You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
228 lines
6.1 KiB
228 lines
6.1 KiB
# --- SDE-COPYRIGHT-NOTE-BEGIN --- |
|
# This copyright note is auto-generated by ./scripts/Create-CopyPatch. |
|
# |
|
# Filename: package/.../dhcp/dhcp-3.0+paranoia.patch |
|
# Copyright (C) 2004 - 2006 The T2 SDE Project |
|
# Copyright (C) 1998 - 2003 Clifford Wolf |
|
# |
|
# More information can be found in the files COPYING and README. |
|
# |
|
# This patch file is dual-licensed. It is available under the license the |
|
# patched project is licensed under, as long as it is an OpenSource license |
|
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms |
|
# of the GNU General Public License as published by the Free Software |
|
# Foundation; either version 2 of the License, or (at your option) any later |
|
# version. |
|
# --- SDE-COPYRIGHT-NOTE-END --- |
|
|
|
borrowed from ari edelkind's site |
|
http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch |
|
|
|
--- |
|
|
|
paranoia (non-root/chroot) patch for ISC dhcp 3.0 |
|
file to patch: dhcp-3.0/server/dhcpd.c |
|
|
|
update from paranoia patch for ISC dhcp 2.0 |
|
|
|
Adds 3 options: |
|
|
|
-user <user> |
|
-group <group> |
|
-chroot <chroot_dir> |
|
|
|
Notes: |
|
-DPARANOIA must be passed as an argument to the --copts option |
|
of configure. Otherwise, the paranoia code will not be compiled |
|
in. Example: ./configure --copts -DPARANOIA |
|
|
|
The chroot() call has been delayed in order to allow /dev/log to |
|
be reopened after the configuration file has been read. This is |
|
beneficial for systems on which /dev/log is a unix domain socket. |
|
The main side effect is that dhcpd.conf should be placed in /etc, |
|
instead of <chroot_dir>/etc. |
|
|
|
If dhcpd is to be run on a sysV-style architecture (or, more |
|
generally, if /dev/log is a character device), one may opt to |
|
create the <chroot_dir>/dev/log character device and add |
|
-DEARLY_CHROOT to the --copts option of configure (in addition to |
|
-DPARANOIA). This will perform the chroot() call at the earliest |
|
convenience (before reading the configuration file). |
|
|
|
If the -user option is used, the lease and pid file directories |
|
should be writable to the server process after it drops |
|
privileges. |
|
|
|
|
|
ari edelkind (12/10/2001) |
|
last modified 12/10/2001 |
|
|
|
|
|
--- dhcp-3.0/server/dhcpd.c Thu Jun 21 22:12:58 2001 |
|
+++ dhcp-3.0+paranoia/server/dhcpd.c Wed Oct 17 08:23:00 2001 |
|
@@ -56,6 +56,16 @@ |
|
#include "version.h" |
|
#include <omapip/omapip_p.h> |
|
|
|
+#if defined (PARANOIA) |
|
+# include <sys/types.h> |
|
+# include <unistd.h> |
|
+# include <pwd.h> |
|
+/* get around the ISC declaration of group */ |
|
+# define group real_group |
|
+# include <grp.h> |
|
+# undef group |
|
+#endif /* PARANOIA */ |
|
+ |
|
static void usage PROTO ((void)); |
|
|
|
TIME cur_time; |
|
@@ -204,6 +214,22 @@ |
|
omapi_object_dereference (&listener, MDL); |
|
} |
|
|
|
+#if defined (PARANOIA) |
|
+/* to be used in one of two possible scenarios */ |
|
+static void setup_chroot (char *chroot_dir) { |
|
+ if (geteuid()) |
|
+ log_fatal ("you must be root to use chroot"); |
|
+ |
|
+ if (chroot(chroot_dir)) { |
|
+ log_fatal ("chroot(\"%s\"): %m", chroot_dir); |
|
+ } |
|
+ if (chdir ("/")) { |
|
+ /* probably permission denied */ |
|
+ log_fatal ("chdir(\"/\"): %m"); |
|
+ } |
|
+} |
|
+#endif /* PARANOIA */ |
|
+ |
|
int main (argc, argv, envp) |
|
int argc; |
|
char **argv, **envp; |
|
@@ -236,6 +262,14 @@ |
|
char *traceinfile = (char *)0; |
|
char *traceoutfile = (char *)0; |
|
#endif |
|
+#if defined (PARANOIA) |
|
+ char *set_user = 0; |
|
+ char *set_group = 0; |
|
+ char *set_chroot = 0; |
|
+ |
|
+ uid_t set_uid = 0; |
|
+ gid_t set_gid = 0; |
|
+#endif /* PARANOIA */ |
|
|
|
/* Make sure we have stdin, stdout and stderr. */ |
|
status = open ("/dev/null", O_RDWR); |
|
@@ -298,6 +332,20 @@ |
|
if (++i == argc) |
|
usage (); |
|
server = argv [i]; |
|
+#if defined (PARANOIA) |
|
+ } else if (!strcmp (argv [i], "-user")) { |
|
+ if (++i == argc) |
|
+ usage (); |
|
+ set_user = argv [i]; |
|
+ } else if (!strcmp (argv [i], "-group")) { |
|
+ if (++i == argc) |
|
+ usage (); |
|
+ set_group = argv [i]; |
|
+ } else if (!strcmp (argv [i], "-chroot")) { |
|
+ if (++i == argc) |
|
+ usage (); |
|
+ set_chroot = argv [i]; |
|
+#endif /* PARANOIA */ |
|
} else if (!strcmp (argv [i], "-cf")) { |
|
if (++i == argc) |
|
usage (); |
|
@@ -397,6 +445,44 @@ |
|
trace_seed_stop, MDL); |
|
#endif |
|
|
|
+#if defined (PARANOIA) |
|
+ /* get user and group info if those options were given */ |
|
+ if (set_user) { |
|
+ struct passwd *tmp_pwd; |
|
+ |
|
+ if (geteuid()) |
|
+ log_fatal ("you must be root to set user"); |
|
+ |
|
+ if (!(tmp_pwd = getpwnam(set_user))) |
|
+ log_fatal ("no such user: %s", set_user); |
|
+ |
|
+ set_uid = tmp_pwd->pw_uid; |
|
+ |
|
+ /* use the user's group as the default gid */ |
|
+ if (!set_group) |
|
+ set_gid = tmp_pwd->pw_gid; |
|
+ } |
|
+ |
|
+ if (set_group) { |
|
+/* get around the ISC declaration of group */ |
|
+#define group real_group |
|
+ struct group *tmp_grp; |
|
+ |
|
+ if (geteuid()) |
|
+ log_fatal ("you must be root to set group"); |
|
+ |
|
+ if (!(tmp_grp = getgrnam(set_group))) |
|
+ log_fatal ("no such group: %s", set_group); |
|
+ |
|
+ set_gid = tmp_grp->gr_gid; |
|
+#undef group |
|
+ } |
|
+ |
|
+# if defined (EARLY_CHROOT) |
|
+ if (set_chroot) setup_chroot (set_chroot); |
|
+# endif /* EARLY_CHROOT */ |
|
+#endif /* PARANOIA */ |
|
+ |
|
/* Default to the DHCP/BOOTP port. */ |
|
if (!local_port) |
|
{ |
|
@@ -500,6 +586,10 @@ |
|
|
|
postconf_initialization (quiet); |
|
|
|
+#if defined (PARANOIA) && !defined (EARLY_CHROOT) |
|
+ if (set_chroot) setup_chroot (set_chroot); |
|
+#endif /* PARANOIA && !EARLY_CHROOT */ |
|
+ |
|
/* test option should cause an early exit */ |
|
if (cftest && !lftest) |
|
exit(0); |
|
@@ -543,6 +633,22 @@ |
|
exit (0); |
|
} |
|
|
|
+#if defined (PARANOIA) |
|
+ /* change uid to the specified one */ |
|
+ |
|
+ if (set_gid) { |
|
+ if (setgroups (0, (void *)0)) |
|
+ log_fatal ("setgroups: %m"); |
|
+ if (setgid (set_gid)) |
|
+ log_fatal ("setgid(%d): %m", (int) set_gid); |
|
+ } |
|
+ |
|
+ if (set_uid) { |
|
+ if (setuid (set_uid)) |
|
+ log_fatal ("setuid(%d): %m", (int) set_uid); |
|
+ } |
|
+#endif /* PARANOIA */ |
|
+ |
|
/* Read previous pid file. */ |
|
if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) { |
|
status = read (i, pbuf, (sizeof pbuf) - 1); |
|
@@ -888,6 +994,10 @@ |
|
|
|
log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s", |
|
"\n [-cf config-file] [-lf lease-file]", |
|
+#if defined (PARANOIA) |
|
+ /* meld into the following string */ |
|
+ "\n [-user user] [-group group] [-chroot dir]" |
|
+#endif /* PARANOIA */ |
|
#if defined (TRACING) |
|
"\n [-tf trace-output-file]", |
|
"\n [-play trace-input-file]",
|
|
|