Come on people - why did this get dropped???
> Date: Thu, 23 Mar 2006 09:28:27 -0600 (CST)
> From: Jakob Schlyter <[EMAIL PROTECTED]>
> To: ports@openbsd.org
> Subject: patch: isc dhcp with privdrop
> Message-ID: <[EMAIL PROTECTED]>
>
> could users of the isc dhcp please test this patch.
>
> thanks,
>
> jakob
>
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/net/isc-dhcp/Makefile,v
> retrieving revision 1.11
> diff -u -u -r1.11 Makefile
> --- Makefile 16 Aug 2005 18:28:55 -0000 1.11
> +++ Makefile 23 Mar 2006 15:27:55 -0000
> @@ -6,6 +6,7 @@
>
> VERSION= 3.0.3
> DISTNAME= isc-dhcp-${VERSION}
> +PKGNAME= isc-dhcp-${VERSION}p0
> CATEGORIES= net
>
> DISTFILES= dhcp-${VERSION}.tar.gz
> @@ -37,9 +38,12 @@
>
> EXAMPLEDIR= share/examples/isc-dhcp
>
> +do-configure:
> + cd ${WRKSRC} && ./configure \
> + --copts "${CONFIGURE_ARGS} -DPARANOIA -DEARLY_CHROOT ${CFLAGS}"
> +
> post-extract:
> @sed s,y0y0y0,${PREFIX}, < ${FILESDIR}/site.conf >
> ${WRKSRC}/site.conf
> -
>
> post-install:
> ${INSTALL_DATA_DIR} ${PREFIX}/${EXAMPLEDIR}
> Index: patches/patch-paranoia
> ===================================================================
> RCS file: patches/patch-paranoia
> diff -N patches/patch-paranoia
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-paranoia 23 Mar 2006 15:27:55 -0000
> @@ -0,0 +1,168 @@
> +--- server/dhcpd.c Thu Jun 21 22:12:58 2001
> ++++ server/dhcpd.c Wed Oct 17 08:23:00 2001
> +@@ -56,6 +56,16 @@
> + #include "version.h"
> + #include <omapip/omapip_p.h>
> +
> ++#if defined (PARANOIA)
> ++# include <sys/types.h>
> ++# include <unistd.h>
> ++# include <pwd.h>
> ++/* get around the ISC declaration of group */
> ++# define group real_group
> ++# include <grp.h>
> ++# undef group
> ++#endif /* PARANOIA */
> ++
> + static void usage PROTO ((void));
> +
> + TIME cur_time;
> +@@ -204,6 +214,22 @@
> + omapi_object_dereference (&listener, MDL);
> + }
> +
> ++#if defined (PARANOIA)
> ++/* to be used in one of two possible scenarios */
> ++static void setup_chroot (char *chroot_dir) {
> ++ if (geteuid())
> ++ log_fatal ("you must be root to use chroot");
> ++
> ++ if (chroot(chroot_dir)) {
> ++ log_fatal ("chroot(\"%s\"): %m", chroot_dir);
> ++ }
> ++ if (chdir ("/")) {
> ++ /* probably permission denied */
> ++ log_fatal ("chdir(\"/\"): %m");
> ++ }
> ++}
> ++#endif /* PARANOIA */
> ++
> + int main (argc, argv, envp)
> + int argc;
> + char **argv, **envp;
> +@@ -236,6 +262,14 @@
> + char *traceinfile = (char *)0;
> + char *traceoutfile = (char *)0;
> + #endif
> ++#if defined (PARANOIA)
> ++ char *set_user = 0;
> ++ char *set_group = 0;
> ++ char *set_chroot = 0;
> ++
> ++ uid_t set_uid = 0;
> ++ gid_t set_gid = 0;
> ++#endif /* PARANOIA */
> +
> + /* Make sure we have stdin, stdout and stderr. */
> + status = open ("/dev/null", O_RDWR);
> +@@ -298,6 +332,20 @@
> + if (++i == argc)
> + usage ();
> + server = argv [i];
> ++#if defined (PARANOIA)
> ++ } else if (!strcmp (argv [i], "-user")) {
> ++ if (++i == argc)
> ++ usage ();
> ++ set_user = argv [i];
> ++ } else if (!strcmp (argv [i], "-group")) {
> ++ if (++i == argc)
> ++ usage ();
> ++ set_group = argv [i];
> ++ } else if (!strcmp (argv [i], "-chroot")) {
> ++ if (++i == argc)
> ++ usage ();
> ++ set_chroot = argv [i];
> ++#endif /* PARANOIA */
> + } else if (!strcmp (argv [i], "-cf")) {
> + if (++i == argc)
> + usage ();
> +@@ -397,6 +445,44 @@
> + trace_seed_stop, MDL);
> + #endif
> +
> ++#if defined (PARANOIA)
> ++ /* get user and group info if those options were given */
> ++ if (set_user) {
> ++ struct passwd *tmp_pwd;
> ++
> ++ if (geteuid())
> ++ log_fatal ("you must be root to set user");
> ++
> ++ if (!(tmp_pwd = getpwnam(set_user)))
> ++ log_fatal ("no such user: %s", set_user);
> ++
> ++ set_uid = tmp_pwd->pw_uid;
> ++
> ++ /* use the user's group as the default gid */
> ++ if (!set_group)
> ++ set_gid = tmp_pwd->pw_gid;
> ++ }
> ++
> ++ if (set_group) {
> ++/* get around the ISC declaration of group */
> ++#define group real_group
> ++ struct group *tmp_grp;
> ++
> ++ if (geteuid())
> ++ log_fatal ("you must be root to set group");
> ++
> ++ if (!(tmp_grp = getgrnam(set_group)))
> ++ log_fatal ("no such group: %s", set_group);
> ++
> ++ set_gid = tmp_grp->gr_gid;
> ++#undef group
> ++ }
> ++
> ++# if defined (EARLY_CHROOT)
> ++ if (set_chroot) setup_chroot (set_chroot);
> ++# endif /* EARLY_CHROOT */
> ++#endif /* PARANOIA */
> ++
> + /* Default to the DHCP/BOOTP port. */
> + if (!local_port)
> + {
> +@@ -500,6 +586,10 @@
> +
> + postconf_initialization (quiet);
> +
> ++#if defined (PARANOIA) && !defined (EARLY_CHROOT)
> ++ if (set_chroot) setup_chroot (set_chroot);
> ++#endif /* PARANOIA && !EARLY_CHROOT */
> ++
> + /* test option should cause an early exit */
> + if (cftest && !lftest)
> + exit(0);
> +@@ -543,6 +633,22 @@
> + exit (0);
> + }
> +
> ++#if defined (PARANOIA)
> ++ /* change uid to the specified one */
> ++
> ++ if (set_gid) {
> ++ if (setgroups (0, (void *)0))
> ++ log_fatal ("setgroups: %m");
> ++ if (setgid (set_gid))
> ++ log_fatal ("setgid(%d): %m", (int) set_gid);
> ++ }
> ++
> ++ if (set_uid) {
> ++ if (setuid (set_uid))
> ++ log_fatal ("setuid(%d): %m", (int) set_uid);
> ++ }
> ++#endif /* PARANOIA */
> ++
> + /* Read previous pid file. */
> + if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) {
> + status = read (i, pbuf, (sizeof pbuf) - 1);
> +@@ -888,6 +994,10 @@
> +
> + log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s",
> + "\n [-cf config-file] [-lf lease-file]",
> ++#if defined (PARANOIA)
> ++ /* meld into the following string */
> ++ "\n [-user user] [-group group] [-chroot dir]"
> ++#endif /* PARANOIA */
> + #if defined (TRACING)
> + "\n [-tf trace-output-file]",
> + "\n [-play trace-input-file]",
> Index: patches/patch-paranoia_perms
> ===================================================================
> RCS file: patches/patch-paranoia_perms
> diff -N patches/patch-paranoia_perms
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-paranoia_perms 23 Mar 2006 15:27:55 -0000
> @@ -0,0 +1,15 @@
> +--- server/dhcpd.c 2003-11-05 14:08:09.000000000 -0800
> ++++ server/dhcpd.c 2003-11-05 14:15:32.000000000 -0800
> +@@ -602,6 +602,12 @@
> + if (lftest)
> + exit (0);
> +
> ++#if defined (PARANOIA)
> ++ /* Set proper permissions... */
> ++ if (lchown (path_dhcpd_db, set_uid, set_gid))
> ++ log_fatal ("lchown(%s, %d, %d): %m", path_dhcpd_db, (int)
> set_uid, (int) set_gid);
> ++#endif /* PARANOIA */
> ++
> + /* Discover all the network interfaces and initialize them. */
> + discover_interfaces (DISCOVER_SERVER);
> +