From 80eb1b3b522b235ef4ea9b42bb230079a0312840 Mon Sep 17 00:00:00 2001
From: Martin Osvald
Date: Mon, 19 Aug 2024 10:44:02 +0200
Subject: [PATCH] Add missing changes to service files so kea starts as non-root

- Fix startup failures during upgrade due to wrong permissions and ownership
Resolves: RHEL-52291
---
 kea-ctrl-agent.service | 3 +++
 kea-dhcp-ddns.service | 3 +++
 kea-dhcp4.service | 3 +++
 kea-dhcp6.service | 3 +++
 kea.spec | 15 +++++++++++++--
 5 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/kea-ctrl-agent.service b/kea-ctrl-agent.service
index b5c860c..f40396a 100644
--- a/kea-ctrl-agent.service
+++ b/kea-ctrl-agent.service
@@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target
 [Service]
+User=kea
 ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
 [Install]
 WantedBy=multi-user.target
diff --git a/kea-dhcp-ddns.service b/kea-dhcp-ddns.service
index 5fdbe0b..e252375 100644
--- a/kea-dhcp-ddns.service
+++ b/kea-dhcp-ddns.service
@@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target
 [Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=/bin/kill -HUP $MAINPID
 [Install]
 WantedBy=multi-user.target
diff --git a/kea-dhcp4.service b/kea-dhcp4.service
index 0a72768..eea0227 100644
--- a/kea-dhcp4.service
+++ b/kea-dhcp4.service
@@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target
 [Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
 ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=kill -HUP $MAINPID
 [Install]
 WantedBy=multi-user.target
diff --git a/kea-dhcp6.service b/kea-dhcp6.service
index e1fc05a..6911bee 100644
--- a/kea-dhcp6.service
+++ b/kea-dhcp6.service
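Review bot: `Restart=on-failure` is added only in the kea-ctrl-agent.service hunk; the kea-dhcp-ddns, kea-dhcp4 and kea-dhcp6 hunks in the same patch add `User=` and `ExecReload=` but no restart policy, so a DHCP daemon that exits abnormally stays down while the control agent is restarted. If the asymmetry is not deliberate, add `Restart=on-failure` to the three other units as well; if it is, a one-line comment above the directive saying why only the agent restarts would help. The unit's [Unit] section starts outside the hunk.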
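Review bot: In kea-dhcp-ddns.service the new `AmbientCapabilities=CAP_NET_BIND_SERVICE` grants the capability, but the bounding set is left at its default, so a setuid or file-capability binary executed by the service could still pick up more than the unit intends. Pair the grant with `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=yes`; the same applies to the kea-dhcp4 hunk (bounding set `CAP_NET_BIND_SERVICE CAP_NET_RAW`) and the kea-dhcp6 hunk, and kea-ctrl-agent.service, which is given no capability, can take an empty `CapabilityBoundingSet=`. It is also worth confirming that this daemon binds a port below 1024 in the shipped configuration at all; if it does not, the capability line can be dropped.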
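Review bot: `ExecReload=kill -HUP $MAINPID` in kea-dhcp4.service names the executable without a path, while the other three units in this patch use `/bin/kill`. Older systemd releases reject a non-absolute executable and newer ones resolve it against a built-in search path, so whether reload works for this unit depends on the systemd version it runs under. Use `ExecReload=/bin/kill -HUP $MAINPID` as in the sibling units.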
@@ -6,8 +6,11 @@ After=network-online.target
 After=time-sync.target
 [Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
 ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
 Environment=KEA_PIDFILE_DIR=/var/run/kea
+ExecReload=/bin/kill -HUP $MAINPID
 [Install]
 WantedBy=multi-user.target
diff --git a/kea.spec b/kea.spec
index b13b363..3ab0d2c 100644
--- a/kea.spec
+++ b/kea.spec
@@ -94,7 +94,7 @@ BuildRequires: gnupg2
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %upstream_name_compat %{upstream_name}
-Requires: util-linux
+Requires: coreutils util-linux
 %{?systemd_requires}
 %{?sysusers_requires_compat}
@@ -263,6 +263,18 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
 %sysusers_create_compat %{S:16}
 %post
+# Kea runs under kea user instead of root now, but if its files got altered, their new
+# ownership&permissions won't get changed so fix them to prevent startup failures
+[ "`stat --format '%U:%G' %{_rundir}/kea/logger_lockfile 2>&1 | grep root:root`" = "root:root" ] \
+ && chown kea:kea %{_rundir}/kea/logger_lockfile
+[ "`stat --format '%U:%G' %{_sharedstatedir}/kea/kea-leases4.csv 2>&1 | grep root:root`" = "root:root" ] \
+ && chown kea:kea %{_sharedstatedir}/kea/kea-leases4.csv && chmod 0640 %{_sharedstatedir}/kea/kea-leases4.csv
+[ "`stat --format '%U:%G' %{_sharedstatedir}/kea/kea-leases6.csv 2>&1 | grep root:root`" = "root:root" ] \
+ && chown kea:kea %{_sharedstatedir}/kea/kea-leases6.csv && chmod 0640 %{_sharedstatedir}/kea/kea-leases6.csv
+[ "`stat --format '%U:%G' %{_sharedstatedir}/kea/kea-dhcp6-serverid 2>&1 | grep root:root`" = "root:root" ] \
+ && chown kea:kea %{_sharedstatedir}/kea/kea-dhcp6-serverid
+[ "`stat --format '%U:%G' %{_sysconfdir}/kea/kea*.conf 2>&1 | grep root:root | head -1`" = "root:root" ] \
+ && chown root:kea %{_sysconfdir}/kea/kea*.conf && chmod 0640 %{_sysconfdir}/kea/kea*.conf
 %systemd_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
 %preun
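Review bot: `Requires: coreutils util-linux` in kea.spec covers stat, chown, chmod and head for the %post scriptlet added later in this patch, but that scriptlet also pipes through grep, which no dependency names. Because these tools are needed when the scriptlet runs rather than at service run time, the dependency is better stated as `Requires(post): coreutils grep`, leaving `Requires: util-linux` as it was. The package preamble continues outside the hunk.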
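Review bot: The ownership fix-ups added to %post in kea.spec run as root on paths inside directories that the kea user may be able to write to once the service runs unprivileged (directory ownership is not visible in this hunk), and both `chown` and `chmod` follow symbolic links by default. Skip symlinks, use `chown -h`, and compare the `stat` output directly instead of through `2>&1 | grep`, which also removes the grep dependency and the backticks. The `kea*.conf` line additionally rewrites every matching file as soon as one of them is root:root; checking each file on its own is more predictable. The rewrite below keeps the same targets, owners and modes.

```spec
%post
# … unchanged: comment explaining why ownership is corrected on upgrade …
fix_owner() {
    # $1 = owner:group, $2 = mode (empty to leave the mode alone), rest = files
    _og=$1; _mode=$2; shift 2
    for _f in "$@"; do
        # regular files only; never act through a symlink
        [ -f "$_f" ] && [ ! -L "$_f" ] || continue
        [ "$(stat --format '%U:%G' "$_f" 2>/dev/null)" = "root:root" ] || continue
        chown -h "$_og" "$_f"
        [ -z "$_mode" ] || chmod "$_mode" "$_f"
    done
}
fix_owner kea:kea "" %{_rundir}/kea/logger_lockfile %{_sharedstatedir}/kea/kea-dhcp6-serverid
fix_owner kea:kea 0640 %{_sharedstatedir}/kea/kea-leases4.csv %{_sharedstatedir}/kea/kea-leases6.csv
fix_owner root:kea 0640 %{_sysconfdir}/kea/kea*.conf
# … unchanged: systemd_post macro call for the four units …
```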
@@ -271,7 +283,6 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
 %postun
 %systemd_postun_with_restart kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
-
 %ldconfig_scriptlets libs