rpms/unbound
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Added unbound-initgroups-r1453.patch to properly drop group root

Browse Source
This commit is contained in:
Paul Wouters 2009-05-20 16:17:12 +00:00
parent 7a4cedca67
commit 17c9b5a493
2 changed files with 107 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

105
unbound-initgroups-r1453.patch Normal file
View File

@ -0,0 +1,105 @@
commit b1a2731277dd0939572901bf018afa7a0debdb54
Author: wouter <wouter@be551aaa-1e26-0410-a405-d3ace91eadb9>
Date: Thu Feb 5 11:12:01 2009 +0000
call initgroups.
git-svn-id: http://unbound.nlnetlabs.nl/svn/trunk@1453 be551aaa-1e26-0410-a405-d3ace91eadb9
diff --git a/config.h.in b/config.h.in
index 956224d..aa7ce2d 100644
--- a/config.h.in
+++ b/config.h.in
@@ -85,6 +85,9 @@
/* Define to 1 if you have the `gmtime_r' function. */
#undef HAVE_GMTIME_R
+/* Define to 1 if you have the <grp.h> header file. */
+#undef HAVE_GRP_H
+
/* If you have HMAC_CTX_init */
#undef HAVE_HMAC_CTX_INIT
@@ -97,6 +100,9 @@
/* Define to 1 if you have the `inet_pton' function. */
#undef HAVE_INET_PTON
+/* Define to 1 if you have the `initgroups' function. */
+#undef HAVE_INITGROUPS
+
/* Define to 1 if you have the <inttypes.h> header file. */
#undef HAVE_INTTYPES_H
diff --git a/configure b/configure
index a823b0b..0b1f96a 100755
--- a/configure
+++ b/configure
@@ -19961,7 +19961,8 @@ fi
-for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h
+
+for ac_header in stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h
do
as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_header" >&5
@@ -25282,7 +25283,8 @@ fi
-for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob
+
+for ac_func in tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob initgroups
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
{ echo "$as_me:$LINENO: checking for $ac_func" >&5
diff --git a/configure.ac b/configure.ac
index bd000bc..48a4385 100644
--- a/configure.ac
+++ b/configure.ac
@@ -480,7 +480,7 @@ AC_PROG_LIBTOOL
# Checks for header files.
AC_HEADER_STDC
-AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([stdarg.h stdbool.h netinet/in.h sys/param.h sys/socket.h sys/uio.h sys/resource.h arpa/inet.h syslog.h netdb.h sys/wait.h pwd.h glob.h grp.h],,, [AC_INCLUDES_DEFAULT])
# check for types
AC_CHECK_TYPE(int8_t, char)
@@ -854,7 +854,7 @@ AC_CHECK_GETADDRINFO_WITH_INCLUDES
if test $ac_cv_func_getaddrinfo = no; then
AC_LIBOBJ([fake-rfc2553])
fi
-AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob])
+AC_CHECK_FUNCS([tzset sigprocmask fcntl getpwnam getrlimit setsid sbrk chroot kill sleep usleep random srandom recvmsg sendmsg writev setresuid setreuid setresgid setregid glob initgroups])
# check if setreuid en setregid fail, on MacOSX10.4(darwin8).
if echo $build_os | grep darwin8 > /dev/null; then
diff --git a/daemon/unbound.c b/daemon/unbound.c
index 09767a4..6c5fb6f 100644
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -56,6 +56,9 @@
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
+#ifdef HAVE_GRP_H
+#include <grp.h>
+#endif
#ifdef HAVE_SYS_RESOURCE_H
#include <sys/resource.h>
@@ -451,6 +454,11 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
/* drop permissions after chroot, getpwnam, pidfile, syslog done*/
#ifdef HAVE_GETPWNAM
if(cfg->username && cfg->username[0]) {
+#ifdef HAVE_INITGROUPS
+ if(initgroups(cfg->username, gid) != 0)
+ log_warn("unable to initgroups %s: %s",
+ cfg->username, strerror(errno));
+#endif
#ifdef HAVE_SETRESGID
if(setresgid(gid,gid,gid) != 0)
#elif defined(HAVE_SETREGID) && !defined(DARWIN_BROKEN_SETREUID)

2
unbound.spec
View File

@ -9,6 +9,7 @@ Source1: unbound.init
Source2: unbound.conf Source2: unbound.conf
Source3: unbound.munin Source3: unbound.munin
Patch0: unbound-iterator.patch Patch0: unbound-iterator.patch
Patch1: unbound-initgroups-r1453.patch
Group: System Environment/Daemons Group: System Environment/Daemons
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: flex, openssl-devel >= 0.9.8g-12, ldns-devel >= 1.5.0, BuildRequires: flex, openssl-devel >= 0.9.8g-12, ldns-devel >= 1.5.0,
@ -64,6 +65,7 @@ Contains libraries used by the unbound server and client applications
%prep %prep
%setup -q %setup -q
%patch0 %patch0
%patch1 -p1
%build %build
%configure --with-ldns= --with-libevent --with-pthreads --with-ssl \ %configure --with-ldns= --with-libevent --with-pthreads --with-ssl \