it was.
@@ -68,10 +71,11 @@ Patch28: dhcp-4.2.0-noprefixavail.patch
 Patch29: dhcp-4.2.2-remove-bind.patch
 Patch30: dhcp-4.2.2-sharedlib.patch
 Patch31: dhcp-4.2.0-PPP.patch
-Patch32: dhcp-4.2.2-lpf-ib.patch
-Patch33: dhcp-4.2.2-improved-xid.patch
-Patch34: dhcp-4.2.2-gpxe-cid.patch
-Patch35: dhcp-4.2.2-systemtap.patch
+Patch32: dhcp-4.2.2-paranoia-pid.patch
+Patch33: dhcp-4.2.2-lpf-ib.patch
+Patch34: dhcp-4.2.2-improved-xid.patch
+Patch35: dhcp-4.2.2-gpxe-cid.patch
+Patch36: dhcp-4.2.2-systemtap.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -311,14 +315,18 @@ rm bind/bind.tar.gz
 # DHCPv6 over PPP support (#626514)
 %patch31 -p1 -b .PPP
 
+# Move changing of the effective user/group ID after writing new PID file.
+# (Submitted to dhcp-bugs@isc.org - [ISC-Bugs #25806])
+%patch32 -p1 -b .paranoia-pid
+
 # IPoIB support (#660681)
 # (Submitted to dhcp-bugs@isc.org - [ISC-Bugs #24249])
-%patch32 -p1 -b .lpf-ib
-%patch33 -p1 -b .improved-xid
-%patch34 -p1 -b .gpxe-cid
+%patch33 -p1 -b .lpf-ib
+%patch34 -p1 -b .improved-xid
+%patch35 -p1 -b .gpxe-cid
 
 # http://sourceware.org/systemtap/wiki/SystemTap
-%patch35 -p1 -b .systemtap
+%patch36 -p1 -b .systemtap
 
 # Copy in the Fedora/RHEL dhclient script
 %{__install} -p -m 0755 %{SOURCE4} client/scripts/linux
@@ -662,6 +670,10 @@ fi
 %{_initddir}/dhcrelay
 
 %changelog
+* Thu Oct 20 2011 Jiri Popelka - 12:4.2.3-2
+- Move changing of the effective user/group ID after writing new PID file.
+- Really define _hardened_build this time
+
 * Thu Oct 20 2011 Jiri Popelka - 12:4.2.3-1
 - 4.2.3
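Review bot: Inserting the new patch as Patch32 in the middle of the numbered list (hunk `@@ -68,10 +71,11 @@`) forces four existing patches and their `%patch` lines in the `%prep` hunk (`@@ -311,14 +315,18 @@`) to be renumbered, which is exactly the kind of edit where a `PatchNN:`/`%patchNN` pair can silently drift apart. Appending it as `Patch36: dhcp-4.2.2-paranoia-pid.patch` with `%patch36 -p1 -b .paranoia-pid` would have kept the change to two added lines and left the other patches untouched. If the position is deliberate because the patch must apply before lpf-ib, a one-line comment next to the `Patch32:` line saying so would justify the renumbering.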