cvs commit: patches/dhcp dhcp-3.0pl2-chroot-1.patch

jim at linuxfromscratch.org jim at linuxfromscratch.org
Sun Oct 5 14:45:46 PDT 2003


jim         03/10/05 15:45:46

  Added:       dhcp     dhcp-3.0pl2-chroot-1.patch
  Log:
  Added: dhcp-3.0pl2-chroot-1.patch
  
  Revision  Changes    Path
  1.1                  patches/dhcp/dhcp-3.0pl2-chroot-1.patch
  
  Index: dhcp-3.0pl2-chroot-1.patch
  ===================================================================
  Submitted By: Jim Gifford (patches at jg555 dot com)
  Date: 2003-09-14
  Initial Package Version: 3.0pl2
  Origin: http://www.episec.com/people/edelkind/patches
  Description: Adds CHROOT capability to dhcp
  
  Adds 3 options:
  
  	-user <user>
  	-group <group>
  	-chroot <chroot_dir>
  
  Notes:
  	-DPARANOIA must be passed as an argument to the --copts option
  	of configure.  Otherwise, the paranoia code will not be compiled
  	in.  Example:  ./configure --copts -DPARANOIA
  
  	The chroot() call has been delayed in order to allow /dev/log to
  	be reopened after the configuration file has been read.  This is
  	beneficial for systems on which /dev/log is a unix domain socket.
  	The main side effect is that dhcpd.conf should be placed in /etc,
  	instead of <chroot_dir>/etc.
  
  	If dhcpd is to be run on a sysV-style architecture (or, more
  	generally, if /dev/log is a character device), one may opt to
  	create the <chroot_dir>/dev/log character device and add
  	-DEARLY_CHROOT to the --copts option of configure (in addition to
  	-DPARANOIA).  This will perform the chroot() call at the earliest
  	convenience (before reading the configuration file).
  
  	If the -user option is used, the lease and pid file directories
  	should be writable to the server process after it drops
  	privileges.
  
  BLFS Instructions:
  	 
  	groupadd -g 201 dhcp
  	useradd -m -g dhcp -u 201 -s /bin/false dhcp
  	cd /home/dhcp
  	mkdir -p etc var/run var/state
  	
  	patch -Np1 -i /tmp/dhcpd-3.0p12-chroot-1.patch
  	./configure --copts "-DPARANOIA -DEARLY_CHROOT"
  	make
  	make install
  
  	Create dhcp as listed. Change the Start line to the
  	following:
  
          echo "Starting DHCP Server..."
          loadproc dhcpd -user dhcp -chroot /home/dhcp -cf /etc/dhcpd.conf -q eth1 \
                   -lf /var/state/dhcpd.leases
   
  	Create dhcpd.conf in /home/dhcp/etc
  
  	Create dhcpd.leases in /home/var/state/dhcpd.leases
  
  	Last step: chown dhcp.dhcp /home/dhcp -R
  	
  diff -Naur dhcp-3.0pl2.orig/server/dhcpd.c dhcp-3.0pl2/server/dhcpd.c
  --- dhcp-3.0pl2.orig/server/dhcpd.c	2003-01-14 23:02:33.000000000 +0000
  +++ dhcp-3.0pl2/server/dhcpd.c	2003-09-15 06:52:08.000000000 +0000
  @@ -56,6 +56,16 @@
   #include "version.h"
   #include <omapip/omapip_p.h>
   
  +#if defined (PARANOIA)
  +#  include <sys/types.h>
  +#  include <unistd.h>
  +#  include <pwd.h>
  +/* get around the ISC declaration of group */
  +#  define group real_group 
  +#    include <grp.h>
  +#  undef group
  +#endif /* PARANOIA */
  +
   static void usage PROTO ((void));
   
   TIME cur_time;
  @@ -204,6 +214,22 @@
   	omapi_object_dereference (&listener, MDL);
   }
   
  +#if defined (PARANOIA)
  +/* to be used in one of two possible scenarios */
  +static void setup_chroot (char *chroot_dir) {
  +	if (geteuid())
  +		log_fatal ("you must be root to use chroot");
  +
  +	if (chroot(chroot_dir)) {
  +		log_fatal ("chroot(\"%s\"): %m", chroot_dir);
  +	}
  +	if (chdir ("/")) {
  +		/* probably permission denied */
  +		log_fatal ("chdir(\"/\"): %m");
  +	}
  +}
  +#endif /* PARANOIA */
  +
   int main (argc, argv, envp)
   	int argc;
   	char **argv, **envp;
  @@ -236,6 +262,14 @@
   	char *traceinfile = (char *)0;
   	char *traceoutfile = (char *)0;
   #endif
  +#if defined (PARANOIA)
  +	char *set_user   = 0;
  +	char *set_group  = 0;
  +	char *set_chroot = 0;
  +
  +	uid_t set_uid = 0;
  +	gid_t set_gid = 0;
  +#endif /* PARANOIA */
   
   	/* Make sure we have stdin, stdout and stderr. */
   	status = open ("/dev/null", O_RDWR);
  @@ -298,6 +332,20 @@
   			if (++i == argc)
   				usage ();
   			server = argv [i];
  +#if defined (PARANOIA)
  +		} else if (!strcmp (argv [i], "-user")) {
  +			if (++i == argc)
  +				usage ();
  +			set_user = argv [i];
  +		} else if (!strcmp (argv [i], "-group")) {
  +			if (++i == argc)
  +				usage ();
  +			set_group = argv [i];
  +		} else if (!strcmp (argv [i], "-chroot")) {
  +			if (++i == argc)
  +				usage ();
  +			set_chroot = argv [i];
  +#endif /* PARANOIA */
   		} else if (!strcmp (argv [i], "-cf")) {
   			if (++i == argc)
   				usage ();
  @@ -397,6 +445,44 @@
   					     trace_seed_stop, MDL);
   #endif
   
  +#if defined (PARANOIA)
  +	/* get user and group info if those options were given */
  +	if (set_user) {
  +		struct passwd *tmp_pwd;
  +
  +		if (geteuid())
  +			log_fatal ("you must be root to set user");
  +
  +		if (!(tmp_pwd = getpwnam(set_user)))
  +			log_fatal ("no such user: %s", set_user);
  +
  +		set_uid = tmp_pwd->pw_uid;
  +
  +		/* use the user's group as the default gid */
  +		if (!set_group)
  +			set_gid = tmp_pwd->pw_gid;
  +	}
  +
  +	if (set_group) {
  +/* get around the ISC declaration of group */
  +#define group real_group
  +		struct group *tmp_grp;
  +
  +		if (geteuid())
  +			log_fatal ("you must be root to set group");
  +
  +		if (!(tmp_grp = getgrnam(set_group)))
  +			log_fatal ("no such group: %s", set_group);
  +
  +		set_gid = tmp_grp->gr_gid;
  +#undef group
  +	}
  +
  +#  if defined (EARLY_CHROOT)
  +	if (set_chroot) setup_chroot (set_chroot);
  +#  endif /* EARLY_CHROOT */
  +#endif /* PARANOIA */
  +
   	/* Default to the DHCP/BOOTP port. */
   	if (!local_port)
   	{
  @@ -500,6 +586,10 @@
   
   	postconf_initialization (quiet);
   
  +#if defined (PARANOIA) && !defined (EARLY_CHROOT)
  +	if (set_chroot) setup_chroot (set_chroot);
  +#endif /* PARANOIA && !EARLY_CHROOT */
  +
           /* test option should cause an early exit */
    	if (cftest && !lftest) 
    		exit(0);
  @@ -543,6 +633,22 @@
   			exit (0);
   	}
   
  +#if defined (PARANOIA)
  +	/* change uid to the specified one */
  +
  +	if (set_gid) {
  +		if (setgroups (0, (void *)0))
  +			log_fatal ("setgroups: %m");
  +		if (setgid (set_gid))
  +			log_fatal ("setgid(%d): %m", (int) set_gid);
  +	}	
  +
  +	if (set_uid) {
  +		if (setuid (set_uid))
  +			log_fatal ("setuid(%d): %m", (int) set_uid);
  +	}
  +#endif /* PARANOIA */
  +
   	/* Read previous pid file. */
   	if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) {
   		status = read (i, pbuf, (sizeof pbuf) - 1);
  @@ -888,6 +994,10 @@
   
   	log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s",
   		   "\n             [-cf config-file] [-lf lease-file]",
  +#if defined (PARANOIA)
  +		   /* meld into the following string */
  +		   "\n             [-user user] [-group group] [-chroot dir]"
  +#endif /* PARANOIA */
   #if defined (TRACING)
   		   "\n		   [-tf trace-output-file]",
   		   "\n		   [-play trace-input-file]",
  
  
  



More information about the patches mailing list