Add group writeable permission for log file
When log-facility is used to create a new file, make that file also
writeable by root. Systemd strips the ability to write into this file
even when started by root. Allow root explicitly.
Resolves: rhbz#2207798
(cherry picked from commit cafac891ea)
parent
27f283ccd5
commit
d4f93c3c5e
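--- a/dnsmasq-2.87-log-root-writeable.patch
+++ b/dnsmasq-2.87-log-root-writeable.patch
@@ -0,0 +1,64 @@
+From e342e4d5c3093d8dd9e2d622e46d36f67bfb4925 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
+Date: Mon, 10 Jan 2022 12:34:42 +0100
+Subject: [PATCH] Add root group writeable flag to log file
+
+Some systems strips even root process capability of writing to different
+users file. That include systemd under Fedora. When
+log-facility=/var/log/dnsmasq.log is used, log file with mode 0640
+is created. But restart then fails, because such log file can be used
+only when created new. Existing file cannot be opened by root when
+starting, causing fatal error. Avoid that by adding root group writeable flag.
+
+Ensure group is always root when granting write access. If it is
+anything else, administrator has to configure correct rights.
+
+(cherry picked from commit 1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c)
+---
+src/log.c | 23 ++++++++++++++++++-----
+1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/src/log.c b/src/log.c
+index 1ec3447..bcd6e52 100644
+--- a/src/log.c
++++ b/src/log.c
+@@ -100,10 +100,23 @@ int log_start(struct passwd *ent_pw, int errfd)
+/* If we're running as root and going to change uid later,
+change the ownership here so that the file is always owned by
+the dnsmasq user. Then logrotate can just copy the owner.
+- Failure of the chown call is OK, (for instance when started as non-root) */
+- if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0 &&
+- fchown(log_fd, ent_pw->pw_uid, -1) != 0)
+- ret = errno;
++ Failure of the chown call is OK, (for instance when started as non-root).
++
++ If we've created a file with group-id root, we also make
++ the file group-writable. This gives processes in the root group
++ write access to the file and avoids the problem that on some systems,
++ once the file is owned by the dnsmasq user, it can't be written
++ whilst dnsmasq is running as root during startup.
++ */
++ if (log_to_file && !log_stderr && ent_pw && ent_pw->pw_uid != 0)
++ {
++ struct stat ls;
++ if (getgid() == 0 && fstat(log_fd, &ls) == 0 && ls.st_gid == 0 &&
++ (ls.st_mode & S_IWGRP) == 0)
++ (void)fchmod(log_fd, S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP);
++ if (fchown(log_fd, ent_pw->pw_uid, -1) != 0)
++ ret = errno;
++ }
+
+return ret;
+}
+@@ -118,7 +131,7 @@ int log_reopen(char *log_file)
+/* NOTE: umask is set to 022 by the time this gets called */
+
+if (log_file)
+- log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
++ log_fd = open(log_file, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR|S_IRGRP);
+else
+{
+#if defined(HAVE_SOLARIS_NETWORK) || defined(__ANDROID__)
+--
+2.40.1
+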
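Review bot: The `fchmod()` added in the `log_start` hunk overwrites the whole mode with 0660 rather than adding `S_IWGRP`, and nothing visible in the hunk limits it to a file dnsmasq has just created, although the new comment says "If we've created a file". A root-group log file that an administrator pre-created with a tighter mode such as 0600 would therefore be widened to group read/write at startup, and a non-regular log target is not excluded. I would add `S_ISREG(ls.st_mode)` to the condition and change the call to `(void)fchmod(log_fd, (ls.st_mode & 07777) | S_IWGRP);`, or at least reword the comment to say that existing files are affected too. The `log_reopen` hunk shows the same `open()` line on both sides on this page, so it is presumably whitespace-only and could be dropped from the backport. `log_start` begins outside the hunk.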
@ -13,7 +13,7 @@
|
|||||||
|
|
||||||
Name: dnsmasq
|
Name: dnsmasq
|
||||||
Version: 2.79
|
Version: 2.79
|
||||||
Release: 29%{?extraversion:.%{extraversion}}%{?dist}
|
Release: 30%{?extraversion:.%{extraversion}}%{?dist}
|
||||||
Summary: A lightweight DHCP/caching DNS server
|
Summary: A lightweight DHCP/caching DNS server
|
||||||
|
|
||||||
License: GPLv2 or GPLv3
|
License: GPLv2 or GPLv3
|
||||||
@ -91,6 +91,8 @@ Patch41: dnsmasq-2.85-serv_domain-rh2186481.patch
|
|||||||
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
|
# Downstream only patch; https://bugzilla.redhat.com/show_bug.cgi?id=2186481
|
||||||
# complements patch10
|
# complements patch10
|
||||||
Patch42: dnsmasq-2.85-serv_domain-rh2186481-2.patch
|
Patch42: dnsmasq-2.85-serv_domain-rh2186481-2.patch
|
||||||
|
# http://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commit;h=1f8f78a49b8fd6b2862a3882053b1c6e6e111e5c
|
||||||
|
Patch43: dnsmasq-2.87-log-root-writeable.patch
|
||||||
|
|
||||||
# This is workaround to nettle bug #1549190
|
# This is workaround to nettle bug #1549190
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1549190
|
||||||
@ -166,6 +168,7 @@ server's leases.
|
|||||||
%patch40 -p1 -b .CVE-2023-28450
|
%patch40 -p1 -b .CVE-2023-28450
|
||||||
%patch41 -p1 -b .rh2186481
|
%patch41 -p1 -b .rh2186481
|
||||||
%patch42 -p1 -b .rh2186481-2
|
%patch42 -p1 -b .rh2186481-2
|
||||||
|
%patch43 -p1 -b .rh2156789
|
||||||
|
|
||||||
# use /var/lib/dnsmasq instead of /var/lib/misc
|
# use /var/lib/dnsmasq instead of /var/lib/misc
|
||||||
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
for file in dnsmasq.conf.example man/dnsmasq.8 man/es/dnsmasq.8 src/config.h; do
|
||||||
@ -265,6 +268,9 @@ install -Dpm 644 %{SOURCE2} %{buildroot}%{_sysusersdir}/dnsmasq.conf
|
|||||||
%{_mandir}/man1/dhcp_*
|
%{_mandir}/man1/dhcp_*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Jun 14 2023 Petr Menšík <pemensik@redhat.com> - 2.79-30
|
||||||
|
- Make create logfile writeable by root (#2156789)
|
||||||
|
|
||||||
* Wed May 10 2023 Petr Menšík <pemensik@redhat.com> - 2.79-29
|
* Wed May 10 2023 Petr Menšík <pemensik@redhat.com> - 2.79-29
|
||||||
- Fix also dynamically set resolvers over dbus (#2186481)
|
- Fix also dynamically set resolvers over dbus (#2186481)
|
||||||
|
|
||||||
|
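Review bot: The bug reference attached to the new patch does not match the commit message: `%patch43 -p1 -b .rh2156789` and the changelog entry cite #2156789, while the description says `Resolves: rhbz#2207798`. If 2207798 is the tracker for this release, the backup suffix and the changelog should use it (`%patch43 -p1 -b .rh2207798`); if both bugs apply, name both so the change can be traced from either one. The comment above `Patch43:` links only the upstream commit, so adding the Bugzilla URL there, as is done for Patch41/Patch42, would keep the provenance of the backport in one place. The changelog line reads "Make create logfile", presumably meant as "Make created logfile".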