rpms/dhcp
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Do not run dhcpd as root (BZ#699713)

Browse Source 
Use '--enable-paranoia --enable-early-chroot' configure flags
Create/delete dhcpd user in %post/%postun
Run dhcpd/dhcpd6 services with '-user dhcpd -group dhcpd'
This commit is contained in:
Jiri Popelka 2011-08-12 14:50:08 +02:00
parent 5c346262c0
commit d7e74c83b3
3 changed files with 20 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
dhcp.spec
View File

@ -16,7 +16,7 @@
Summary: Dynamic host configuration protocol software Summary: Dynamic host configuration protocol software
Name: dhcp Name: dhcp
Version: 4.2.2 Version: 4.2.2
Release: 1%{?dist} Release: 2%{?dist}
# NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to # NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
# dcantrell maintaining the package) made incorrect use of the epoch and # dcantrell maintaining the package) made incorrect use of the epoch and
# that's why it is at 12 now. It should have never been used, but it was. # that's why it is at 12 now. It should have never been used, but it was.
@ -366,7 +366,8 @@ CFLAGS="%{optflags} -fno-strict-aliasing -D_GNU_SOURCE" \
--with-ldap \ --with-ldap \
--with-ldapcrypto \ --with-ldapcrypto \
--with-libbind=%{_includedir} --with-libbind-libs=%{_libdir} \ --with-libbind=%{_includedir} --with-libbind-libs=%{_libdir} \
--disable-static --disable-static \
--enable-paranoia --enable-early-chroot
%{__make} %{?_smp_mflags} %{__make} %{?_smp_mflags}
%install %install
@ -488,6 +489,9 @@ fi
# Initial installation # Initial installation
if [ $1 -eq 1 ] ; then if [ $1 -eq 1 ] ; then
# create system user/group dhcpd
useradd --system dhcpd
/bin/systemctl daemon-reload >/dev/null 2>&1 || : /bin/systemctl daemon-reload >/dev/null 2>&1 || :
fi fi
@ -530,6 +534,12 @@ if [ $1 -ge 1 ]; then
/bin/systemctl try-restart dhcrelay.service >/dev/null 2>&1 || : /bin/systemctl try-restart dhcrelay.service >/dev/null 2>&1 || :
fi fi
# uninstall
if [ $1 -eq 0 ]; then
# delete user/group dhcpd
userdel dhcpd
fi
%post libs -p /sbin/ldconfig %post libs -p /sbin/ldconfig
@ -629,6 +639,12 @@ fi
%{_initddir}/dhcrelay %{_initddir}/dhcrelay
%changelog %changelog
* Fri Aug 12 2011 Jiri Popelka <jpopelka@redhat.com> - 12:4.2.2-2
- #699713:
- Use '--enable-paranoia --enable-early-chroot' configure flags
- Create/delete dhcpd user in %%post/%%postun
- Run dhcpd/dhcpd6 services with '-user dhcpd -group dhcpd'
* Thu Aug 11 2011 Jiri Popelka <jpopelka@redhat.com> - 12:4.2.2-1 * Thu Aug 11 2011 Jiri Popelka <jpopelka@redhat.com> - 12:4.2.2-1
- 4.2.2: fix for CVE-2011-2748, CVE-2011-2749 (#729850) - 4.2.2: fix for CVE-2011-2748, CVE-2011-2749 (#729850)

2
dhcpd.service
View File

@ -4,7 +4,7 @@ After=syslog.target network.target
[Service] [Service]
EnvironmentFile=/etc/sysconfig/dhcpd EnvironmentFile=/etc/sysconfig/dhcpd
ExecStart=/usr/sbin/dhcpd -d --no-pid $DHCPDARGS ExecStart=/usr/sbin/dhcpd -d -user dhcpd -group dhcpd --no-pid $DHCPDARGS
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

2
dhcpd6.service
View File

@ -4,7 +4,7 @@ After=syslog.target network.target
[Service] [Service]
EnvironmentFile=/etc/sysconfig/dhcpd6 EnvironmentFile=/etc/sysconfig/dhcpd6
ExecStart=/usr/sbin/dhcpd -6 -d --no-pid $DHCPDARGS ExecStart=/usr/sbin/dhcpd -d -6 -user dhcpd -group dhcpd --no-pid $DHCPDARGS
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target