Re: patch: isc dhcp with privdrop

Peter Valchev Thu, 21 Sep 2006 21:29:35 -0700
Come on people - why did this get dropped???

> Date: Thu, 23 Mar 2006 09:28:27 -0600 (CST)
> From: Jakob Schlyter <[EMAIL PROTECTED]>
> To: ports@openbsd.org
> Subject: patch: isc dhcp with privdrop
> Message-ID: <[EMAIL PROTECTED]>
> 
> could users of the isc dhcp please test this patch.
> 
> thanks,
> 
>       jakob
> 
> 
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/isc-dhcp/Makefile,v
> retrieving revision 1.11
> diff -u -u -r1.11 Makefile
> --- Makefile  16 Aug 2005 18:28:55 -0000      1.11
> +++ Makefile  23 Mar 2006 15:27:55 -0000
> @@ -6,6 +6,7 @@
> 
>  VERSION=     3.0.3
>  DISTNAME=    isc-dhcp-${VERSION}
> +PKGNAME=     isc-dhcp-${VERSION}p0
>  CATEGORIES=  net
> 
>  DISTFILES=   dhcp-${VERSION}.tar.gz
> @@ -37,9 +38,12 @@
> 
>  EXAMPLEDIR=          share/examples/isc-dhcp
> 
> +do-configure:
> +     cd ${WRKSRC} && ./configure \
> +     --copts "${CONFIGURE_ARGS} -DPARANOIA -DEARLY_CHROOT ${CFLAGS}"
> +
>  post-extract:
>       @sed s,y0y0y0,${PREFIX}, < ${FILESDIR}/site.conf > 
>       ${WRKSRC}/site.conf
> -
> 
>  post-install:
>       ${INSTALL_DATA_DIR} ${PREFIX}/${EXAMPLEDIR}
> Index: patches/patch-paranoia
> ===================================================================
> RCS file: patches/patch-paranoia
> diff -N patches/patch-paranoia
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-paranoia    23 Mar 2006 15:27:55 -0000
> @@ -0,0 +1,168 @@
> +--- server/dhcpd.c   Thu Jun 21 22:12:58 2001
> ++++ server/dhcpd.c   Wed Oct 17 08:23:00 2001
> +@@ -56,6 +56,16 @@
> + #include "version.h"
> + #include <omapip/omapip_p.h>
> +
> ++#if defined (PARANOIA)
> ++#  include <sys/types.h>
> ++#  include <unistd.h>
> ++#  include <pwd.h>
> ++/* get around the ISC declaration of group */
> ++#  define group real_group
> ++#    include <grp.h>
> ++#  undef group
> ++#endif /* PARANOIA */
> ++
> + static void usage PROTO ((void));
> +
> + TIME cur_time;
> +@@ -204,6 +214,22 @@
> +     omapi_object_dereference (&listener, MDL);
> + }
> +
> ++#if defined (PARANOIA)
> ++/* to be used in one of two possible scenarios */
> ++static void setup_chroot (char *chroot_dir) {
> ++    if (geteuid())
> ++            log_fatal ("you must be root to use chroot");
> ++
> ++    if (chroot(chroot_dir)) {
> ++            log_fatal ("chroot(\"%s\"): %m", chroot_dir);
> ++    }
> ++    if (chdir ("/")) {
> ++            /* probably permission denied */
> ++            log_fatal ("chdir(\"/\"): %m");
> ++    }
> ++}
> ++#endif /* PARANOIA */
> ++
> + int main (argc, argv, envp)
> +     int argc;
> +     char **argv, **envp;
> +@@ -236,6 +262,14 @@
> +     char *traceinfile = (char *)0;
> +     char *traceoutfile = (char *)0;
> + #endif
> ++#if defined (PARANOIA)
> ++    char *set_user   = 0;
> ++    char *set_group  = 0;
> ++    char *set_chroot = 0;
> ++
> ++    uid_t set_uid = 0;
> ++    gid_t set_gid = 0;
> ++#endif /* PARANOIA */
> +
> +     /* Make sure we have stdin, stdout and stderr. */
> +     status = open ("/dev/null", O_RDWR);
> +@@ -298,6 +332,20 @@
> +                     if (++i == argc)
> +                             usage ();
> +                     server = argv [i];
> ++#if defined (PARANOIA)
> ++            } else if (!strcmp (argv [i], "-user")) {
> ++                    if (++i == argc)
> ++                            usage ();
> ++                    set_user = argv [i];
> ++            } else if (!strcmp (argv [i], "-group")) {
> ++                    if (++i == argc)
> ++                            usage ();
> ++                    set_group = argv [i];
> ++            } else if (!strcmp (argv [i], "-chroot")) {
> ++                    if (++i == argc)
> ++                            usage ();
> ++                    set_chroot = argv [i];
> ++#endif /* PARANOIA */
> +             } else if (!strcmp (argv [i], "-cf")) {
> +                     if (++i == argc)
> +                             usage ();
> +@@ -397,6 +445,44 @@
> +                                          trace_seed_stop, MDL);
> + #endif
> +
> ++#if defined (PARANOIA)
> ++    /* get user and group info if those options were given */
> ++    if (set_user) {
> ++            struct passwd *tmp_pwd;
> ++
> ++            if (geteuid())
> ++                    log_fatal ("you must be root to set user");
> ++
> ++            if (!(tmp_pwd = getpwnam(set_user)))
> ++                    log_fatal ("no such user: %s", set_user);
> ++
> ++            set_uid = tmp_pwd->pw_uid;
> ++
> ++            /* use the user's group as the default gid */
> ++            if (!set_group)
> ++                    set_gid = tmp_pwd->pw_gid;
> ++    }
> ++
> ++    if (set_group) {
> ++/* get around the ISC declaration of group */
> ++#define group real_group
> ++            struct group *tmp_grp;
> ++
> ++            if (geteuid())
> ++                    log_fatal ("you must be root to set group");
> ++
> ++            if (!(tmp_grp = getgrnam(set_group)))
> ++                    log_fatal ("no such group: %s", set_group);
> ++
> ++            set_gid = tmp_grp->gr_gid;
> ++#undef group
> ++    }
> ++
> ++#  if defined (EARLY_CHROOT)
> ++    if (set_chroot) setup_chroot (set_chroot);
> ++#  endif /* EARLY_CHROOT */
> ++#endif /* PARANOIA */
> ++
> +     /* Default to the DHCP/BOOTP port. */
> +     if (!local_port)
> +     {
> +@@ -500,6 +586,10 @@
> +
> +     postconf_initialization (quiet);
> +
> ++#if defined (PARANOIA) && !defined (EARLY_CHROOT)
> ++    if (set_chroot) setup_chroot (set_chroot);
> ++#endif /* PARANOIA && !EARLY_CHROOT */
> ++
> +         /* test option should cause an early exit */
> +     if (cftest && !lftest)
> +             exit(0);
> +@@ -543,6 +633,22 @@
> +                     exit (0);
> +     }
> +
> ++#if defined (PARANOIA)
> ++    /* change uid to the specified one */
> ++
> ++    if (set_gid) {
> ++            if (setgroups (0, (void *)0))
> ++                    log_fatal ("setgroups: %m");
> ++            if (setgid (set_gid))
> ++                    log_fatal ("setgid(%d): %m", (int) set_gid);
> ++    }
> ++
> ++    if (set_uid) {
> ++            if (setuid (set_uid))
> ++                    log_fatal ("setuid(%d): %m", (int) set_uid);
> ++    }
> ++#endif /* PARANOIA */
> ++
> +     /* Read previous pid file. */
> +     if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) {
> +             status = read (i, pbuf, (sizeof pbuf) - 1);
> +@@ -888,6 +994,10 @@
> +
> +     log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s",
> +                "\n             [-cf config-file] [-lf lease-file]",
> ++#if defined (PARANOIA)
> ++               /* meld into the following string */
> ++               "\n             [-user user] [-group group] [-chroot dir]"
> ++#endif /* PARANOIA */
> + #if defined (TRACING)
> +                "\n             [-tf trace-output-file]",
> +                "\n             [-play trace-input-file]",
> Index: patches/patch-paranoia_perms
> ===================================================================
> RCS file: patches/patch-paranoia_perms
> diff -N patches/patch-paranoia_perms
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-paranoia_perms      23 Mar 2006 15:27:55 -0000
> @@ -0,0 +1,15 @@
> +--- server/dhcpd.c   2003-11-05 14:08:09.000000000 -0800
> ++++ server/dhcpd.c   2003-11-05 14:15:32.000000000 -0800
> +@@ -602,6 +602,12 @@
> +     if (lftest)
> +             exit (0);
> +
> ++#if defined (PARANOIA)
> ++    /* Set proper permissions... */
> ++    if (lchown (path_dhcpd_db, set_uid, set_gid))
> ++            log_fatal ("lchown(%s, %d, %d): %m", path_dhcpd_db, (int) 
> set_uid, (int) set_gid);
> ++#endif /* PARANOIA */
> ++
> +     /* Discover all the network interfaces and initialize them. */
> +     discover_interfaces (DISCOVER_SERVER);
> +
Re: patch: isc dhcp with privdrop

Reply via email to
