Hi,
I've made & uploaded (to /incoming) pidentd-3.0.11-1mdk.src.rpm.
I updated it from 3.0.10 to 3.0.11 and in the process had to drop
pidentd-3.0.10-security.patch.bz2.
I think it should be OK, since 3.0.11 fixes this see the diff
between the patched 3.0.10 src/main.c and 3.0.11's version (of
course, I'm not a programmer, so I can't judge this, but it looks
OK).
Please consider for updating in cooker. Thanks!!
Stefan
PS: It also compiles on alpha now ;-)
--- pidentd-3.0.10/src/main.c Mon Jun 12 14:48:52 2000
+++ pidentd-3.0.11/src/main.c Sun May 21 22:44:15 2000
@@ -90,6 +90,21 @@
__DATE__, __TIME__);
}
+void
+drop_root_privs(void)
+{
+ if (server_uid == NO_UID)
+ {
+ if (str2uid("nobody", &server_uid, &server_gid) < 0)
+ server_uid = ROOT_UID;
+ }
+
+ if (server_gid != ROOT_GID)
+ setgid(server_gid);
+
+ if (server_uid != ROOT_UID)
+ setuid(server_uid);
+}
int
main(int argc, char *argv[])
@@ -358,32 +373,6 @@
}
}
-/* On Linux, threads do not share UIDs, so we must drop privileges before
- spawing threads. Fortunately we do not need to be root or even kmem to
- read /proc and find open tcp connections - [EMAIL PROTECTED] */
-
- if (server_uid == NO_UID)
- {
- if (str2uid("nobody", &server_uid, &server_gid) < 0)
- server_uid = ROOT_UID;
- }
-
- if (server_gid != ROOT_GID) {
- setgroups(0, NULL);
- setgid(server_gid);
- }
-
- if (server_uid != ROOT_UID)
- setuid(server_uid);
-
- if (kernel_init() < 0)
- {
- if (debug)
- fprintf(stderr, "%s: failed opening kernel devices\n",
- argv[0]);
- goto Exit;
- }
-
#ifdef HAVE_LIBDES
if (encrypt_flag)
{
@@ -401,6 +390,26 @@
}
#endif
+/* Sigh - stupid Linux handles threads like... Anyway, we'll have to
+ add this kludge to work around the fact that threads in Linux can
+ have different uid's... Luckily Linux doesn't need root to get at
+ the needed information anyway. */
+#ifdef __linux__
+ drop_root_privs();
+#endif
+
+ if (kernel_init() < 0)
+ {
+ if (debug)
+ fprintf(stderr, "%s: failed opening kernel devices\n",
+ argv[0]);
+ goto Exit;
+ }
+
+#ifndef __linux__
+ drop_root_privs();
+#endif
+
timeout_init();
request_init();
%define name pidentd
%define version 3.0.11
%define release 1mdk
Summary: An implementation of the RFC1413 identification server.
Name: %{name}
Version: %{version}
Release: %{release}
Copyright: Public domain/GPL
Group: System/Servers
Source: ftp://ftp.lysator.liu.se/pub/unix/ident/servers/%{name}-%{version}.tar.bz2
Patch0: pidentd-3.0.8-dummy.patch.bz2
#Patch1: pidentd-3.0.10-security.patch.bz2
Patch2: pidentd-3.0.10-install.patch.bz2
BuildRoot: %{_tmppath}/%{name}-buildroot
Prefix: %{_prefix}
Requires: /sbin/chkconfig /usr/bin/perl fileutils
%description
The pidentd package contains identd, which implements the RFC1413
identification server. Identd looks up specific TCP/IP connections
and returns either the user name or other information about the
process that owns the connection.
%prep
%setup -q
%patch0 -p1 -b .dummy
#%patch1 -p1 -b .dropprivs
%patch2 -p1 -b .inst
%build
%configure --sysconfdir=/etc --with-threads=yes
if [ x"$SMP" != x"" ]; then
(make MAKE="make -j $SMP -k" ; exit 0)
make
else
make
fi
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/usr/{sbin,man/man8}
make prefix=${RPM_BUILD_ROOT}%{_prefix} install
ln -s identd ${RPM_BUILD_ROOT}%{_prefix}/sbin/in.identd
ln -s identd.8 ${RPM_BUILD_ROOT}%{_prefix}/sbin/in.identd.8
mkdir -p ${RPM_BUILD_ROOT}/etc/rc.d/{init,rc0,rc1,rc2,rc3,rc4,rc5,rc6}.d
install -m 0644 etc/identd.conf $RPM_BUILD_ROOT/etc/identd.conf
install -m 0644 etc/identd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/identd
%clean
rm -rf $RPM_BUILD_ROOT
%post
/sbin/chkconfig --add identd
/usr/bin/perl -i -pe 's/^(\s*auth\s.*)/#$1/' /etc/inetd.conf
%preun
if [ "$1" = 0 ]; then
/sbin/chkconfig --del identd
fi
%files
%defattr(-,root,root)
%doc BUGS ChangeLog FAQ INSTALL README Y2K doc/rfc1413.txt doc/sgi_irix.txt
%{_prefix}/sbin/*
%attr(0644,root,root) %config /etc/identd.conf
%attr(0755,root,root) %config /etc/rc.d/init.d/identd
%{_prefix}/man/man8/*
%changelog
* Mon Jun 12 2000 Stefan van der Eijk <[EMAIL PROTECTED]> 3.0.11-1mdk
- updated to 3.0.11
- removed 3.0.10 security patch (fixed in 3.0.11)
* Mon Apr 03 2000 François Pons <[EMAIL PROTECTED]> 3.0.10-1mdk
- spec file update.
- updated with 3.0.10 and rh patches.
* Sat Apr 01 2000 François Pons <[EMAIL PROTECTED]> 2.8.5-8mdk
- updated Group.
* Sun Oct 31 1999 Axalon Bloodstone <[EMAIL PROTECTED]>
- SMp check/build
* Fri Jul 09 1999 Axalon Bloodstone <[EMAIL PROTECTED]>
- add example cfg
- refixed dangling BuildRoot in man page
- add to cooker
* Wed Jun 02 1999 Axalon Bloodstone <[EMAIL PROTECTED]>
- Added pidentd+fm-1.1 patch for masq support
* Wed May 05 1999 Bernhard Rosenkraenzer <[EMAIL PROTECTED]>
- Mandrake adaptions
* Sun Mar 21 1999 Cristian Gafton <[EMAIL PROTECTED]>
- auto rebuild in the new build environment (release 3)
* Fri Mar 19 1999 Jeff Johnson <[EMAIL PROTECTED]>
- strip binaries.
* Fri Mar 12 1999 Jeff Johnson <[EMAIL PROTECTED]>
- update to 2.8.5.
- fix dangling BuildRoot in man page (#1458).
* Thu Nov 12 1998 Jeff Johnson <[EMAIL PROTECTED]>
- update to 2.8.4.
* Mon Aug 17 1998 Jeff Johnson <[EMAIL PROTECTED]>
- build root
* Mon Apr 27 1998 Prospector System <[EMAIL PROTECTED]>
- translations modified for de, fr, tr
* Thu Oct 21 1997 Cristian Gafton <[EMAIL PROTECTED]>
- updated to 2.7
* Fri Jul 18 1997 Erik Troan <[EMAIL PROTECTED]>
- built against glibc
2c2
< %define version 3.0.10
---
> %define version 3.0.11
13c13
< Patch1: pidentd-3.0.10-security.patch.bz2
---
> #Patch1: pidentd-3.0.10-security.patch.bz2
28c28
< %patch1 -p1 -b .dropprivs
---
> #%patch1 -p1 -b .dropprivs
75a76,79
> * Mon Jun 12 2000 Stefan van der Eijk <[EMAIL PROTECTED]> 3.0.11-1mdk
> - updated to 3.0.11
> - removed 3.0.10 security patch (fixed in 3.0.11)
>
