From d4f93c3c5e0f1aa367cddf6f47ec09ba910b94c9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 14 Jun 2023 11:59:01 +0200
Subject: [PATCH] Add group writeable permission for log file
When log-facility is used to create a new file, make that file also writeable by root. Systemd strips the ability to write into this file even when started by root. Allow root explicitly.
Resolves: rhbz#2207798
(cherry picked from commit cafac891ea16ed82f18a0f0959d9a40347ad0064)
---
 dnsmasq-2.87-log-root-writeable.patch | 64 +++++++++++++++++++++++++++
 dnsmasq.spec | 8 +++-
 2 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 dnsmasq-2.87-log-root-writeable.patch
diff --git a/dnsmasq-2.87-log-root-writeable.patch b/dnsmasq-2.87-log-root-writeable.patch
new file mode 100644
index 0000000..6a4a241
--- /dev/null
+++ b/dnsmasq-2.87-log-root-writeable.patch
@@ -0,0 +1,64 @@
+From e342e4d5c3093d8dd9e2d622e46d36f67bfb4925 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
+Date: Mon, 10 Jan 2022 12:34:42 +0100
+Subject: [PATCH] Add root group writeable flag to log file
+
+Some systems strips even root process capability of writing to different
+users file. That include systemd under Fedora. When
+log-facility=/var/log/dnsmasq.log is used, log file with mode 0640
+is created. But restart then fails, because such log file can be used
+only when created new. Existing file cannot be opened by root when
+starting, causing fatal error. Avoid that by adding root group writeable flag.
+
+Ensure group is always root when granting write access. If it is
+anything else, administrator has to configure correct rights.
+
+(cherry picked from commit 1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c)
+---
+ src/log.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/src/log.c b/src/log.c
+index 1ec3447..bcd6e52 100644
+--- a/src/log.c
++++ b/src/log.c
+@@ -100,10 +100,23 @@ int log_start(struct passwd *ent_pw, int errfd)
+ /* If we're running as root and going to change uid later,
+ change the ownership here so that the file is always owned by
+ the dnsmasq user. Then logrotate can just copy the owner.
+- Failure of the chown call is OK, (for instance when started as non-root) */
+- if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0 &&
+- fchown(log_fd, ent_pw->pw_uid, -1) != 0)
+- ret = errno;
++ Failure of the chown call is OK, (for instance when started as non-root).
++
++ If we've created a file with group-id root, we also make
++ the file group-writable. This gives processes in the root group
++ write access to the file and avoids the problem that on some systems,
++ once the file is owned by the dnsmasq user, it can't be written
++ whilst dnsmasq is running as root during startup.
++ */
++ if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0)
++ {
++ struct stat ls;
++ if (getgid() == 0 && fstat(log_fd, &ls) == 0 && ls.st_gid == 0 &&
++ (ls.st_mode & S_IWGRP) == 0)
++ (void)fchmod(log_fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP);
++ if (fchown(log_fd, ent_pw->pw_uid, -1) != 0)
++ ret = errno;
++ }
+ 
+ return ret;
+ }
+@@ -118,7 +131,7 @@ int log_reopen(char *log_file)
+ /* NOTE: umask is set to 022 by the time this gets called */
+ 
+ if (log_file)
+- log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
++ log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
+ else
+ {
+ #if defined(HAVE_SOLARIS_NETWORK) || defined(__ANDROID__)
+-- 
+2.40.1
+
diff --git a/dnsmasq.spec b/dnsmasq.spec
index 8c5ed9b..1229f95 100644
--- a/dnsmasq.spec
+++ b/dnsmasq.spec
@@ -13,7 +13,7 @@
 Name: dnsmasq
 Version: 2.79
-Release: 29%{?extraversion:.%{extraversion}}%{?dist}
+Release: 30%{?extraversion:.%{extraversion}}%{?dist}
 Summary: A lightweight DHCP/caching DNS server
 License: GPLv2 or GPLv3
@@ -91,6 +91,8 @@ Patch41: dnsmasq-2.85-serv_domain-rh2186481.patch
 # Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
 # complements patch10
 Patch42: dnsmasq-2.85-serv_domain-rh2186481-2.patch
+# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c
+Patch43: dnsmasq-2.87-log-root-writeable.patch
 # This is workaround to nettle bug #1549190
 # https://bugzilla.redhat.com/show_bug.cgi?id=1549190
@@ -166,6 +168,7 @@ server's leases.
 %patch40 -p1 -b .CVE-2023-28450
 %patch41 -p1 -b .rh2186481
 %patch42 -p1 -b .rh2186481-2
+%patch43 -p1 -b .rh2156789
 # use /var/lib/dnsmasq instead of /var/lib/misc
 for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
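Review bot: The `fchmod` in the added `log_start` block installs an absolute mode of `S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP` (0660) instead of adding `S_IWGRP` to the mode that `fstat` just returned in `ls`, so any other permission bits an administrator set on a pre-existing root-group log file are silently replaced (a 0644 file loses other-read, a 0600 file gains group-read); if the intent is only to grant group write, `(void)fchmod(log_fd, (ls.st_mode & ~S_IFMT) | S_IWGRP);` keeps the rest intact. The new comment says "If we've created a file with group-id root", but the condition (`fstat` on `log_fd`, `st_gid == 0`, `S_IWGRP` clear) cannot distinguish a newly created file from a pre-existing one, which is exactly the case the commit message says it targets, so the comment could read "If the file's group is root (newly created or pre-existing) and it is not yet group-writable, make it so". It is worth stating there that the `getgid() == 0 && ls.st_gid == 0` guard, together with operating on the already-open descriptor, is what keeps the grant scoped to the root group and free of a path race; `log_start` begins above the hunk. In the second hunk (`log_reopen`) the removed and added `open(...)` lines read identically here, which looks like a whitespace-only change and could be dropped from the downstream patch.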
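Review bot: The backup suffix on the new line `%patch43 -p1 -b .rh2156789` cites bug 2156789, as does the changelog entry, while the commit message says `Resolves: rhbz#2207798`; it is not clear from this page which id is intended, so the two references should be aligned before merging. The `Patch43:` comment added in the earlier hunk gives only the upstream commit URL, whereas the neighbouring `Patch42` comment also carries the bugzilla URL; adding the bug URL there, e.g. `# https://bugzilla.redhat.com/show_bug.cgi?id=<BUG-ID>`, keeps the spec's convention.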
@@ -265,6 +268,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
 %{_mandir}/man1/dhcp_*
 %changelog
+* Wed Jun 14 2023 Petr Menšík - 2.79-30
+- Make create logfile writeable by root (#2156789)
+
 * Wed May 10 2023 Petr Menšík - 2.79-29
 - Fix also dynamically set resolvers over dbus (#2186481)