[bind10] Run BIND10 as named user (use setcap for dhcp servers for now)
Tomas Hozza
thozza at fedoraproject.org
Mon Nov 18 12:08:49 UTC 2013
commit 4eed5bb3168e6066c66674dbd35a223829bae13d
Author: Tomas Hozza <thozza at redhat.com>
Date: Fri Nov 15 10:04:56 2013 +0100
Run BIND10 as named user (use setcap for dhcp servers for now)
Resolves: #1017025
Signed-off-by: Tomas Hozza <thozza at redhat.com>
bind10.service | 4 +---
bind10.spec | 55 +++++++++++++++++++++++++++++++++++++------------------
2 files changed, 38 insertions(+), 21 deletions(-)
---
diff --git a/bind10.service b/bind10.service
index 8ff5310..830f01d 100644
--- a/bind10.service
+++ b/bind10.service
@@ -8,9 +8,7 @@ After=network.target
Type=simple
PIDFile=/run/bind10/bind10.pid
-# Don't run BIND10 as user 'named' because of DHCP server
-#ExecStart=/usr/sbin/bind10 -u named --pid-file /run/bind10/bind10.pid
-ExecStart=/usr/sbin/bind10 --pid-file /run/bind10/bind10.pid
+ExecStart=/usr/sbin/bind10 -u named --pid-file /run/bind10/bind10.pid
[Install]
WantedBy=multi-user.target
diff --git a/bind10.spec b/bind10.spec
index e042452..5413154 100644
--- a/bind10.spec
+++ b/bind10.spec
@@ -9,7 +9,7 @@
Name: bind10
Version: 1.1.0
-Release: 10%{?dist}
+Release: 11%{?dist}
Summary: The Berkeley Internet Name Domain 10 (BIND10) DNS and DHCP suite
License: ISC
@@ -98,27 +98,28 @@ done
# don't distribute b10-resolver as it is not ready for use
# https://bind10.isc.org/ticket/3058#comment:7
-rm -f $RPM_BUILD_ROOT/%{b10libexecdir}/b10-resolver
-rm -f $RPM_BUILD_ROOT/%{_mandir}/man8/b10-resolver*
-rm -f $RPM_BUILD_ROOT/%{b10datadir}/resolver.spec
+rm -f $RPM_BUILD_ROOT%{b10libexecdir}/b10-resolver
+rm -f $RPM_BUILD_ROOT%{_mandir}/man8/b10-resolver*
+rm -f $RPM_BUILD_ROOT%{b10datadir}/resolver.spec
# don't distrubute upstream private key and certificate for b10-cmdctl
-rm -f $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-keyfile.pem
-rm -f $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-certfile.pem
-touch $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-keyfile.pem
-touch $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-certfile.pem
+rm -f $RPM_BUILD_ROOT%{b10sysconfdir}/cmdctl-keyfile.pem
+rm -f $RPM_BUILD_ROOT%{b10sysconfdir}/cmdctl-certfile.pem
+touch $RPM_BUILD_ROOT%{b10sysconfdir}/cmdctl-keyfile.pem
+touch $RPM_BUILD_ROOT%{b10sysconfdir}/cmdctl-certfile.pem
# claim ownership of files created when configuring or running bind10
-touch $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-accounts.csv
-touch $RPM_BUILD_ROOT/%{b10localstatedir}/b10-config.db
-touch $RPM_BUILD_ROOT/%{b10localstatedir}/logger_lockfile
+touch $RPM_BUILD_ROOT%{b10sysconfdir}/cmdctl-accounts.csv
+touch $RPM_BUILD_ROOT%{b10localstatedir}/b10-config.db
+touch $RPM_BUILD_ROOT%{b10localstatedir}/logger_lockfile
+touch $RPM_BUILD_ROOT%{b10localstatedir}/msgq_socket
# Package those files via %%doc
-rm -f $RPM_BUILD_ROOT/%{_docdir}/bind10/{AUTHORS,COPYING,ChangeLog,README}
-rm -f $RPM_BUILD_ROOT/%{_docdir}/bind10/bind10*
+rm -f $RPM_BUILD_ROOT%{_docdir}/bind10/{AUTHORS,COPYING,ChangeLog,README}
+rm -f $RPM_BUILD_ROOT%{_docdir}/bind10/bind10*
-mkdir -p $RPM_BUILD_ROOT/%{b10localstatedir}
-chmod g+s $RPM_BUILD_ROOT/%{b10localstatedir}
+mkdir -p $RPM_BUILD_ROOT%{b10localstatedir}
+chmod g+s $RPM_BUILD_ROOT%{b10localstatedir}
mkdir -p ${RPM_BUILD_ROOT}%{_unitdir}
install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_unitdir}/bind10.service
@@ -140,7 +141,7 @@ fi;
%systemd_post bind10.service
# if installing the package
-if [ "$1" = 1 ]; then
+if [ "$1" -eq 1 ]; then
# generate private RSA key and create certificate for b10-cmdctl if there is none
if [ ! -s %{b10sysconfdir}/cmdctl-keyfile.pem ] || [ ! -s %{b10sysconfdir}/cmdctl-certfile.pem ]; then
openssl genpkey -algorithm RSA -out %{b10sysconfdir}/cmdctl-keyfile.pem -pkeyopt rsa_keygen_bits:2048 &> /dev/null
@@ -172,13 +173,27 @@ fi
/sbin/ldconfig
%systemd_postun_with_restart bind10.service
+%triggerun -- bind10 < 1.1.0-11
+# updating
+if [ "$1" -gt 0 ]; then
+ if [ -a %{b10localstatedir}/b10-config.db ]; then
+ chown named %{b10localstatedir}/b10-config.db
+ fi
+fi
+
%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig
%post dns -p /sbin/ldconfig
%postun dns -p /sbin/ldconfig
-%post dhcp -p /sbin/ldconfig
+%post dhcp
+/sbin/ldconfig
+# set necessary capabilities for DHCP4 and DHCP6 server
+# !!! this need to be removed once DHCP server are ported to use b10-sockcreator !!!
+setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE=ep %{b10libexecdir}/b10-dhcp4
+setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE=ep %{b10libexecdir}/b10-dhcp6
+
%postun dhcp -p /sbin/ldconfig
%files
@@ -209,8 +224,9 @@ fi
%attr(0640, root, named) %config(noreplace) %ghost %{b10sysconfdir}/cmdctl-keyfile.pem
%attr(0640, root, named) %config(noreplace) %ghost %{b10sysconfdir}/cmdctl-certfile.pem
%config(noreplace) %ghost %{b10sysconfdir}/cmdctl-accounts.csv
-%config(noreplace) %ghost %{b10localstatedir}/b10-config.db
+%attr(-, named, named) %config(noreplace) %ghost %{b10localstatedir}/b10-config.db
%ghost %{b10localstatedir}/logger_lockfile
+%attr(-, named, named) %ghost %{b10localstatedir}/msgq_socket
%{_sbindir}/bind10
%{_mandir}/man8/bind10*
%{_bindir}/b10-certgen
@@ -390,6 +406,9 @@ fi
%{_libdir}/libb10-dhcpsrv.so.*
%changelog
+* Mon Nov 18 2013 Tomas Hozza <thozza at redhat.com> - 1.1.0-11
+- Run BIND10 as named user (use setcap for dhcp servers for now) (#1017025)
+
* Thu Oct 24 2013 Tomas Hozza <thozza at redhat.com> - 1.1.0-10
- rebuild against new log4cplus
More information about the scm-commits
mailing list