Add group writeable permission for log file
When log-facility is used to create a new file, make that file also
writeable by root. Systemd strips the ability to write into this file
even when started by root. Allow root explicitly.
Resolves: rhbz#2207798
(cherry picked from commit cafac891ea)
This commit is contained in:
Petr Menšík
parent
27f283ccd5
commit
d4f93c3c5e
64
dnsmasq-2.87-log-root-writeable.patch
Normal file
64
dnsmasq-2.87-log-root-writeable.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From e342e4d5c3093d8dd9e2d622e46d36f67bfb4925 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||
Date: Mon, 10 Jan 2022 12:34:42 +0100
|
||||
Subject: [PATCH] Add root group writeable flag to log file
|
||||
|
||||
Some systems strips even root process capability of writing to different
|
||||
users file. That include systemd under Fedora. When
|
||||
log-facility=/var/log/dnsmasq.log is used, log file with mode 0640
|
||||
is created. But restart then fails, because such log file can be used
|
||||
only when created new. Existing file cannot be opened by root when
|
||||
starting, causing fatal error. Avoid that by adding root group writeable flag.
|
||||
|
||||
Ensure group is always root when granting write access. If it is
|
||||
anything else, administrator has to configure correct rights.
|
||||
|
||||
(cherry picked from commit 1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c)
|
||||
---
|
||||
src/log.c | 23 ++++++++++++++++++-----
|
||||
1 file changed, 18 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/src/log.c b/src/log.c
|
||||
index 1ec3447..bcd6e52 100644
|
||||
--- a/src/log.c
|
||||
+++ b/src/log.c
|
||||
@@ -100,10 +100,23 @@ int log_start(struct passwd *ent_pw, int errfd)
|
||||
/* If we're running as root and going to change uid later,
|
||||
change the ownership here so that the file is always owned by
|
||||
the dnsmasq user. Then logrotate can just copy the owner.
|
||||
- Failure of the chown call is OK, (for instance when started as non-root) */
|
||||
- if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0 &&
|
||||
- fchown(log_fd, ent_pw->pw_uid, -1) != 0)
|
||||
- ret = errno;
|
||||
+ Failure of the chown call is OK, (for instance when started as non-root).
|
||||
+
|
||||
+ If we've created a file with group-id root, we also make
|
||||
+ the file group-writable. This gives processes in the root group
|
||||
+ write access to the file and avoids the problem that on some systems,
|
||||
+ once the file is owned by the dnsmasq user, it can't be written
|
||||
+ whilst dnsmasq is running as root during startup.
|
||||
+ */
|
||||
+ if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0)
|
||||
+ {
|
||||
+ struct stat ls;
|
||||
+ if (getgid() == 0 && fstat(log_fd, &ls) == 0 && ls.st_gid == 0 &&
|
||||
+ (ls.st_mode & S_IWGRP) == 0)
|
||||
+ (void)fchmod(log_fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP);
|
||||
+ if (fchown(log_fd, ent_pw->pw_uid, -1) != 0)
|
||||
+ ret = errno;
|
||||
+ }
|
||||
|
||||
return ret;
|
||||
}
|
||||
@@ -118,7 +131,7 @@ int log_reopen(char *log_file)
|
||||
/* NOTE: umask is set to 022 by the time this gets called */
|
||||
|
||||
if (log_file)
|
||||
- log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
|
||||
+ log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
|
||||
else
|
||||
{
|
||||
#if defined(HAVE_SOLARIS_NETWORK) || defined(__ANDROID__)
|
||||
--
|
||||
2.40.1
|
||||
|
||||
@ -13,7 +13,7 @@
|
||||
|
||||
Name: dnsmasq
|
||||
Version: 2.79
|
||||
Release: 29%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Release: 30%{?extraversion:.%{extraversion}}%{?dist}
|
||||
Summary: A lightweight DHCP/caching DNS server
|
||||
|
||||
License: GPLv2 or GPLv3
|
||||
@ -91,6 +91,8 @@ Patch41: dnsmasq-2.85-serv_domain-rh2186481.patch
|
||||
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
|
||||
# complements patch10
|
||||
Patch42: dnsmasq-2.85-serv_domain-rh2186481-2.patch
|
||||
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c
|
||||
Patch43: dnsmasq-2.87-log-root-writeable.patch
|
||||
|
||||
# This is workaround to nettle bug #1549190
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
|
||||
@ -166,6 +168,7 @@ server's leases.
|
||||
%patch40 -p1 -b .CVE-2023-28450
|
||||
%patch41 -p1 -b .rh2186481
|
||||
%patch42 -p1 -b .rh2186481-2
|
||||
%patch43 -p1 -b .rh2156789
|
||||
|
||||
# use /var/lib/dnsmasq instead of /var/lib/misc
|
||||
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
||||
@ -265,6 +268,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
|
||||
%{_mandir}/man1/dhcp_*
|
||||
|
||||
%changelog
|
||||
* Wed Jun 14 2023 Petr Menšík <pemensik@redhat.com> - 2.79-30
|
||||
- Make create logfile writeable by root (#2156789)
|
||||
|
||||
* Wed May 10 2023 Petr Menšík <pemensik@redhat.com> - 2.79-29
|
||||
- Fix also dynamically set resolvers over dbus (#2186481)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user