Change named shell to /bin/false
Related: rhbz#1569466 Signed-off-by: Petr Menšík <pemensik@redhat.com>
parent
0188ce47c6
commit
5c4c792b8d
13
bind.spec
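--- a/bind.spec
+++ b/bind.spec
@@ -126,6 +126,9 @@ Requires(preun): systemd
 Requires(postun): systemd
 Requires: coreutils
 Requires(pre): shadow-utils
+Requires(post): shadow-utils
+Requires(post): glibc-common
+Requires(post): grep
 Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Obsoletes: bind-config < 30:9.3.2-34.fc6
 Provides: bind-config = 30:9.3.2-34.fc6
@@ -925,20 +928,25 @@ install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
 %pre
 if [ "$1" -eq 1 ]; then
 /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
-/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
+/usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c Named named >/dev/null 2>&1 || :;
 fi;
 :;
 
 %post
 %?ldconfig
-%systemd_post named.service
 if [ "$1" -eq 1 ]; then
 # Initial installation
 [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
 # rndc.key has to have correct perms and ownership, CVE-2007-6283
 [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
 [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
+else
+# Upgrade, use invalid shell
+if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then
+usermod -s /bin/false named
 fi
+fi
+%systemd_post named.service
 :;
 
 %preun
@@ -1401,6 +1409,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Fri May 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-9
 - Make named home writeable (#1422680)
+- Change named shell to /bin/false
 
 * Fri May 25 2018 Petr Menšík <pemensik@redhat.com> - 32:9.11.3-8
 - Require C++ on build when shipped atf library is used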
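Review bot: The upgrade branch added to `%post` rewrites the shell only when the passwd entry ends in exactly `:/sbin/nologin`, and it runs `usermod` by bare name with no failure handling, unlike the `/usr/sbin/useradd ... >/dev/null 2>&1 || :;` form used in `%pre`. An account whose shell reads `/usr/sbin/nologin`, or one that `getent` resolves from a non-local source that `usermod` cannot edit, keeps its old shell while the scriptlet still ends with `:;` and reports success. If only the package's own former default is meant to be migrated, say so in the comment, e.g. `# Upgrade: migrate only the /sbin/nologin default set by earlier builds of this package`, and call `/usr/sbin/usermod -s /bin/false named || :` so the path and error handling match `%pre`. The existing comment `# Upgrade, use invalid shell` does not say what "invalid" means or why /bin/false is preferred over /sbin/nologin; the commit message only points to rhbz#1569466, so the reason should be stated in the spec itself.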