[dhcp] Move changing of the effective user/group ID after writing new PID file.
Jiří Popelka
jpopelka at fedoraproject.org
Thu Oct 20 12:39:50 UTC 2011
commit 278bc558755124a402fccfec7a88110d1fa1af07
Author: Jiri Popelka <jpopelka at redhat.com>
Date: Thu Oct 20 14:36:38 2011 +0200
Move changing of the effective user/group ID after writing new PID file.
dhcp-4.2.2-paranoia-pid.patch | 49 +++++++++++++++++++++++++++++++++++++++++
dhcp.spec | 30 +++++++++++++++++-------
2 files changed, 70 insertions(+), 9 deletions(-)
---
diff --git a/dhcp-4.2.2-paranoia-pid.patch b/dhcp-4.2.2-paranoia-pid.patch
new file mode 100644
index 0000000..c74f4e2
--- /dev/null
+++ b/dhcp-4.2.2-paranoia-pid.patch
@@ -0,0 +1,49 @@
+diff -up dhcp-4.2.2/server/dhcpd.c.paranoia-pid dhcp-4.2.2/server/dhcpd.c
+--- dhcp-4.2.2/server/dhcpd.c.paranoia-pid 2011-09-12 16:07:01.000000000 +0200
++++ dhcp-4.2.2/server/dhcpd.c 2011-09-12 16:08:55.680988466 +0200
+@@ -791,22 +791,6 @@ main(int argc, char **argv) {
+ exit (0);
+ }
+
+-#if defined (PARANOIA)
+- /* change uid to the specified one */
+-
+- if (set_gid) {
+- if (setgroups (0, (void *)0))
+- log_fatal ("setgroups: %m");
+- if (setgid (set_gid))
+- log_fatal ("setgid(%d): %m", (int) set_gid);
+- }
+-
+- if (set_uid) {
+- if (setuid (set_uid))
+- log_fatal ("setuid(%d): %m", (int) set_uid);
+- }
+-#endif /* PARANOIA */
+-
+ /*
+ * Deal with pid files. If the user told us
+ * not to write a file we don't read one either
+@@ -843,6 +827,22 @@ main(int argc, char **argv) {
+ }
+ }
+
++#if defined (PARANOIA)
++ /* change uid to the specified one */
++
++ if (set_gid) {
++ if (setgroups (0, (void *)0))
++ log_fatal ("setgroups: %m");
++ if (setgid (set_gid))
++ log_fatal ("setgid(%d): %m", (int) set_gid);
++ }
++
++ if (set_uid) {
++ if (setuid (set_uid))
++ log_fatal ("setuid(%d): %m", (int) set_uid);
++ }
++#endif /* PARANOIA */
++
+ /* If we were requested to log to stdout on the command line,
+ keep doing so; otherwise, stop. */
+ if (log_perror == -1)
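Review bot: In the relocated PARANOIA block, `setgroups (0, (void *)0)` is still nested inside `if (set_gid)`, so if the option parsing outside this hunk can leave `set_gid` at 0 while `set_uid` is set, the process changes uid but keeps root's primary and supplementary groups. Clearing the supplementary groups whenever either id is requested would close that gap, e.g. `if ((set_uid || set_gid) && setgroups (0, (void *)0)) log_fatal ("setgroups: %m");` ahead of the `setgid` call. The move also means the PID-file handling between the old and new positions now runs with full privileges, so the PID file should live in a directory the unprivileged user cannot write to. The block would benefit from a comment saying the drop must stay after the PID-file write, such as `/* drop privileges only after the PID file is written; the target user cannot write to the PID directory */`. `main` begins and ends outside the hunk, so how `set_uid` and `set_gid` are populated is not visible here.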
diff --git a/dhcp.spec b/dhcp.spec
index ddce17d..23f97f7 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -4,6 +4,9 @@
# vendor string (e.g., Fedora, EL)
%global vvendor Fedora
+#http://lists.fedoraproject.org/pipermail/devel/2011-August/155358.html
+%global _hardened_build 1
+
# Where dhcp configuration files are stored
%global dhcpconfdir %{_sysconfdir}/dhcp
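Review bot: The comment above `%global _hardened_build 1` is only a mailing-list URL, so the reason for the macro is lost if the archive link moves. A short statement of intent next to the existing link would help, e.g. `# Hardened build: PIE and full RELRO for the network-facing daemons`. The changelog entry "Really define _hardened_build this time" suggests an earlier attempt did not take effect, so it is worth confirming on the built binaries that the hardening flags were actually applied.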
@@ -19,7 +22,7 @@
Summary: Dynamic host configuration protocol software
Name: dhcp
Version: 4.2.3
-Release: 1%{?dist}
+Release: 2%{?dist}
# NEVER CHANGE THE EPOCH on this package. The previous maintainer (prior to
# dcantrell maintaining the package) made incorrect use of the epoch and
# that's why it is at 12 now. It should have never been used, but it was.
@@ -68,10 +71,11 @@ Patch28: dhcp-4.2.0-noprefixavail.patch
Patch29: dhcp-4.2.2-remove-bind.patch
Patch30: dhcp-4.2.2-sharedlib.patch
Patch31: dhcp-4.2.0-PPP.patch
-Patch32: dhcp-4.2.2-lpf-ib.patch
-Patch33: dhcp-4.2.2-improved-xid.patch
-Patch34: dhcp-4.2.2-gpxe-cid.patch
-Patch35: dhcp-4.2.2-systemtap.patch
+Patch32: dhcp-4.2.2-paranoia-pid.patch
+Patch33: dhcp-4.2.2-lpf-ib.patch
+Patch34: dhcp-4.2.2-improved-xid.patch
+Patch35: dhcp-4.2.2-gpxe-cid.patch
+Patch36: dhcp-4.2.2-systemtap.patch
BuildRequires: autoconf
BuildRequires: automake
@@ -311,14 +315,18 @@ rm bind/bind.tar.gz
# DHCPv6 over PPP support (#626514)
%patch31 -p1 -b .PPP
+# Move changing of the effective user/group ID after writing new PID file.
+# (Submitted to dhcp-bugs at isc.org - [ISC-Bugs #25806])
+%patch32 -p1 -b .paranoia-pid
+
# IPoIB support (#660681)
# (Submitted to dhcp-bugs at isc.org - [ISC-Bugs #24249])
-%patch32 -p1 -b .lpf-ib
-%patch33 -p1 -b .improved-xid
-%patch34 -p1 -b .gpxe-cid
+%patch33 -p1 -b .lpf-ib
+%patch34 -p1 -b .improved-xid
+%patch35 -p1 -b .gpxe-cid
# http://sourceware.org/systemtap/wiki/SystemTap
-%patch35 -p1 -b .systemtap
+%patch36 -p1 -b .systemtap
# Copy in the Fedora/RHEL dhclient script
%{__install} -p -m 0755 %{SOURCE4} client/scripts/linux
@@ -662,6 +670,10 @@ fi
%{_initddir}/dhcrelay
%changelog
+* Thu Oct 20 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.3-2
+- Move changing of the effective user/group ID after writing new PID file.
+- Really define _hardened_build this time
+
* Thu Oct 20 2011 Jiri Popelka <jpopelka at redhat.com> - 12:4.2.3-1
- 4.2.3