[bind10] Run BIND10 as named user (use setcap for dhcp servers for now)

Tomas Hozza thozza at fedoraproject.org
Mon Nov 18 12:08:49 UTC 2013


commit 4eed5bb3168e6066c66674dbd35a223829bae13d
Author: Tomas Hozza <thozza at redhat.com>
Date:   Fri Nov 15 10:04:56 2013 +0100

    Run BIND10 as named user (use setcap for dhcp servers for now)
    
    Resolves: #1017025
    Signed-off-by: Tomas Hozza <thozza at redhat.com>

 bind10.service |    4 +---
 bind10.spec    |   55 +++++++++++++++++++++++++++++++++++++------------------
 2 files changed, 38 insertions(+), 21 deletions(-)
---
diff --git a/bind10.service b/bind10.service
index 8ff5310..830f01d 100644
--- a/bind10.service
+++ b/bind10.service
@@ -8,9 +8,7 @@ After=network.target
 Type=simple
 PIDFile=/run/bind10/bind10.pid
 
-# Don't run BIND10 as user 'named' because of DHCP server
-#ExecStart=/usr/sbin/bind10 -u named --pid-file /run/bind10/bind10.pid
-ExecStart=/usr/sbin/bind10 --pid-file /run/bind10/bind10.pid
+ExecStart=/usr/sbin/bind10 -u named --pid-file /run/bind10/bind10.pid
 
 [Install]
 WantedBy=multi-user.target
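Review bot: The new `ExecStart` line drops the comment that explained the DHCP constraint and puts nothing in its place, so the unit no longer says that `-u named` only works because the DHCP servers get file capabilities in the dhcp subpackage scriptlet. A short comment above it would keep that dependency visible, for example `# runs as 'named'; b10-dhcp4/b10-dhcp6 rely on file capabilities set by the bind10-dhcp package`. Separately, nothing in this commit creates or re-owns `/run/bind10`; if bind10 writes the pid file after switching user (not visible here), that directory has to be writable by named.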
diff --git a/bind10.spec b/bind10.spec
index e042452..5413154 100644
--- a/bind10.spec
+++ b/bind10.spec
@@ -9,7 +9,7 @@
 
 Name: bind10
 Version: 1.1.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: The Berkeley Internet Name Domain 10 (BIND10) DNS and DHCP suite
 
 License: ISC
@@ -98,27 +98,28 @@ done
 
 # don't distribute b10-resolver as it is not ready for use
 # https://bind10.isc.org/ticket/3058#comment:7
-rm -f $RPM_BUILD_ROOT/%{b10libexecdir}/b10-resolver
-rm -f $RPM_BUILD_ROOT/%{_mandir}/man8/b10-resolver*
-rm -f $RPM_BUILD_ROOT/%{b10datadir}/resolver.spec
+rm -f $RPM_BUILD_ROOT%{b10libexecdir}/b10-resolver
+rm -f $RPM_BUILD_ROOT%{_mandir}/man8/b10-resolver*
+rm -f $RPM_BUILD_ROOT%{b10datadir}/resolver.spec
 
 # don't distrubute upstream private key and certificate for b10-cmdctl
-rm -f $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-keyfile.pem
-rm -f $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-certfile.pem
-touch $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-keyfile.pem
-touch $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-certfile.pem
+rm -f $RPM_BUILD_ROOT%{b10sysconfdir}/cmdctl-keyfile.pem
+rm -f $RPM_BUILD_ROOT%{b10sysconfdir}/cmdctl-certfile.pem
+touch $RPM_BUILD_ROOT%{b10sysconfdir}/cmdctl-keyfile.pem
+touch $RPM_BUILD_ROOT%{b10sysconfdir}/cmdctl-certfile.pem
 
 # claim ownership of files created when configuring or running bind10
-touch $RPM_BUILD_ROOT/%{b10sysconfdir}/cmdctl-accounts.csv
-touch $RPM_BUILD_ROOT/%{b10localstatedir}/b10-config.db
-touch $RPM_BUILD_ROOT/%{b10localstatedir}/logger_lockfile
+touch $RPM_BUILD_ROOT%{b10sysconfdir}/cmdctl-accounts.csv
+touch $RPM_BUILD_ROOT%{b10localstatedir}/b10-config.db
+touch $RPM_BUILD_ROOT%{b10localstatedir}/logger_lockfile
+touch $RPM_BUILD_ROOT%{b10localstatedir}/msgq_socket
 
 # Package those files via %%doc
-rm -f $RPM_BUILD_ROOT/%{_docdir}/bind10/{AUTHORS,COPYING,ChangeLog,README}
-rm -f $RPM_BUILD_ROOT/%{_docdir}/bind10/bind10*
+rm -f $RPM_BUILD_ROOT%{_docdir}/bind10/{AUTHORS,COPYING,ChangeLog,README}
+rm -f $RPM_BUILD_ROOT%{_docdir}/bind10/bind10*
 
-mkdir -p $RPM_BUILD_ROOT/%{b10localstatedir}
-chmod g+s $RPM_BUILD_ROOT/%{b10localstatedir}
+mkdir -p $RPM_BUILD_ROOT%{b10localstatedir}
+chmod g+s $RPM_BUILD_ROOT%{b10localstatedir}
 
 mkdir -p ${RPM_BUILD_ROOT}%{_unitdir}
 install -m 644 %{SOURCE1} ${RPM_BUILD_ROOT}%{_unitdir}/bind10.service
@@ -140,7 +141,7 @@ fi;
 %systemd_post bind10.service
 
 # if installing the package
-if [ "$1" = 1 ]; then
+if [ "$1" -eq 1 ]; then
     # generate private RSA key and create certificate for b10-cmdctl if there is none
     if [ ! -s %{b10sysconfdir}/cmdctl-keyfile.pem ] || [ ! -s %{b10sysconfdir}/cmdctl-certfile.pem ]; then
         openssl genpkey -algorithm RSA -out %{b10sysconfdir}/cmdctl-keyfile.pem -pkeyopt rsa_keygen_bits:2048 &> /dev/null
@@ -172,13 +173,27 @@ fi
 /sbin/ldconfig
 %systemd_postun_with_restart bind10.service
 
+%triggerun -- bind10 < 1.1.0-11
+# updating
+if [ "$1" -gt 0 ]; then
+    if [ -a %{b10localstatedir}/b10-config.db ]; then
+        chown named %{b10localstatedir}/b10-config.db
+    fi
+fi
+
 %post libs -p /sbin/ldconfig
 %postun libs -p /sbin/ldconfig
  
 %post dns -p /sbin/ldconfig
 %postun dns -p /sbin/ldconfig
 
-%post dhcp -p /sbin/ldconfig
+%post dhcp
+/sbin/ldconfig
+# set necessary capabilities for DHCP4 and DHCP6 server
+# !!! this need to be removed once DHCP server are ported to use b10-sockcreator !!!
+setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE=ep %{b10libexecdir}/b10-dhcp4
+setcap CAP_NET_RAW,CAP_NET_BIND_SERVICE=ep %{b10libexecdir}/b10-dhcp6
+
 %postun dhcp -p /sbin/ldconfig
 
 %files
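Review bot: File capabilities set with `=ep` on `b10-dhcp4` and `b10-dhcp6` apply to whoever executes the binaries, not only to the bind10 supervisor, so any local account with execute permission on them gets CAP_NET_RAW and CAP_NET_BIND_SERVICE. Restricting the two files to root and group named (for example `%attr(0750, root, named)` in the dhcp %files list, which is outside this hunk) would limit that, and declaring the capabilities there with `%caps(cap_net_raw,cap_net_bind_service=ep)` instead of calling `setcap` in %post lets rpm record and verify them. If the scriptlet stays, the subpackage needs the tool that provides `setcap` at %post time (something like `Requires(post): libcap`; confirm the package name), and a failed call is currently silent. In the `%triggerun` above, `[ -a ... ]` is better written `[ -e ... ]`, and the chown sets only the user while %files declares named:named, so `chown named:named` would match.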
@@ -209,8 +224,9 @@ fi
 %attr(0640, root, named) %config(noreplace) %ghost %{b10sysconfdir}/cmdctl-keyfile.pem
 %attr(0640, root, named) %config(noreplace) %ghost %{b10sysconfdir}/cmdctl-certfile.pem
 %config(noreplace) %ghost %{b10sysconfdir}/cmdctl-accounts.csv
-%config(noreplace) %ghost %{b10localstatedir}/b10-config.db
+%attr(-, named, named) %config(noreplace) %ghost %{b10localstatedir}/b10-config.db
 %ghost %{b10localstatedir}/logger_lockfile
+%attr(-, named, named) %ghost %{b10localstatedir}/msgq_socket
 %{_sbindir}/bind10
 %{_mandir}/man8/bind10*
 %{_bindir}/b10-certgen
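Review bot: `logger_lockfile` and `cmdctl-accounts.csv` keep their default ownership here while `b10-config.db` and `msgq_socket` move to named:named, and the upgrade trigger chowns only `b10-config.db`. On a system where the earlier root-run daemon created those files, the processes now running as named may be unable to open them, unless group access through the setgid state directory already covers it (not visible in this diff). As far as I know rpm does not install or re-own %ghost entries, so the trigger is where existing files would have to be fixed, e.g. a matching `chown named:named %{b10localstatedir}/logger_lockfile`. For `cmdctl-accounts.csv`, which presumably holds the cmdctl account records, group-read for named without world-read would be the safer target, in line with the `%attr(0640, root, named)` already used on the key file.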
@@ -390,6 +406,9 @@ fi
 %{_libdir}/libb10-dhcpsrv.so.*
 
 %changelog
+* Mon Nov 18 2013 Tomas Hozza <thozza at redhat.com> - 1.1.0-11
+- Run BIND10 as named user (use setcap for dhcp servers for now) (#1017025)
+
 * Thu Oct 24 2013 Tomas Hozza <thozza at redhat.com> - 1.1.0-10
 - rebuild against new log4cplus
 

