From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Feb 14 02:00:07 2009 Return-Path: Delivered-To: freebsd-ports-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 175231065675 for ; Sat, 14 Feb 2009 02:00:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 0413A8FC13 for ; Sat, 14 Feb 2009 02:00:07 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id n1E206hu055507 for ; Sat, 14 Feb 2009 02:00:06 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id n1E206H5055506; Sat, 14 Feb 2009 02:00:06 GMT (envelope-from gnats) Date: Sat, 14 Feb 2009 02:00:06 GMT Message-Id: <200902140200.n1E206H5055506@freefall.freebsd.org> To: freebsd-ports-bugs@FreeBSD.org From: Dimitry Andric Cc: Subject: Re: ports/131515: net/isc-dhcp30-server bulding fails on -STABLE X-BeenThere: freebsd-ports-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Dimitry Andric List-Id: Ports bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Feb 2009 02:00:07 -0000 The following reply was made to PR ports/131515; it has been noted by GNATS. From: Dimitry Andric To: bug-followup@FreeBSD.org, rallenh@hotmail.com Cc: Subject: Re: ports/131515: net/isc-dhcp30-server bulding fails on -STABLE Date: Sat, 14 Feb 2009 02:52:08 +0100 This is a multi-part message in MIME format. --------------020100060605070302010206 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Here is a crude fix (compiles, NOT runtime tested) that enables the port to build, and use the newer jail API. It adapts the setup_jail() function to cope with the new struct jail format. An improvement would be to use the example code in usr.sbin/jail/jail.c to enable parsing multiple IPv4 and IPv6 addresses, but that is probably overkill in this case. Would anybody need that functionality? Replace net/isc-dhcp30-server/files/patch-server::dhcpd.c with the attached file, and the port should now be able to build with jail enabled. --------------020100060605070302010206 Content-Type: text/plain; name="patch-server__dhcpd.c" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="patch-server__dhcpd.c" --- server/dhcpd.c.orig 2008-05-14 22:54:24.000000000 +0200 +++ server/dhcpd.c 2009-02-14 02:46:37.000000000 +0100 @@ -47,6 +47,22 @@ #include "version.h" #include +#if defined (PARANOIA) +#include +#include +#include +/* get around the ISC declaration of group */ +#define group real_group +#include +#undef group +#endif /* PARANOIA */ +#if defined (JAIL) +#include +#include +#include +#include +#endif /* JAIL */ + static void usage PROTO ((void)); struct iaddr server_identifier; @@ -193,6 +209,39 @@ omapi_object_dereference (&listener, MDL); } +#if defined (PARANOIA) +/* to be used in one of two possible scenarios */ +static void setup_chroot (char *chroot_dir) +{ + if (geteuid ()) + log_fatal ("you must be root to use chroot"); + if (chroot (chroot_dir)) + log_fatal ("chroot(\"%s\"): %m", chroot_dir); + if (chdir ("/")) + /* probably permission denied */ + log_fatal ("chdir(\"/\"): %m"); +} +#endif /* PARANOIA */ + +#if defined (JAIL) +static void setup_jail (char *chroot_dir, char *hostname, u_int32_t ip_number) +{ + struct jail j; + struct in_addr ip4[1]; + + memset (&j, 0, sizeof j); + j.version = JAIL_API_VERSION; + j.path = chroot_dir; + j.hostname = hostname; + j.ip4s = 1; + ip4[0].s_addr = ip_number; + j.ip4 = ip4; + + if (jail (&j) < 0) + log_fatal ("jail(%s, %s): %m", chroot_dir, hostname); +} +#endif /* JAIL */ + int main (argc, argv, envp) int argc; char **argv, **envp; @@ -224,6 +273,25 @@ char *traceinfile = (char *)0; char *traceoutfile = (char *)0; #endif +#if defined (PARANOIA) + char *set_user = 0; + char *set_group = 0; + uid_t set_uid = 0; + gid_t set_gid = 0; + int early_chroot = 0; + int no_dhcpd_user = 0; + int no_dhcpd_group = 0; +#endif /* PARANOIA */ +#if defined (PARANOIA) || defined (JAIL) + char *set_chroot = 0; + int no_dhcpd_chroot = 0; +#endif /* PARANOIA || JAIL */ +#if defined (JAIL) + char *set_jail = 0; + u_int32_t jail_ip_address = 0; /* Good as long as it's IPv4 ... */ + int no_dhcpd_jail = 0; + char *s2; +#endif /* JAIL */ /* Make sure we have stdin, stdout and stderr. */ status = open ("/dev/null", O_RDWR); @@ -286,6 +354,39 @@ if (++i == argc) usage (); server = argv [i]; +#if defined (PARANOIA) + } else if (!strcmp (argv [i], "-user")) { + if (++i == argc) + usage (); + set_user = argv [i]; + no_dhcpd_user = 1; + } else if (!strcmp (argv [i], "-group")) { + if (++i == argc) + usage (); + set_group = argv [i]; + no_dhcpd_group = 1; + } else if (!strcmp (argv [i], "-early_chroot")) { + early_chroot = 1; +#endif /* PARANOIA */ +#if defined (PARANOIA) || defined (JAIL) + } else if (!strcmp (argv [i], "-chroot")) { + if (++i == argc) + usage (); + set_chroot = argv [i]; + no_dhcpd_chroot = 1; +#endif /* PARANOIA || JAIL */ +#if defined (JAIL) + } else if (!strcmp (argv [i], "-jail")) { + if (++i == argc) + usage (); + set_jail = argv [i]; + if (++i == argc) + usage (); + if (inet_pton (AF_INET, argv[i], &jail_ip_address) < 0) + log_fatal ("invalid ip address: %s", argv[i]); + jail_ip_address = ntohl (jail_ip_address); + no_dhcpd_jail = 1; +#endif /* JAIL */ } else if (!strcmp (argv [i], "-cf")) { if (++i == argc) usage (); @@ -363,6 +464,28 @@ if (!no_dhcpd_pid && (s = getenv ("PATH_DHCPD_PID"))) { path_dhcpd_pid = s; } +#if defined (PARANOIA) + if (!no_dhcpd_user && (s = getenv ("DHCPD_USER"))) { + set_user = s; + } + if (!no_dhcpd_group && (s = getenv ("DHCPD_GROUP"))) { + set_group = s; + } +#endif /* PARANOIA */ +#if defined (PARANOIA) || defined (JAIL) + if (!no_dhcpd_chroot && (s = getenv ("PATH_DHCPD_CHROOT"))) { + set_chroot = s; + } +#endif /* PARANOIA || JAIL */ +#if defined (JAIL) + if (!no_dhcpd_jail && (s = getenv ("DHCPD_JAIL_HOSTNAME")) && + (s2 = getenv ("DHCPD_JAIL_IPADDRESS"))) { + set_jail = s; + if (inet_pton (AF_INET, s2, &jail_ip_address) < 0) + log_fatal ("invalid ip address: %s", s2); + jail_ip_address = ntohl (jail_ip_address); + } +#endif /* JAIL */ if (!quiet) { log_info ("%s %s", message, DHCP_VERSION); @@ -389,6 +512,57 @@ trace_seed_stop, MDL); #endif +#if defined (PARANOIA) + /* get user and group info if those options were given */ + if (set_user) { + struct passwd *tmp_pwd; + + if (geteuid ()) + log_fatal ("you must be root to set user"); + + if (!(tmp_pwd = getpwnam (set_user))) + log_fatal ("no such user: %s", set_user); + + set_uid = tmp_pwd->pw_uid; + + /* use the user's group as the default gid */ + if (!set_group) + set_gid = tmp_pwd->pw_gid; + } + + if (set_group) { +/* get around the ISC declaration of group */ +#define group real_group + struct group *tmp_grp; + + if (geteuid ()) + log_fatal ("you must be root to set group"); + + if (!(tmp_grp = getgrnam (set_group))) + log_fatal ("no such group: %s", set_group); + + set_gid = tmp_grp->gr_gid; +#undef group + } +#endif /* PARANOIA */ +#if defined (JAIL) + if (set_jail) { + /* Initialize icmp support... */ + if (!cftest && !lftest) + icmp_startup (1, lease_pinged); + if(!set_chroot) + set_chroot = "/"; + setup_jail (set_chroot, set_jail, jail_ip_address); + } +#endif /* JAIL */ +#if defined (PARANOIA) && defined (JAIL) + else +#endif /* PARANOIA && JAIL */ +#if defined (PARANOIA) + if (early_chroot && set_chroot) + setup_chroot (set_chroot); +#endif /* PARANOIA */ + /* Default to the DHCP/BOOTP port. */ if (!local_port) { @@ -463,6 +637,9 @@ #endif /* Initialize icmp support... */ +#if defined (JAIL) + if (!set_jail) +#endif /* JAIL */ if (!cftest && !lftest) icmp_startup (1, lease_pinged); @@ -492,6 +669,14 @@ postconf_initialization (quiet); +#if defined (PARANOIA) +#if defined (JAIL) + if (!set_jail) +#endif /* JAIL */ + if (!early_chroot && set_chroot) + setup_chroot (set_chroot); +#endif /* PARANOIA */ + /* test option should cause an early exit */ if (cftest && !lftest) exit(0); @@ -534,7 +719,22 @@ else if (pid) exit (0); } + +#if defined (PARANOIA) + /* change uid to the specified one */ + if (set_gid) { + if (setgroups (0, (void *)0)) + log_fatal ("setgroups: %m"); + if (setgid (set_gid)) + log_fatal ("setgid(%d): %m", (int) set_gid); + } + if (set_uid) { + if (setuid (set_uid)) + log_fatal ("setuid(%d): %m", (int) set_uid); + } +#endif /* PARANOIA */ + /* Read previous pid file. */ if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) { status = read(i, pbuf, (sizeof pbuf) - 1); @@ -865,8 +1065,24 @@ log_info (copyright); log_info (arr); - log_fatal ("Usage: dhcpd [-p ] [-d] [-f]%s%s%s%s", + log_fatal ("Usage: dhcpd [-p ] [-d] [-f]%s%s%s%s%s%s%s", "\n [-cf config-file] [-lf lease-file]", + +#if defined (PARANOIA) + /* meld into the following string */ + "\n [-user user] [-group group]", + "\n [-chroot dir] [-early_chroot]", +#else /* PARANOIA */ + "", "", +#endif /* PARANOIA */ + +#if defined (JAIL) + /* then also these ones */ + "\n [-jail name ip]", +#else /* JAIL */ + "", +#endif /* JAIL */ + #if defined (TRACING) "\n [-tf trace-output-file]", "\n [-play trace-input-file]", --------------020100060605070302010206--