From 17c9b5a49366fa421164cb2a3d5b8332bc2edcc4 Mon Sep 17 00:00:00 2001
From: Paul Wouters
Date: Wed, 20 May 2009 16:17:12 +0000
Subject: [PATCH] Added unbound-initgroups-r1453.patch to properly drop group root

---
 unbound-initgroups-r1453.patch | 105 +++++++++++++++++++++++++++++++++
 unbound.spec | 2 +
 2 files changed, 107 insertions(+)
 create mode 100644 unbound-initgroups-r1453.patch

diff --git a/unbound-initgroups-r1453.patch b/unbound-initgroups-r1453.patch
new file mode 100644
index 0000000..061c1f8
--- /dev/null
+++ b/unbound-initgroups-r1453.patch
@@ -0,0 +1,105 @@
+commit b1a2731277dd0939572901bf018afa7a0debdb54
+Author: wouter
+Date: Thu Feb 5 11:12:01 2009 +0000
+
+ call initgroups.
+
+
+ git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@1453 be551aaa-1e26-0410-a405-d3ace91eadb9
+
+diff --git a/config.h.in b/config.h.in
+index 956224d..aa7ce2d 100644
+--- a/config.h.in
++++ b/config.h.in
+@@ -85,6 +85,9 @@
+ /* Define to 1 if you have the `gmtime_r' function. */
+ #undef HAVE_GMTIME_R
+ 
++/* Define to 1 if you have the header file. */
++#undef HAVE_GRP_H
++
+ /* If you have HMAC_CTX_init */
+ #undef HAVE_HMAC_CTX_INIT
+ 
+@@ -97,6 +100,9 @@
+ /* Define to 1 if you have the `inet_pton' function. */
+ #undef HAVE_INET_PTON
+ 
++/* Define to 1 if you have the `initgroups' function. */
++#undef HAVE_INITGROUPS
++
+ /* Define to 1 if you have the header file. */
+ #undef HAVE_INTTYPES_H
+ 
+diff --git a/configure b/configure
+index a823b0b..0b1f96a 100755
+--- a/configure
++++ b/configure
+@@ -19961,7 +19961,8 @@ fi
+ 
+ 
+ 
+-for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h
++
++for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h
+ do
+ as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
+ { echo "$as_me:$LINENO: checking for $ac_header" >&5
+@@ -25282,7 +25283,8 @@ fi
+ 
+ 
+ 
+-for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob
++
++for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob initgroups
+ do
+ as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ { echo "$as_me:$LINENO: checking for $ac_func" >&5
+diff --git a/configure.ac b/configure.ac
+index bd000bc..48a4385 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -480,7 +480,7 @@ AC_PROG_LIBTOOL
+ 
+ # Checks for header files.
+ AC_HEADER_STDC
+-AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h],,, [AC_INCLUDES_DEFAULT])
++AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h],,, [AC_INCLUDES_DEFAULT])
+ 
+ # check for types
+ AC_CHECK_TYPE(int8_t, char)
+@@ -854,7 +854,7 @@ AC_CHECK_GETADDRINFO_WITH_INCLUDES
+ if test $ac_cv_func_getaddrinfo = no; then
+ AC_LIBOBJ([fake-rfc2553])
+ fi
+-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob])
++AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob initgroups])
+ 
+ # check if setreuid en setregid fail, on MacOSX10.4(darwin8).
+ if echo $build_os | grep darwin8 > /dev/null; then
+diff --git a/daemon/unbound.c b/daemon/unbound.c
+index 09767a4..6c5fb6f 100644
+--- a/daemon/unbound.c
++++ b/daemon/unbound.c
+@@ -56,6 +56,9 @@
+ #ifdef HAVE_PWD_H
+ #include
+ #endif
++#ifdef HAVE_GRP_H
++#include
++#endif
+ 
+ #ifdef HAVE_SYS_RESOURCE_H
+ #include
+@@ -451,6 +454,11 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
+ /* drop permissions after chroot, getpwnam, pidfile, syslog done*/
+ #ifdef HAVE_GETPWNAM
+ if(cfg->username && cfg->username[0]) {
++#ifdef HAVE_INITGROUPS
++ if(initgroups(cfg->username, gid) != 0)
++ log_warn("unable to initgroups %s: %s",
++ cfg->username, strerror(errno));
++#endif
+ #ifdef HAVE_SETRESGID
+ if(setresgid(gid,gid,gid) != 0)
+ #elif defined(HAVE_SETREGID) && !defined(DARWIN_BROKEN_SETREUID)
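Review bot: A failed initgroups() in the daemon/unbound.c part of the embedded patch (`++ if(initgroups(cfg->username, gid) != 0)`) is only reported with log_warn, so the daemon continues with the supplementary-group list inherited from the process that started it (normally root's) while the rest of the drop proceeds as if it had succeeded, which defeats the purpose stated in the commit title. Presumably the setresgid/setregid branch right after it aborts startup on failure — perform_setup continues past the end of the hunk, so that cannot be confirmed here — and the initgroups failure should take that same fatal path with the same message rather than a warning. The placement before the gid/uid change is correct, since initgroups needs the still-held privilege to set the group list. The `configure` hunks are autoconf output regenerated from `configure.ac`, so only the `configure.ac` lines need review.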
diff --git a/unbound.spec b/unbound.spec
index 13630f6..c0e9c55 100644
--- a/unbound.spec
+++ b/unbound.spec
@@ -9,6 +9,7 @@ Source1: unbound.init
 Source2: unbound.conf
 Source3: unbound.munin
 Patch0: unbound-iterator.patch
+Patch1: unbound-initgroups-r1453.patch
 Group: System Environment/Daemons
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: flex, openssl-devel >= 0.9.8g-12, ldns-devel >= 1.5.0,
@@ -64,6 +65,7 @@ Contains libraries used by the unbound server and client applications %prep %setup -q %patch0 +%patch1 -p1 %build %configure --with-ldns= --with-libevent --with-pthreads --with-ssl \