OpenSDE Packages Database (without history before r20070)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

228 lines
6.1 KiB

  1. # --- SDE-COPYRIGHT-NOTE-BEGIN ---
  2. # This copyright note is auto-generated by ./scripts/Create-CopyPatch.
  3. #
  4. # Filename: package/.../dhcp/dhcp-3.0+paranoia.patch
  5. # Copyright (C) 2004 - 2006 The T2 SDE Project
  6. # Copyright (C) 1998 - 2003 Clifford Wolf
  7. #
  8. # More information can be found in the files COPYING and README.
  9. #
  10. # This patch file is dual-licensed. It is available under the license the
  11. # patched project is licensed under, as long as it is an OpenSource license
  12. # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
  13. # of the GNU General Public License as published by the Free Software
  14. # Foundation; either version 2 of the License, or (at your option) any later
  15. # version.
  16. # --- SDE-COPYRIGHT-NOTE-END ---
  17. borrowed from ari edelkind's site
  18. http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch
  19. ---
  20. paranoia (non-root/chroot) patch for ISC dhcp 3.0
  21. file to patch: dhcp-3.0/server/dhcpd.c
  22. update from paranoia patch for ISC dhcp 2.0
  23. Adds 3 options:
  24. -user <user>
  25. -group <group>
  26. -chroot <chroot_dir>
  27. Notes:
  28. -DPARANOIA must be passed as an argument to the --copts option
  29. of configure. Otherwise, the paranoia code will not be compiled
  30. in. Example: ./configure --copts -DPARANOIA
  31. The chroot() call has been delayed in order to allow /dev/log to
  32. be reopened after the configuration file has been read. This is
  33. beneficial for systems on which /dev/log is a unix domain socket.
  34. The main side effect is that dhcpd.conf should be placed in /etc,
  35. instead of <chroot_dir>/etc.
  36. If dhcpd is to be run on a sysV-style architecture (or, more
  37. generally, if /dev/log is a character device), one may opt to
  38. create the <chroot_dir>/dev/log character device and add
  39. -DEARLY_CHROOT to the --copts option of configure (in addition to
  40. -DPARANOIA). This will perform the chroot() call at the earliest
  41. convenience (before reading the configuration file).
  42. If the -user option is used, the lease and pid file directories
  43. should be writable to the server process after it drops
  44. privileges.
  45. ari edelkind (12/10/2001)
  46. last modified 12/10/2001
  47. --- dhcp-3.0/server/dhcpd.c Thu Jun 21 22:12:58 2001
  48. +++ dhcp-3.0+paranoia/server/dhcpd.c Wed Oct 17 08:23:00 2001
  49. @@ -56,6 +56,16 @@
  50. #include "version.h"
  51. #include <omapip/omapip_p.h>
  52. +#if defined (PARANOIA)
  53. +# include <sys/types.h>
  54. +# include <unistd.h>
  55. +# include <pwd.h>
  56. +/* get around the ISC declaration of group */
  57. +# define group real_group
  58. +# include <grp.h>
  59. +# undef group
  60. +#endif /* PARANOIA */
  61. +
  62. static void usage PROTO ((void));
  63. TIME cur_time;
  64. @@ -204,6 +214,22 @@
  65. omapi_object_dereference (&listener, MDL);
  66. }
  67. +#if defined (PARANOIA)
  68. +/* to be used in one of two possible scenarios */
  69. +static void setup_chroot (char *chroot_dir) {
  70. + if (geteuid())
  71. + log_fatal ("you must be root to use chroot");
  72. +
  73. + if (chroot(chroot_dir)) {
  74. + log_fatal ("chroot(\"%s\"): %m", chroot_dir);
  75. + }
  76. + if (chdir ("/")) {
  77. + /* probably permission denied */
  78. + log_fatal ("chdir(\"/\"): %m");
  79. + }
  80. +}
  81. +#endif /* PARANOIA */
  82. +
  83. int main (argc, argv, envp)
  84. int argc;
  85. char **argv, **envp;
  86. @@ -236,6 +262,14 @@
  87. char *traceinfile = (char *)0;
  88. char *traceoutfile = (char *)0;
  89. #endif
  90. +#if defined (PARANOIA)
  91. + char *set_user = 0;
  92. + char *set_group = 0;
  93. + char *set_chroot = 0;
  94. +
  95. + uid_t set_uid = 0;
  96. + gid_t set_gid = 0;
  97. +#endif /* PARANOIA */
  98. /* Make sure we have stdin, stdout and stderr. */
  99. status = open ("/dev/null", O_RDWR);
  100. @@ -298,6 +332,20 @@
  101. if (++i == argc)
  102. usage ();
  103. server = argv [i];
  104. +#if defined (PARANOIA)
  105. + } else if (!strcmp (argv [i], "-user")) {
  106. + if (++i == argc)
  107. + usage ();
  108. + set_user = argv [i];
  109. + } else if (!strcmp (argv [i], "-group")) {
  110. + if (++i == argc)
  111. + usage ();
  112. + set_group = argv [i];
  113. + } else if (!strcmp (argv [i], "-chroot")) {
  114. + if (++i == argc)
  115. + usage ();
  116. + set_chroot = argv [i];
  117. +#endif /* PARANOIA */
  118. } else if (!strcmp (argv [i], "-cf")) {
  119. if (++i == argc)
  120. usage ();
  121. @@ -397,6 +445,44 @@
  122. trace_seed_stop, MDL);
  123. #endif
  124. +#if defined (PARANOIA)
  125. + /* get user and group info if those options were given */
  126. + if (set_user) {
  127. + struct passwd *tmp_pwd;
  128. +
  129. + if (geteuid())
  130. + log_fatal ("you must be root to set user");
  131. +
  132. + if (!(tmp_pwd = getpwnam(set_user)))
  133. + log_fatal ("no such user: %s", set_user);
  134. +
  135. + set_uid = tmp_pwd->pw_uid;
  136. +
  137. + /* use the user's group as the default gid */
  138. + if (!set_group)
  139. + set_gid = tmp_pwd->pw_gid;
  140. + }
  141. +
  142. + if (set_group) {
  143. +/* get around the ISC declaration of group */
  144. +#define group real_group
  145. + struct group *tmp_grp;
  146. +
  147. + if (geteuid())
  148. + log_fatal ("you must be root to set group");
  149. +
  150. + if (!(tmp_grp = getgrnam(set_group)))
  151. + log_fatal ("no such group: %s", set_group);
  152. +
  153. + set_gid = tmp_grp->gr_gid;
  154. +#undef group
  155. + }
  156. +
  157. +# if defined (EARLY_CHROOT)
  158. + if (set_chroot) setup_chroot (set_chroot);
  159. +# endif /* EARLY_CHROOT */
  160. +#endif /* PARANOIA */
  161. +
  162. /* Default to the DHCP/BOOTP port. */
  163. if (!local_port)
  164. {
  165. @@ -500,6 +586,10 @@
  166. postconf_initialization (quiet);
  167. +#if defined (PARANOIA) && !defined (EARLY_CHROOT)
  168. + if (set_chroot) setup_chroot (set_chroot);
  169. +#endif /* PARANOIA && !EARLY_CHROOT */
  170. +
  171. /* test option should cause an early exit */
  172. if (cftest && !lftest)
  173. exit(0);
  174. @@ -543,6 +633,22 @@
  175. exit (0);
  176. }
  177. +#if defined (PARANOIA)
  178. + /* change uid to the specified one */
  179. +
  180. + if (set_gid) {
  181. + if (setgroups (0, (void *)0))
  182. + log_fatal ("setgroups: %m");
  183. + if (setgid (set_gid))
  184. + log_fatal ("setgid(%d): %m", (int) set_gid);
  185. + }
  186. +
  187. + if (set_uid) {
  188. + if (setuid (set_uid))
  189. + log_fatal ("setuid(%d): %m", (int) set_uid);
  190. + }
  191. +#endif /* PARANOIA */
  192. +
  193. /* Read previous pid file. */
  194. if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) {
  195. status = read (i, pbuf, (sizeof pbuf) - 1);
  196. @@ -888,6 +994,10 @@
  197. log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s",
  198. "\n [-cf config-file] [-lf lease-file]",
  199. +#if defined (PARANOIA)
  200. + /* meld into the following string */
  201. + "\n [-user user] [-group group] [-chroot dir]"
  202. +#endif /* PARANOIA */
  203. #if defined (TRACING)
  204. "\n [-tf trace-output-file]",
  205. "\n [-play trace-input-file]",