rpms/freeradius
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Upgrade to upstream v3.0.13 release

Browse Source
This commit is contained in:
Nikolai Kondrashov 2017-03-07 16:09:22 +02:00
parent e28f5dcc06
commit 611a967618
12 changed files with 20 additions and 6802 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -17,3 +17,4 @@
/freeradius-server-3.0.10.tar.bz2
/freeradius-server-3.0.11.tar.bz2
/freeradius-server-3.0.12.tar.bz2
/freeradius-server-3.0.13.tar.bz2

51
freeradius-Fix-three-cases-of-comparing-pointer-to-zero-char.patch
View File

@ -1,51 +0,0 @@
From be7f52f986918bf7eac10345304464b2aea54150 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 20 Feb 2017 14:04:06 +0100
Subject: [PATCH] Fix three cases of comparing pointer to zero char
Fix three cases of comparing pointer to a zero character, where pointers
were apparently intended to be dereferenced first and then compared.
Found with the help of GCC 7 warnings.
---
src/main/evaluate.c | 2 +-
src/modules/rlm_mschap/rlm_mschap.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/main/evaluate.c b/src/main/evaluate.c
index 64be4966a..f01eeec88 100644
--- a/src/main/evaluate.c
+++ b/src/main/evaluate.c
@@ -99,7 +99,7 @@ int radius_evaluate_tmpl(REQUEST *request, int modreturn, UNUSED int depth, vp_t
* The VPT *doesn't* have a "bare word" type,
* which arguably it should.
*/
- rcode = (vpt->name != '\0');
+ rcode = (*vpt->name != '\0');
break;
case TMPL_TYPE_ATTR:
diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
index 3509bd6f5..13d02c539 100644
--- a/src/modules/rlm_mschap/rlm_mschap.c
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -436,7 +436,7 @@ static ssize_t mschap_xlat(void *instance, REQUEST *request,
char const *p;
p = fmt + 8; /* 7 is the length of 'NT-Hash' */
- if ((p == '\0') || (outlen <= 32))
+ if ((*p == '\0') || (outlen <= 32))
return 0;
while (isspace(*p)) p++;
@@ -459,7 +459,7 @@ static ssize_t mschap_xlat(void *instance, REQUEST *request,
char const *p;
p = fmt + 8; /* 7 is the length of 'LM-Hash' */
- if ((p == '\0') || (outlen <= 32))
+ if ((*p == '\0') || (outlen <= 32))
return 0;
while (isspace(*p)) p++;
--
2.11.0

68
freeradius-Handle-hostnames-in-fr_pton4-6.patch
View File

@ -1,68 +0,0 @@
From 881f11e7d4c5303a5b1e44f854be22bb65a29142 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Fri, 17 Feb 2017 16:16:42 +0100
Subject: [PATCH] Handle hostnames in fr_pton4/6
Make fr_pton4/6 handle hostnames longer than the longest address +
prefix.
(cherry picked from commit d825d4e73fb0c61dc76f535fceb2930e555fe148)
---
src/lib/misc.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/lib/misc.c b/src/lib/misc.c
index af6ee2ce9..ba3fc362f 100644
--- a/src/lib/misc.c
+++ b/src/lib/misc.c
@@ -302,10 +302,12 @@ static int ip_prefix_from_str(char const *str, uint32_t *paddr)
}
-/** Parse an IPv4 address or IPv4 prefix in presentation format (and others)
+/**
+ * Parse an IPv4 address, IPv4 prefix in presentation format (and others), or
+ * a hostname.
*
* @param out Where to write the ip address value.
- * @param value to parse, may be dotted quad [+ prefix], or integer, or octal number, or '*' (INADDR_ANY).
+ * @param value to parse, may be dotted quad [+ prefix], or integer, or octal number, or '*' (INADDR_ANY), or a hostname.
* @param inlen Length of value, if value is \0 terminated inlen may be -1.
* @param resolve If true and value doesn't look like an IP address, try and resolve value as a hostname.
* @param fallback to IPv6 resolution if no A records can be found.
@@ -317,8 +319,8 @@ int fr_pton4(fr_ipaddr_t *out, char const *value, ssize_t inlen, bool resolve, b
unsigned int mask;
char *eptr;
- /* Dotted quad + / + [0-9]{1,2} */
- char buffer[INET_ADDRSTRLEN + 3];
+ /* Dotted quad + / + [0-9]{1,2} or a hostname (RFC1035 2.3.4 Size limits) */
+ char buffer[256];
/*
* Copy to intermediary buffer if we were given a length
@@ -400,7 +402,9 @@ int fr_pton4(fr_ipaddr_t *out, char const *value, ssize_t inlen, bool resolve, b
return 0;
}
-/** Parse an IPv6 address or IPv6 prefix in presentation format (and others)
+/**
+ * Parse an IPv6 address or IPv6 prefix in presentation format (and others),
+ * or a hostname.
*
* @param out Where to write the ip address value.
* @param value to parse.
@@ -415,8 +419,8 @@ int fr_pton6(fr_ipaddr_t *out, char const *value, ssize_t inlen, bool resolve, b
unsigned int prefix;
char *eptr;
- /* IPv6 + / + [0-9]{1,3} */
- char buffer[INET6_ADDRSTRLEN + 4];
+ /* IPv6 + / + [0-9]{1,3} or a hostname (RFC1035 2.3.4 Size limits) */
+ char buffer[256];
/*
* Copy to intermediary buffer if we were given a length
--
2.11.0

71
freeradius-Improve-ip-v4-v6-addr-documentation.patch
View File

@ -1,71 +0,0 @@
From be6f4e52a984bfc10ca3cc79bf812223447802ab Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Wed, 22 Feb 2017 10:48:51 -0500
Subject: [PATCH] Improve ip/v4/v6/addr documentation
Contains the following commits.
better documentation for ipaddr & friends. Fixes #1921
(cherry picked from commit 99e08b85b33e27eb0e0f4e870c50caf8fff6d84f)
typo
(cherry picked from commit 81fe1079edcb94f5b810d894ea255cef5d84985d)
---
raddb/sites-available/default | 39 +++++++++++++++++++++++++++++----------
1 file changed, 29 insertions(+), 10 deletions(-)
diff --git a/raddb/sites-available/default b/raddb/sites-available/default
index 083407596..e47f19192 100644
--- a/raddb/sites-available/default
+++ b/raddb/sites-available/default
@@ -85,16 +85,35 @@ listen {
# proxy listeners are automatically created.
# ipaddr/ipv4addr/ipv6addr - IP address on which to listen.
- # Out of several options the first one will be used.
- #
- # Allowed values are:
- # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr)
- # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr)
- # hostname (radius.example.com,
- # A record for ipv4addr,
- # AAAA record for ipv6addr,
- # A or AAAA record for ipaddr)
- # wildcard (*)
+ # If multiple ones are listed, only the first one will
+ # be used, and the others will be ignored.
+ #
+ # The configuration options accept the following syntax:
+ #
+ # ipv4addr - IPv4 address (e.g.192.0.2.3)
+ # - wildcard (i.e. *)
+ # - hostname (radius.example.com)
+ # Only the A record for the host name is used.
+ # If there is no A record, an error is returned,
+ # and the server fails to start.
+ #
+ # ipv6addr - IPv6 address (e.g. 2001:db8::1)
+ # - wildcard (i.e. *)
+ # - hostname (radius.example.com)
+ # Only the AAAA record for the host name is used.
+ # If there is no AAAA record, an error is returned,
+ # and the server fails to start.
+ #
+ # ipaddr - IPv4 address as above
+ # - IPv6 address as above
+ # - wildcard (i.e. *), which means IPv4 wildcard.
+ # - hostname
+ # If there is only one A or AAAA record returned
+ # for the host name, it is used.
+ # If multiple A or AAAA records are returned
+ # for the host name, only the first one is used.
+ # If both A and AAAA records are returned
+ # for the host name, only the A record is used.
#
# ipv4addr = *
# ipv6addr = *
--
2.11.0

54
freeradius-Remove-mentions-of-Auth-Type-System-from-docs.patch
View File

@ -1,54 +0,0 @@
From 76cfdaac92ac3cf49f3a360a8bea06e4531f08e3 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Wed, 22 Feb 2017 13:36:05 +0100
Subject: [PATCH] Remove mentions of Auth-Type = System from docs
Remove mentions of "Auth-Type = System" support from the manpages,
as it is removed.
(cherry picked from commit f3717e030657cdc8bc75dedbb4de1175b9fc2c91)
---
man/man5/rlm_unix.5 | 3 +--
man/man5/users.5 | 12 ------------
2 files changed, 1 insertion(+), 14 deletions(-)
diff --git a/man/man5/rlm_unix.5 b/man/man5/rlm_unix.5
index d1b838eee..38668e0ff 100644
--- a/man/man5/rlm_unix.5
+++ b/man/man5/rlm_unix.5
@@ -19,8 +19,7 @@ password file, and allows the server to use them for authentication.
The module also provides FreeRADIUS an interface into a radwtmp file
(used by "radlast") when added to the accounting section.
.PP
-The \fIrlm_unix\fP module does provides the functionality for
-"Auth-Type = System". The module should be listed in the
+The \fIrlm_unix\fP module should be listed in the
"authenticate" section. Please see the default \fIradiusd.conf\fP
shipped with the server for an example of the correct usage of this
module.
diff --git a/man/man5/users.5 b/man/man5/users.5
index deae8a9b1..4c6336639 100644
--- a/man/man5/users.5
+++ b/man/man5/users.5
@@ -169,18 +169,6 @@ reply items, so the reply will be empty.
.RE
.DS
-DEFAULT Auth-Type = System
-.br
- Fall-Through = Yes
-
-.DE
-.RS
-For all users reaching this entry, perform authentication against the
-system, unless Auth-Type has already been set. Also, process any
-following entries which may match.
-.RE
-
-.DS
DEFAULT Service-Type == Framed-User, Framed-Protocol == PPP
.br
Service-Type = Framed-User,
--
2.11.0

196
freeradius-Rename-lt_-to-fr_-.-Fixes-1277.patch
View File

@ -1,196 +0,0 @@
From 2ba62cd5c0d267ede8f935b2473bb317f93a25d3 Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Thu, 3 Nov 2016 09:50:56 -0400
Subject: [PATCH] Rename lt_* to fr_*. Fixes #1277
Which fixes linker issues in libraries which link to libtool,
and then sometimes get the wrong function.
Changed via:
perl -p -i -e 's/lt_dlhandle/fr_dlhandle/g;s/lt_dlopenext/fr_dlopenext/g;s/lt_dlsym/fr_dlsym/g;s/lt_dlclose/fr_dlclose/g;s/lt_dlerror/fr_dlerror/g;' $(find . -name "*.[ch]" -print)
---
src/include/modpriv.h | 12 ++++++------
src/main/listen.c | 10 +++++-----
src/main/modules.c | 10 +++++-----
src/modules/rlm_cache/rlm_cache.c | 2 +-
src/modules/rlm_eap/eap.c | 2 +-
src/modules/rlm_eap/rlm_eap.h | 2 +-
src/modules/rlm_sql/rlm_sql.c | 2 +-
7 files changed, 20 insertions(+), 20 deletions(-)
diff --git a/src/include/modpriv.h b/src/include/modpriv.h
index d5e2c2392..f69b47c35 100644
--- a/src/include/modpriv.h
+++ b/src/include/modpriv.h
@@ -18,12 +18,12 @@
extern "C" {
#endif
-typedef void *lt_dlhandle;
+typedef void *fr_dlhandle;
-lt_dlhandle lt_dlopenext(char const *name);
-void *lt_dlsym(lt_dlhandle handle, char const *symbol);
-int lt_dlclose(lt_dlhandle handle);
-char const *lt_dlerror(void);
+fr_dlhandle fr_dlopenext(char const *name);
+void *fr_dlsym(fr_dlhandle handle, char const *symbol);
+int fr_dlclose(fr_dlhandle handle);
+char const *fr_dlerror(void);
/*
* Keep track of which modules we've loaded.
@@ -31,7 +31,7 @@ char const *lt_dlerror(void);
typedef struct module_entry_t {
char name[MAX_STRING_LEN];
module_t const *module;
- lt_dlhandle handle;
+ fr_dlhandle handle;
} module_entry_t;
typedef struct fr_module_hup_t fr_module_hup_t;
diff --git a/src/main/listen.c b/src/main/listen.c
index 65e5c8bf1..5bf9c7b8a 100644
--- a/src/main/listen.c
+++ b/src/main/listen.c
@@ -2936,7 +2936,7 @@ static const FR_NAME_NUMBER listen_compare[] = {
{ NULL, 0 },
};
-static int _free_proto_handle(lt_dlhandle *handle)
+static int _free_proto_handle(fr_dlhandle *handle)
{
dlclose(*handle);
return 0;
@@ -2949,7 +2949,7 @@ static rad_listen_t *listen_parse(CONF_SECTION *cs, char const *server)
rad_listen_t *this;
CONF_PAIR *cp;
char const *value;
- lt_dlhandle handle;
+ fr_dlhandle handle;
CONF_SECTION *server_cs;
char buffer[32];
@@ -2968,10 +2968,10 @@ static rad_listen_t *listen_parse(CONF_SECTION *cs, char const *server)
}
snprintf(buffer, sizeof(buffer), "proto_%s", value);
- handle = lt_dlopenext(buffer);
+ handle = fr_dlopenext(buffer);
if (handle) {
fr_protocol_t *proto;
- lt_dlhandle *marker;
+ fr_dlhandle *marker;
proto = dlsym(handle, buffer);
if (!proto) {
@@ -2990,7 +2990,7 @@ static rad_listen_t *listen_parse(CONF_SECTION *cs, char const *server)
/*
* Ensure handle gets closed if config section gets freed
*/
- marker = talloc(cs, lt_dlhandle);
+ marker = talloc(cs, fr_dlhandle);
*marker = handle;
talloc_set_destructor(marker, _free_proto_handle);
diff --git a/src/main/modules.c b/src/main/modules.c
index 885cbee21..91218dd5f 100644
--- a/src/main/modules.c
+++ b/src/main/modules.c
@@ -155,7 +155,7 @@ static int check_module_magic(CONF_SECTION *cs, module_t const *module)
return 0;
}
-lt_dlhandle lt_dlopenext(char const *name)
+fr_dlhandle fr_dlopenext(char const *name)
{
int flags = RTLD_NOW;
void *handle;
@@ -273,19 +273,19 @@ lt_dlhandle lt_dlopenext(char const *name)
return handle;
}
-void *lt_dlsym(lt_dlhandle handle, char const *symbol)
+void *fr_dlsym(fr_dlhandle handle, char const *symbol)
{
return dlsym(handle, symbol);
}
-int lt_dlclose(lt_dlhandle handle)
+int fr_dlclose(fr_dlhandle handle)
{
if (!handle) return 0;
return dlclose(handle);
}
-char const *lt_dlerror(void)
+char const *fr_dlerror(void)
{
return dlerror();
}
@@ -516,7 +516,7 @@ static module_entry_t *module_dlopen(CONF_SECTION *cs, char const *module_name)
/*
* Keep the handle around so we can dlclose() it.
*/
- handle = lt_dlopenext(module_name);
+ handle = fr_dlopenext(module_name);
if (!handle) {
cf_log_err_cs(cs, "Failed to link to module '%s': %s", module_name, fr_strerror());
return NULL;
diff --git a/src/modules/rlm_cache/rlm_cache.c b/src/modules/rlm_cache/rlm_cache.c
index 76ba6a442..248de8bf9 100644
--- a/src/modules/rlm_cache/rlm_cache.c
+++ b/src/modules/rlm_cache/rlm_cache.c
@@ -712,7 +712,7 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance)
/*
* Load the appropriate driver for our database
*/
- inst->handle = lt_dlopenext(inst->driver_name);
+ inst->handle = fr_dlopenext(inst->driver_name);
if (!inst->handle) {
cf_log_err_cs(conf, "Could not link driver %s: %s", inst->driver_name, dlerror());
cf_log_err_cs(conf, "Make sure it (and all its dependent libraries!) are in the search path"
diff --git a/src/modules/rlm_eap/eap.c b/src/modules/rlm_eap/eap.c
index d9660ed42..b03654fed 100644
--- a/src/modules/rlm_eap/eap.c
+++ b/src/modules/rlm_eap/eap.c
@@ -125,7 +125,7 @@ int eap_module_instantiate(rlm_eap_t *inst, eap_module_t **m_inst, eap_type_t nu
/*
* Link the loaded EAP-Type
*/
- method->handle = lt_dlopenext(mod_name);
+ method->handle = fr_dlopenext(mod_name);
if (!method->handle) {
ERROR("rlm_eap (%s): Failed to link %s: %s", inst->xlat_name, mod_name, fr_strerror());
diff --git a/src/modules/rlm_eap/rlm_eap.h b/src/modules/rlm_eap/rlm_eap.h
index 0edf462bd..384f7f78d 100644
--- a/src/modules/rlm_eap/rlm_eap.h
+++ b/src/modules/rlm_eap/rlm_eap.h
@@ -36,7 +36,7 @@ RCSIDH(rlm_eap_h, "$Id$")
typedef struct eap_module {
char const *name;
rlm_eap_module_t *type;
- lt_dlhandle handle;
+ fr_dlhandle handle;
CONF_SECTION *cs;
void *instance;
} eap_module_t;
diff --git a/src/modules/rlm_sql/rlm_sql.c b/src/modules/rlm_sql/rlm_sql.c
index fafcd6353..e005f79a2 100644
--- a/src/modules/rlm_sql/rlm_sql.c
+++ b/src/modules/rlm_sql/rlm_sql.c
@@ -843,7 +843,7 @@ static int mod_bootstrap(CONF_SECTION *conf, void *instance)
*
* We need this to check if the sql_fields callback is provided.
*/
- inst->handle = lt_dlopenext(inst->config->sql_driver_name);
+ inst->handle = fr_dlopenext(inst->config->sql_driver_name);
if (!inst->handle) {
ERROR("Could not link driver %s: %s", inst->config->sql_driver_name, fr_strerror());
ERROR("Make sure it (and all its dependent libraries!) are in the search path of your system's ld");
--
2.11.0

6284
freeradius-Support-OpenSSL-v1.1.0.patch
View File

File diff suppressed because it is too large Load Diff

16
freeradius-Use-system-crypto-policy-by-default.patch
View File

@ -1,4 +1,4 @@
From f6ca45b1bab63cbb75d81de3c17b8e7c43983acc Mon Sep 17 00:00:00 2001
From 20779164a67f77bd9530a9c5ac9cfbe249977db9 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 26 Sep 2016 19:48:36 +0300
Subject: [PATCH] Use system crypto policy by default
@ -11,7 +11,7 @@ Subject: [PATCH] Use system crypto policy by default
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 5c99b09d4..83b5f95c7 100644
index 9659db1cd..b1ece3ad0 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -323,7 +323,7 @@ eap {
@ -21,8 +21,8 @@ index 5c99b09d4..83b5f95c7 100644
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
# Work-arounds for OpenSSL nonsense
# OpenSSL 1.0.1f and 1.0.1g do not calculate
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
diff --git a/raddb/mods-available/inner-eap b/raddb/mods-available/inner-eap
index 2b4df6267..af9aa88cd 100644
--- a/raddb/mods-available/inner-eap
@ -50,7 +50,7 @@ index 79d74e6fc..d04d6be89 100644
cache {
enable = no
diff --git a/raddb/sites-available/tls b/raddb/sites-available/tls
index eb60fa57b..9b340d2af 100644
index c9555e1c7..a34d009a7 100644
--- a/raddb/sites-available/tls
+++ b/raddb/sites-available/tls
@@ -197,7 +197,7 @@ listen {
@ -60,9 +60,9 @@ index eb60fa57b..9b340d2af 100644
- cipher_list = "DEFAULT"
+ cipher_list = "PROFILE=SYSTEM"
#
# Session resumption / fast reauthentication
@@ -493,7 +493,7 @@ home_server tls {
# If enabled, OpenSSL will use server cipher list
# (possibly defined by cipher_list option above)
@@ -501,7 +501,7 @@ home_server tls {
# Set this option to specify the allowed
# TLS cipher suites. The format is listed
# in "man 1 ciphers".

8
freeradius-redhat-config.patch
View File

@ -1,4 +1,4 @@
From 1d732eca0c45ea670202f7cb643dc533d831b422 Mon Sep 17 00:00:00 2001
From f703a845b46ea8fc4af5938038abedb4ac78004c Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Mon, 8 Sep 2014 12:32:13 +0300
Subject: [PATCH] Adjust configuration to fit Red Hat specifics
@ -9,10 +9,10 @@ Subject: [PATCH] Adjust configuration to fit Red Hat specifics
2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/raddb/mods-available/eap b/raddb/mods-available/eap
index 0e8d5caef..5c99b09d4 100644
index 427016c66..9659db1cd 100644
--- a/raddb/mods-available/eap
+++ b/raddb/mods-available/eap
@@ -462,7 +462,7 @@ eap {
@@ -470,7 +470,7 @@ eap {
#
# You should also delete all of the files
# in the directory when the server starts.
@ -21,7 +21,7 @@ index 0e8d5caef..5c99b09d4 100644
# The command used to verify the client cert.
# We recommend using the OpenSSL command-line
@@ -476,7 +476,7 @@ eap {
@@ -484,7 +484,7 @@ eap {
# in PEM format. This file is automatically
# deleted by the server when the command
# returns.

49
freeradius-suid-down-after-fchown.-Fixes-1914.patch
View File

@ -1,49 +0,0 @@
From ea411c1bc571aae541e609d4501184f21c67c10f Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok" <aland@freeradius.org>
Date: Thu, 16 Feb 2017 10:59:22 -0500
Subject: [PATCH] suid down after fchown. Fixes #1914
(cherry picked from commit a408998ab22c4e3e443e53bdf07eff4986f26132)
---
src/main/mainconfig.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/src/main/mainconfig.c b/src/main/mainconfig.c
index 43bc2b136..938a47ae2 100644
--- a/src/main/mainconfig.c
+++ b/src/main/mainconfig.c
@@ -643,15 +643,6 @@ static int switch_users(CONF_SECTION *cs)
}
/*
- * Once we're done with all of the privileged work,
- * permanently change the UID.
- */
- if (do_suid) {
- rad_suid_set_down_uid(server_uid);
- rad_suid_down();
- }
-
- /*
* If we don't already have a log file open, open one
* now. We may not have been logging anything yet. The
* server normally starts up fairly quietly.
@@ -685,6 +676,15 @@ static int switch_users(CONF_SECTION *cs)
}
/*
+ * Once we're done with all of the privileged work,
+ * permanently change the UID.
+ */
+ if (do_suid) {
+ rad_suid_set_down_uid(server_uid);
+ rad_suid_down();
+ }
+
+ /*
* This also clears the dumpable flag if core dumps
* aren't allowed.
*/
--
2.11.0

22
freeradius.spec
View File

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.12
Release: 3%{?dist}
Version: 3.0.13
Release: 1%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons
URL: http://www.freeradius.org/
@ -23,13 +23,6 @@ Source104: freeradius-tmpfiles.conf
Patch1: freeradius-redhat-config.patch
Patch2: freeradius-Use-system-crypto-policy-by-default.patch
Patch3: freeradius-Fix-three-cases-of-comparing-pointer-to-zero-char.patch
Patch4: freeradius-Support-OpenSSL-v1.1.0.patch
Patch5: freeradius-suid-down-after-fchown.-Fixes-1914.patch
Patch6: freeradius-Handle-hostnames-in-fr_pton4-6.patch
Patch7: freeradius-Rename-lt_-to-fr_-.-Fixes-1277.patch
Patch8: freeradius-Remove-mentions-of-Auth-Type-System-from-docs.patch
Patch9: freeradius-Improve-ip-v4-v6-addr-documentation.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -197,13 +190,6 @@ This plugin provides the REST support for the FreeRADIUS server project.
# mistakenly includes the backup files, especially problematic for raddb config files.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build
# Force compile/link options, extra security for network facing daemon
@ -805,6 +791,10 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog
* Tue Mar 07 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.13-1
- Upgrade to upstream v3.0.13 release.
See upstream ChangeLog for details (in freeradius-doc subpackage).
* Tue Feb 21 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.12-3
- Do not fail logrotate if radiusd is not running.
- Fix output to log file specified with -l option.

2
sources
View File

@ -1 +1 @@
SHA512 (freeradius-server-3.0.12.tar.bz2) = a79797b7d783083a926960c53e928c4fc06a77b77ec12d1ed80f2dbeec5add5ae4162be439ec3258fc9b7d85a1c709e586dcb5e0238065a3aff0a1f93de88b2f
SHA512 (freeradius-server-3.0.13.tar.bz2) = 3184eb19e70a217706fceb22675be0e51f713f60d7341e7ee6e4e87d58e7efb948192d6206433d76de6b440633b31f4f897839751597370fe9c784d7c3eef30b