Add missing changes to service files so kea starts as non-root

- Fix startup failures during upgrade due to wrong permissions and ownership Resolves: RHEL-52291
2024-08-19 10:44:02 +02:00 · 2024-08-19 10:44:02 +02:00 · 80eb1b3b52
commit 80eb1b3b52
parent 9b6f6b1278
5 changed files with 25 additions and 2 deletions
--- a/kea-ctrl-agent.service
+++ b/kea-ctrl-agent.service
@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target

 [Service]
+User=kea
 ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure

 [Install]
 WantedBy=multi-user.target
--- a/kea-dhcp-ddns.service
+++ b/kea-dhcp-ddns.service
@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target

 [Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=/bin/kill -HUP $MAINPID

 [Install]
 WantedBy=multi-user.target
--- a/kea-dhcp4.service
+++ b/kea-dhcp4.service
@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target

 [Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
 ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=kill -HUP $MAINPID

 [Install]
 WantedBy=multi-user.target
--- a/kea-dhcp6.service
+++ b/kea-dhcp6.service
@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target

 [Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=/bin/kill -HUP $MAINPID

 [Install]
 WantedBy=multi-user.target
--- a/kea.spec
+++ b/kea.spec
@ -94,7 +94,7 @@ BuildRequires: gnupg2

 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %upstream_name_compat %{upstream_name}
-Requires: util-linux
+Requires: coreutils util-linux
 %{?systemd_requires}
 %{?sysusers_requires_compat}

@ -263,6 +263,18 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
 %sysusers_create_compat %{S:16}

 %post
+# Kea runs under kea user instead of root now, but if its files got altered, their new
+# ownership&permissions won't get changed so fix them to prevent startup failures
+[ "`stat --format '%U:%G' %{_rundir}/kea/logger_lockfile 2>&1 | grep root:root`" = "root:root" ] \
+    && chown kea:kea %{_rundir}/kea/logger_lockfile
+[ "`stat --format '%U:%G' %{_sharedstatedir}/kea/kea-leases4.csv 2>&1 | grep root:root`" = "root:root" ] \
+    && chown kea:kea %{_sharedstatedir}/kea/kea-leases4.csv && chmod 0640 %{_sharedstatedir}/kea/kea-leases4.csv
+[ "`stat --format '%U:%G' %{_sharedstatedir}/kea/kea-leases6.csv 2>&1 | grep root:root`" = "root:root" ] \
+    && chown kea:kea %{_sharedstatedir}/kea/kea-leases6.csv && chmod 0640 %{_sharedstatedir}/kea/kea-leases6.csv
+[ "`stat --format '%U:%G' %{_sharedstatedir}/kea/kea-dhcp6-serverid 2>&1 | grep root:root`" = "root:root" ] \
+    && chown kea:kea %{_sharedstatedir}/kea/kea-dhcp6-serverid
+[ "`stat --format '%U:%G' %{_sysconfdir}/kea/kea*.conf 2>&1 | grep root:root | head -1`" = "root:root" ] \
+    && chown root:kea %{_sysconfdir}/kea/kea*.conf && chmod 0640 %{_sysconfdir}/kea/kea*.conf
 %systemd_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service

 %preun
@ -271,7 +283,6 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
 %postun
 %systemd_postun_with_restart kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service

-
 %ldconfig_scriptlets libs