Hi, I've made & uploaded (to /incoming) pidentd-3.0.11-1mdk.src.rpm. I updated it from 3.0.10 to 3.0.11 and in the process had to drop pidentd-3.0.10-security.patch.bz2. I think it should be OK, since 3.0.11 fixes this see the diff between the patched 3.0.10 src/main.c and 3.0.11's version (of course, I'm not a programmer, so I can't judge this, but it looks OK). Please consider for updating in cooker. Thanks!! Stefan PS: It also compiles on alpha now ;-)
--- pidentd-3.0.10/src/main.c Mon Jun 12 14:48:52 2000 +++ pidentd-3.0.11/src/main.c Sun May 21 22:44:15 2000 @@ -90,6 +90,21 @@ __DATE__, __TIME__); } +void +drop_root_privs(void) +{ + if (server_uid == NO_UID) + { + if (str2uid("nobody", &server_uid, &server_gid) < 0) + server_uid = ROOT_UID; + } + + if (server_gid != ROOT_GID) + setgid(server_gid); + + if (server_uid != ROOT_UID) + setuid(server_uid); +} int main(int argc, char *argv[]) @@ -358,32 +373,6 @@ } } -/* On Linux, threads do not share UIDs, so we must drop privileges before - spawing threads. Fortunately we do not need to be root or even kmem to - read /proc and find open tcp connections - [EMAIL PROTECTED] */ - - if (server_uid == NO_UID) - { - if (str2uid("nobody", &server_uid, &server_gid) < 0) - server_uid = ROOT_UID; - } - - if (server_gid != ROOT_GID) { - setgroups(0, NULL); - setgid(server_gid); - } - - if (server_uid != ROOT_UID) - setuid(server_uid); - - if (kernel_init() < 0) - { - if (debug) - fprintf(stderr, "%s: failed opening kernel devices\n", - argv[0]); - goto Exit; - } - #ifdef HAVE_LIBDES if (encrypt_flag) { @@ -401,6 +390,26 @@ } #endif +/* Sigh - stupid Linux handles threads like... Anyway, we'll have to + add this kludge to work around the fact that threads in Linux can + have different uid's... Luckily Linux doesn't need root to get at + the needed information anyway. */ +#ifdef __linux__ + drop_root_privs(); +#endif + + if (kernel_init() < 0) + { + if (debug) + fprintf(stderr, "%s: failed opening kernel devices\n", + argv[0]); + goto Exit; + } + +#ifndef __linux__ + drop_root_privs(); +#endif + timeout_init(); request_init();
%define name pidentd %define version 3.0.11 %define release 1mdk Summary: An implementation of the RFC1413 identification server. Name: %{name} Version: %{version} Release: %{release} Copyright: Public domain/GPL Group: System/Servers Source: ftp://ftp.lysator.liu.se/pub/unix/ident/servers/%{name}-%{version}.tar.bz2 Patch0: pidentd-3.0.8-dummy.patch.bz2 #Patch1: pidentd-3.0.10-security.patch.bz2 Patch2: pidentd-3.0.10-install.patch.bz2 BuildRoot: %{_tmppath}/%{name}-buildroot Prefix: %{_prefix} Requires: /sbin/chkconfig /usr/bin/perl fileutils %description The pidentd package contains identd, which implements the RFC1413 identification server. Identd looks up specific TCP/IP connections and returns either the user name or other information about the process that owns the connection. %prep %setup -q %patch0 -p1 -b .dummy #%patch1 -p1 -b .dropprivs %patch2 -p1 -b .inst %build %configure --sysconfdir=/etc --with-threads=yes if [ x"$SMP" != x"" ]; then (make MAKE="make -j $SMP -k" ; exit 0) make else make fi %install rm -rf $RPM_BUILD_ROOT mkdir -p $RPM_BUILD_ROOT/usr/{sbin,man/man8} make prefix=${RPM_BUILD_ROOT}%{_prefix} install ln -s identd ${RPM_BUILD_ROOT}%{_prefix}/sbin/in.identd ln -s identd.8 ${RPM_BUILD_ROOT}%{_prefix}/sbin/in.identd.8 mkdir -p ${RPM_BUILD_ROOT}/etc/rc.d/{init,rc0,rc1,rc2,rc3,rc4,rc5,rc6}.d install -m 0644 etc/identd.conf $RPM_BUILD_ROOT/etc/identd.conf install -m 0644 etc/identd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/identd %clean rm -rf $RPM_BUILD_ROOT %post /sbin/chkconfig --add identd /usr/bin/perl -i -pe 's/^(\s*auth\s.*)/#$1/' /etc/inetd.conf %preun if [ "$1" = 0 ]; then /sbin/chkconfig --del identd fi %files %defattr(-,root,root) %doc BUGS ChangeLog FAQ INSTALL README Y2K doc/rfc1413.txt doc/sgi_irix.txt %{_prefix}/sbin/* %attr(0644,root,root) %config /etc/identd.conf %attr(0755,root,root) %config /etc/rc.d/init.d/identd %{_prefix}/man/man8/* %changelog * Mon Jun 12 2000 Stefan van der Eijk <[EMAIL PROTECTED]> 3.0.11-1mdk - updated to 3.0.11 - removed 3.0.10 security patch (fixed in 3.0.11) * Mon Apr 03 2000 François Pons <[EMAIL PROTECTED]> 3.0.10-1mdk - spec file update. - updated with 3.0.10 and rh patches. * Sat Apr 01 2000 François Pons <[EMAIL PROTECTED]> 2.8.5-8mdk - updated Group. * Sun Oct 31 1999 Axalon Bloodstone <[EMAIL PROTECTED]> - SMp check/build * Fri Jul 09 1999 Axalon Bloodstone <[EMAIL PROTECTED]> - add example cfg - refixed dangling BuildRoot in man page - add to cooker * Wed Jun 02 1999 Axalon Bloodstone <[EMAIL PROTECTED]> - Added pidentd+fm-1.1 patch for masq support * Wed May 05 1999 Bernhard Rosenkraenzer <[EMAIL PROTECTED]> - Mandrake adaptions * Sun Mar 21 1999 Cristian Gafton <[EMAIL PROTECTED]> - auto rebuild in the new build environment (release 3) * Fri Mar 19 1999 Jeff Johnson <[EMAIL PROTECTED]> - strip binaries. * Fri Mar 12 1999 Jeff Johnson <[EMAIL PROTECTED]> - update to 2.8.5. - fix dangling BuildRoot in man page (#1458). * Thu Nov 12 1998 Jeff Johnson <[EMAIL PROTECTED]> - update to 2.8.4. * Mon Aug 17 1998 Jeff Johnson <[EMAIL PROTECTED]> - build root * Mon Apr 27 1998 Prospector System <[EMAIL PROTECTED]> - translations modified for de, fr, tr * Thu Oct 21 1997 Cristian Gafton <[EMAIL PROTECTED]> - updated to 2.7 * Fri Jul 18 1997 Erik Troan <[EMAIL PROTECTED]> - built against glibc
2c2 < %define version 3.0.10 --- > %define version 3.0.11 13c13 < Patch1: pidentd-3.0.10-security.patch.bz2 --- > #Patch1: pidentd-3.0.10-security.patch.bz2 28c28 < %patch1 -p1 -b .dropprivs --- > #%patch1 -p1 -b .dropprivs 75a76,79 > * Mon Jun 12 2000 Stefan van der Eijk <[EMAIL PROTECTED]> 3.0.11-1mdk > - updated to 3.0.11 > - removed 3.0.10 security patch (fixed in 3.0.11) >