[dhcp] Do not run dhcpd as root (BZ#699713)

Jiří Popelka jpopelka at fedoraproject.org
Fri Aug 12 13:25:28 UTC 2011


commit d7e74c83b387ead9d34110c68337c632f8b964e6
Author: Jiri Popelka <jpopelka at redhat.com>
Date:   Fri Aug 12 14:50:08 2011 +0200

    Do not run dhcpd as root (BZ#699713)
    
    Use '--enable-paranoia --enable-early-chroot' configure flags
    Create/delete dhcpd user in %post/%postun
    Run dhcpd/dhcpd6 services with '-user dhcpd -group dhcpd'

 dhcp.spec      |   20 ++++++++++++++++++--
 dhcpd.service  |    2 +-
 dhcpd6.service |    2 +-
 3 files changed, 20 insertions(+), 4 deletions(-)
---
diff --git a/dhcp.spec b/dhcp.spec
index 40d21f8..471bd5b 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -16,7 +16,7 @@
 Summary:  Dynamic host configuration protocol software
 Name:     dhcp
 Version:  4.2.2
-Release:  1%{?dist}
+Release:  2%{?dist}
 # NEVER CHANGE THE EPOCH on this package.  The previous maintainer (prior to
 # dcantrell maintaining the package) made incorrect use of the epoch and
 # that's why it is at 12 now.  It should have never been used, but it was.
@@ -366,7 +366,8 @@ CFLAGS="%{optflags} -fno-strict-aliasing -D_GNU_SOURCE" \
     --with-ldap \
     --with-ldapcrypto \
     --with-libbind=%{_includedir} --with-libbind-libs=%{_libdir} \
-    --disable-static
+    --disable-static \
+    --enable-paranoia --enable-early-chroot
 %{__make} %{?_smp_mflags}
 
 %install
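Review bot: The two new configure flags carry no comment saying what they enable, and `--enable-early-chroot` looks inert as shipped. Neither unit file in this commit passes `-chroot`, so only the `-user`/`-group` part of the paranoia support is exercised unless an administrator adds `-chroot` through DHCPDARGS. I would add a comment above the configure call such as `# paranoia: enables dhcpd's -user/-group/-chroot options; early-chroot: chroot before the config is read (only with -chroot DIR)`. The configure invocation starts outside the hunk.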
@@ -488,6 +489,9 @@ fi
 
 # Initial installation 
 if [ $1 -eq 1 ] ; then 
+#   create system user/group dhcpd
+    useradd --system dhcpd
+
     /bin/systemctl daemon-reload >/dev/null 2>&1 || :
 fi
 
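Review bot: The `useradd --system dhcpd` call runs only when `$1 -eq 1`, so a system upgrading from 4.2.2-1 never gets the account. The unit files changed in this same commit start passing `-user dhcpd -group dhcpd`, so the daemon would presumably fail to start after such an upgrade. The call is also unguarded, so it reports an error when the account already exists. Moving it out of the first-install branch and making it idempotent covers both cases: `getent passwd dhcpd >/dev/null || useradd --system --shell /sbin/nologin dhcpd`. The %post scriptlet starts outside the hunk.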
@@ -530,6 +534,12 @@ if [ $1 -ge 1 ]; then
     /bin/systemctl try-restart dhcrelay.service >/dev/null 2>&1 || :
 fi
 
+# uninstall
+if [ $1 -eq 0 ]; then
+#   delete user/group dhcpd
+    userdel dhcpd
+fi
+
 
 %post libs -p /sbin/ldconfig
 
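Review bot: Removing the account with `userdel dhcpd` on uninstall leaves any files the daemon may have created owned by a bare UID, which a later-created account can be assigned and so inherit access to them. `userdel` also fails while a process is still running as that user, and here the failure is not masked the way the `systemctl` calls above it are. I would drop the block and leave the account in place, or at minimum write `userdel dhcpd >/dev/null 2>&1 || :`. The %postun scriptlet starts outside the hunk.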
@@ -629,6 +639,12 @@ fi
 %{_initddir}/dhcrelay
 
 %changelog
+* Fri Aug 12 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.2-2
+- #699713:
+  - Use '--enable-paranoia --enable-early-chroot' configure flags
+  - Create/delete dhcpd user in %%post/%%postun
+  - Run dhcpd/dhcpd6 services with '-user dhcpd -group dhcpd'
+
 * Thu Aug 11 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.2-1
 - 4.2.2: fix for CVE-2011-2748, CVE-2011-2749 (#729850)
 
diff --git a/dhcpd.service b/dhcpd.service
index 3e36c25..c9a73a1 100644
--- a/dhcpd.service
+++ b/dhcpd.service
@@ -4,7 +4,7 @@ After=syslog.target network.target
 
 [Service]
 EnvironmentFile=/etc/sysconfig/dhcpd
-ExecStart=/usr/sbin/dhcpd -d --no-pid $DHCPDARGS
+ExecStart=/usr/sbin/dhcpd -d -user dhcpd -group dhcpd --no-pid $DHCPDARGS
 
 [Install]
 WantedBy=multi-user.target
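Review bot: With `-user dhcpd -group dhcpd` the daemon gives up root after startup, but nothing visible in this commit changes the ownership of the lease database or its directory, which the package presumably still ships root-owned. If dhcpd rewrites its lease file after the privilege drop, it needs write access there, so the spec should hand that path to dhcpd:dhcpd in %files or %post; this is worth confirming on a running server. The same applies to the dhcpd6.service hunk. A comment above ExecStart such as `# dhcpd drops to dhcpd:dhcpd itself after binding its sockets as root, hence no User=` would also explain why the unit does not use systemd's own setting.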
diff --git a/dhcpd6.service b/dhcpd6.service
index 0e38429..33f145a 100644
--- a/dhcpd6.service
+++ b/dhcpd6.service
@@ -4,7 +4,7 @@ After=syslog.target network.target
 
 [Service]
 EnvironmentFile=/etc/sysconfig/dhcpd6
-ExecStart=/usr/sbin/dhcpd -6 -d --no-pid $DHCPDARGS
+ExecStart=/usr/sbin/dhcpd -d -6 -user dhcpd -group dhcpd --no-pid $DHCPDARGS
 
 [Install]
 WantedBy=multi-user.target

