Do not run as root and restrict file access

Resolves: RHEL-52291
2024-08-06 09:21:10 +02:00 · 2024-08-06 09:21:10 +02:00 · e0d522870d
commit e0d522870d
parent dec6708ab2
4 changed files with 25 additions and 12 deletions
--- a/kea-tmpfiles.d.conf
+++ b/kea-tmpfiles.d.conf
@ -1,5 +0,0 @@
-# kea needs existing /run/kea/ to create logger_lockfile there
-# See tmpfiles.d(5) for details
-
-d /run/kea 0755 root root -
-
--- a/kea.spec
+++ b/kea.spec
@ -32,7 +32,8 @@ Source11:       kea-dhcp4.service
 Source12:       kea-dhcp6.service
 Source13:       kea-dhcp-ddns.service
 Source14:       kea-ctrl-agent.service
-Source15:       kea-tmpfiles.d.conf
+Source15:       systemd-tmpfiles.conf
+Source16:       systemd-sysusers.conf

 Patch1:         kea-openssl-version.patch
 Patch2:         kea-gtest.patch
@ -43,6 +44,10 @@ BuildRequires: boost-devel
 BuildRequires: gcc-c++
 # %%configure --with-openssl
 BuildRequires: openssl-devel
+%if 0%{?fedora} > 40
+# https://bugzilla.redhat.com/show_bug.cgi?id=2300868#c4
+BuildRequires: openssl-devel-engine
+%endif
 %if 0%{?fedora} || 0%{?rhel} > 7
 # %%configure --with-mysql
 BuildRequires: mariadb-connector-c-devel
@ -81,6 +86,7 @@ BuildRequires: python3-devel
 # in case you ever wanted to use %%configure --enable-generate-docs
 #BuildRequires: elinks asciidoc plantuml
 BuildRequires: systemd
+BuildRequires: systemd-rpm-macros
 BuildRequires: python3-sphinx
 BuildRequires: python3-sphinx_rtd_theme
 BuildRequires: make
@ -89,9 +95,8 @@ BuildRequires: gnupg2
 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %upstream_name_compat %{upstream_name}
 Requires: util-linux
-Requires(post): systemd
-Requires(preun): systemd
-Requires(postun): systemd
+%{?systemd_requires}
+%{?sysusers_requires_compat}


 %description
@ -237,6 +242,9 @@ install -Dpm 0644 %{S:12} %{buildroot}%{_unitdir}/kea-dhcp6.service
 install -Dpm 0644 %{S:13} %{buildroot}%{_unitdir}/kea-dhcp-ddns.service
 install -Dpm 0644 %{S:14} %{buildroot}%{_unitdir}/kea-ctrl-agent.service

+# systemd-sysusers
+install -p -D -m 0644 %{S:16} %{buildroot}%{_sysusersdir}/kea.conf
+
 # Start empty lease databases
 mkdir -p %{buildroot}%{_sharedstatedir}/kea/
 touch %{buildroot}%{_sharedstatedir}/kea/kea-leases4.csv
@ -251,6 +259,9 @@ install -dm 0755 %{buildroot}/run/kea/
 install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf


+%pre
+%sysusers_create_compat %{S:16}
+
 %post
 %systemd_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service

@ -278,10 +289,10 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
 %{_sbindir}/perfdhcp
 %{_unitdir}/kea*.service
 %dir %{_sysconfdir}/kea/
-%config(noreplace) %{_sysconfdir}/kea/kea*.conf
+%config(noreplace) %attr(640,root,kea) %{_sysconfdir}/kea/kea*.conf
 %{_datarootdir}/kea
-%dir %{_sharedstatedir}/kea
-%config(noreplace) %{_sharedstatedir}/kea/kea-leases*.csv
+%dir %attr(750,kea,kea) %{_sharedstatedir}/kea
+%config(noreplace) %attr(640,kea,kea) %{_sharedstatedir}/kea/kea-leases*.csv
 %{python3_sitelib}/kea
 %{_mandir}/man8/kea-admin.8*
 %{_mandir}/man8/kea-ctrl-agent.8*
@ -297,6 +308,7 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
 %{_mandir}/man8/perfdhcp.8*
 %dir /run/kea/
 %{_tmpfilesdir}/kea.conf
+%{_sysusersdir}/kea.conf

 %files doc
 %dir %{_pkgdocdir}
--- a/systemd-sysusers.conf
+++ b/systemd-sysusers.conf
@ -0,0 +1,2 @@
+g kea -
+u kea -:kea "Kea DHCP Server" /var/lib/kea
--- a/systemd-tmpfiles.conf
+++ b/systemd-tmpfiles.conf
@ -0,0 +1,4 @@
+# kea needs existing /run/kea/ to create logger_lockfile and pidfile there
+# See tmpfiles.d(5) for details
+
+d /run/kea 0755 kea kea -