[dhcp/f16] Do not run dhcpd as root (BZ#699713)
Jiří Popelka
jpopelka at fedoraproject.org
Fri Aug 12 13:24:55 UTC 2011
commit 5e88c7bbd079229953eceb8ccbc00f0c3a91586f
Author: Jiri Popelka <jpopelka at redhat.com>
Date: Fri Aug 12 14:50:08 2011 +0200
Do not run dhcpd as root (BZ#699713)
Use '--enable-paranoia --enable-early-chroot' configure flags
Create/delete dhcpd user in %post/%postun
Run dhcpd/dhcpd6 services with '-user dhcpd -group dhcpd'
dhcp.spec | 20 ++++++++++++++++++--
dhcpd.service | 2 +-
dhcpd6.service | 2 +-
3 files changed, 20 insertions(+), 4 deletions(-)
---
diff --git a/dhcp.spec b/dhcp.spec
index 5954127..bb4d53b 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -16,7 +16,7 @@
Summary: Dynamic host configuration protocol software
Name: dhcp
Version: 4.2.2
-Release: 1%{?dist}
+Release: 2%{?dist}
# NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
# dcantrell maintaining the package) made incorrect use of the epoch and
# that's why it is at 12 now. It should have never been used, but it was.
@@ -366,7 +366,8 @@ CFLAGS="%{optflags} -fno-strict-aliasing -D_GNU_SOURCE" \
--with-ldap \
--with-ldapcrypto \
--with-libbind=%{_includedir} --with-libbind-libs=%{_libdir} \
- --disable-static
+ --disable-static \
+ --enable-paranoia --enable-early-chroot
%{__make} %{?_smp_mflags}
%install
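Review bot: Enabling `--enable-paranoia` only makes the `-user`/`-group` switches available; nothing in this diff changes the ownership of the files dhcpd must still write after it drops privileges (its lease database and anything else under its state directory). If those stay root-owned in the files list, the server starts as root, changes to dhcpd and then fails on its first lease write, so the files section should be checked for dhcpd-owned attributes on them. Separately, `--enable-early-chroot` only takes effect when the daemon is started with `-chroot`, which no hunk in this commit adds, so it appears to be inert here unless supplied via $DHCPDARGS. The `%build` section continues outside the hunk.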
@@ -488,6 +489,9 @@ fi
# Initial installation
if [ $1 -eq 1 ] ; then
+# create system user/group dhcpd
+ useradd --system dhcpd
+
/bin/systemctl daemon-reload >/dev/null 2>&1 || :
fi
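Review bot: The account is created only on initial installation (`if [ $1 -eq 1 ]`), so a system upgrading from 4.2.2-1 never gets a dhcpd user, yet the new unit files pass `-user dhcpd -group dhcpd`, and the service will refuse to start after the upgrade. `useradd --system dhcpd` is also unguarded: if the account already exists (pre-created by an administrator, or left behind by an earlier removal) it returns non-zero and the scriptlet fails. Creating the account in a `%pre` scriptlet, unconditionally and idempotently with `getent` guards, fixes both and also makes the account exist before the package's files are laid down, so per-file ownership in the files list can reference it. The enclosing `%post` scriptlet starts before the hunk.
```spec
%pre
# account used by -user/-group; must exist on upgrade as well as on
# first install, and before the files are laid down so ownership applies
getent group dhcpd >/dev/null || groupadd -r dhcpd
getent passwd dhcpd >/dev/null || \
  useradd -r -g dhcpd -s /sbin/nologin -c "DHCP server" dhcpd
```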
@@ -530,6 +534,12 @@ if [ $1 -ge 1 ]; then
/bin/systemctl try-restart dhcrelay.service >/dev/null 2>&1 || :
fi
+# uninstall
+if [ $1 -eq 0 ]; then
+# delete user/group dhcpd
+ userdel dhcpd
+fi
+
%post libs -p /sbin/ldconfig
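Review bot: `userdel dhcpd` runs without the `|| :` that every other command in this scriptlet carries (see the `try-restart` line above it), so any failure — account already gone, or a dhcpd process still running under it — makes `%postun` exit non-zero. Beyond that, deleting a system account on package removal is generally discouraged: any files it still owns (lease database, logs) are left with a dangling UID that the next system account created on the host can inherit. The safer change is to drop this block and leave the account in place; if it must stay, at minimum `userdel dhcpd >/dev/null 2>&1 || :`. The enclosing `%postun` scriptlet starts before the hunk.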
@@ -629,6 +639,12 @@ fi
%{_initddir}/dhcrelay
%changelog
+* Fri Aug 12 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.2-2
+- #699713:
+ - Use '--enable-paranoia --enable-early-chroot' configure flags
+ - Create/delete dhcpd user in %%post/%%postun
+ - Run dhcpd/dhcpd6 services with '-user dhcpd -group dhcpd'
+
* Thu Aug 11 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.2-1
- 4.2.2: fix for CVE-2011-2748, CVE-2011-2749 (#729850)
diff --git a/dhcpd.service b/dhcpd.service
index 3e36c25..c9a73a1 100644
--- a/dhcpd.service
+++ b/dhcpd.service
@@ -4,7 +4,7 @@ After=syslog.target network.target
[Service]
EnvironmentFile=/etc/sysconfig/dhcpd
-ExecStart=/usr/sbin/dhcpd -d --no-pid $DHCPDARGS
+ExecStart=/usr/sbin/dhcpd -d -user dhcpd -group dhcpd --no-pid $DHCPDARGS
[Install]
WantedBy=multi-user.target
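Review bot: `-user dhcpd -group dhcpd` on the ExecStart line is only parsed by a dhcpd built with `--enable-paranoia`, which this commit turns on in dhcp.spec, and it also depends on the dhcpd account existing, which the spec creates only in `%post`; neither dependency is visible from the unit file. A comment above ExecStart recording both, e.g. `# -user/-group need the --enable-paranoia build; the dhcpd account is created by the dhcp package scriptlets`, would keep the unit and the spec from drifting apart. The same applies to the identical change in dhcpd6.service. Note that neither unit passes `-chroot`, so the `--enable-early-chroot` build option has no runtime effect unless $DHCPDARGS supplies it.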
diff --git a/dhcpd6.service b/dhcpd6.service
index 0e38429..33f145a 100644
--- a/dhcpd6.service
+++ b/dhcpd6.service
@@ -4,7 +4,7 @@ After=syslog.target network.target
[Service]
EnvironmentFile=/etc/sysconfig/dhcpd6
-ExecStart=/usr/sbin/dhcpd -6 -d --no-pid $DHCPDARGS
+ExecStart=/usr/sbin/dhcpd -d -6 -user dhcpd -group dhcpd --no-pid $DHCPDARGS
[Install]
WantedBy=multi-user.target