Date:      Mon, 31 May 2004 04:17:59 +0200
From:      Cyrille Lefevre <cyrille.lefevre@laposte.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        Andrea Cocito <andrea.cocito@ieo-research.it>
Subject:   ports/67407: Maintainer update: net/isc-dhcp3-server (paranoia and jail patch)
Message-ID:  <20040531021759.GA49177@gits.dyndns.org>
Resent-Message-ID: <200405310320.i4V3KXI7018663@freefall.freebsd.org>


>Number:         67407
>Category:       ports
>Synopsis:       Maintainer update: net/isc-dhcp3-server (paranoia and jail patch)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 30 20:20:32 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Cyrille Lefevre
>Release:        FreeBSD 5.2-CURRENT i386
>Organization:
ACME
>Environment:
System: FreeBSD gits 5.2-CURRENT FreeBSD 5.2-CURRENT #28: Thu May 13 00:19:50 CEST 2004 root@gits:/disk3/freebsd/current/obj/disk3/freebsd/current/src/sys/CUSTOM i386
>Description:
	to the author of the patches (CC'ed): if you have no objection, I
	have dissociated the paranoia patch from the jail one. you can
	now choose between both -DPARANOIA -DJAIL, -DPARANOIA only
	or -DJAIL only.

	Makefile
		PORTREVISION bumped
		WITHOUT_DHCP_PARANOIA and WITHOUT_DHCP_JAIL added.
	pkg-message
		updated to inform about the new options.
	files/patch-server::dhcpd.c
		new file
>How-To-Repeat:
	n/a
>Fix:
	take care, this patch is in two parts: the first
	one against /dev/null and the second one a cvs diff.

--- /dev/null	Sun May 30 23:25:55 2004
+++ files/patch-server::dhcpd.c	Sun May 30 23:14:45 2004
@@ -0,0 +1,250 @@
+--- server/dhcpd.c.orig	Wed Jan 15 00:15:24 2003
++++ server/dhcpd.c	Sun May 30 23:14:42 2004
+@@ -56,6 +56,22 @@
+ #include "version.h"
+ #include <omapip/omapip_p.h>
+ 
++#if defined (PARANOIA)
++#include <sys/types.h>
++#include <unistd.h>
++#include <pwd.h>
++/* get around the ISC declaration of group */
++#define group real_group 
++#include <grp.h>
++#undef group
++#endif /* PARANOIA */
++#if defined (JAIL)
++#include <sys/param.h>
++#include <sys/jail.h>
++#include <netinet/in.h>
++#include <arpa/inet.h>
++#endif /* JAIL */
++
+ static void usage PROTO ((void));
+ 
+ TIME cur_time;
+@@ -204,6 +220,35 @@
+ 	omapi_object_dereference (&listener, MDL);
+ }
+ 
++#if defined (PARANOIA)
++/* to be used in one of two possible scenarios */
++static void setup_chroot (char *chroot_dir)
++{
++	if (geteuid ())
++		log_fatal ("you must be root to use chroot");
++	if (chroot (chroot_dir))
++		log_fatal ("chroot(\"%s\"): %m", chroot_dir);
++	if (chdir ("/"))
++		/* probably permission denied */
++		log_fatal ("chdir(\"/\"): %m");
++}
++#endif /* PARANOIA */
++
++#if defined (JAIL)
++static void setup_jail (char *chroot_dir, char *hostname, u_int32_t ip_number)
++{
++      struct jail j;
++
++      j.version = 0;
++      j.path = chroot_dir;
++      j.hostname = hostname;
++      j.ip_number = ip_number;
++
++      if (jail (&j) < 0)
++              log_fatal ("jail(%s, %s): %m", chroot_dir, hostname);
++}
++#endif /* JAIL */
++
+ int main (argc, argv, envp)
+ 	int argc;
+ 	char **argv, **envp;
+@@ -236,6 +281,20 @@
+ 	char *traceinfile = (char *)0;
+ 	char *traceoutfile = (char *)0;
+ #endif
++#if defined (PARANOIA)
++	char *set_user   = 0;
++	char *set_group  = 0;
++	uid_t set_uid = 0;
++	gid_t set_gid = 0;
++	int early_chroot = 0;
++#endif /* PARANOIA */
++#if defined (PARANOIA) || defined (JAIL)
++	char *set_chroot = 0;
++#endif /* PARANOIA || JAIL */
++#if defined (JAIL)
++	char *set_jail = 0;
++	u_int32_t jail_ip_address = 0; /* Good as long as it's IPv4 ... */
++#endif /* JAIL */
+ 
+ 	/* Make sure we have stdin, stdout and stderr. */
+ 	status = open ("/dev/null", O_RDWR);
+@@ -298,6 +357,35 @@
+ 			if (++i == argc)
+ 				usage ();
+ 			server = argv [i];
++#if defined (PARANOIA)
++		} else if (!strcmp (argv [i], "-user")) {
++			if (++i == argc)
++				usage ();
++			set_user = argv [i];
++		} else if (!strcmp (argv [i], "-group")) {
++			if (++i == argc)
++				usage ();
++			set_group = argv [i];
++		} else if (!strcmp (argv [i], "-early_chroot")) {
++			early_chroot = 1;
++#endif /* PARANOIA */
++#if defined (PARANOIA) || defined (JAIL)
++		} else if (!strcmp (argv [i], "-chroot")) {
++			if (++i == argc)
++				usage ();
++			set_chroot = argv [i];
++#endif /* PARANOIA || JAIL */
++#if defined (JAIL)
++		} else if (!strcmp (argv [i], "-jail")) {
++			if (++i == argc)
++				usage ();
++			set_jail = argv [i];
++			if (++i == argc)
++				usage ();
++			if (ascii2addr (AF_INET, argv[i], &jail_ip_address) < 0)
++				usage();
++			jail_ip_address = ntohl (jail_ip_address);
++#endif /* JAIL */
+ 		} else if (!strcmp (argv [i], "-cf")) {
+ 			if (++i == argc)
+ 				usage ();
+@@ -397,6 +485,57 @@
+ 					     trace_seed_stop, MDL);
+ #endif
+ 
++#if defined (PARANOIA)
++	/* get user and group info if those options were given */
++	if (set_user) {
++		struct passwd *tmp_pwd;
++
++		if (geteuid ())
++			log_fatal ("you must be root to set user");
++
++		if (!(tmp_pwd = getpwnam (set_user)))
++			log_fatal ("no such user: %s", set_user);
++
++		set_uid = tmp_pwd->pw_uid;
++
++		/* use the user's group as the default gid */
++		if (!set_group)
++			set_gid = tmp_pwd->pw_gid;
++	}
++
++	if (set_group) {
++/* get around the ISC declaration of group */
++#define group real_group
++		struct group *tmp_grp;
++
++		if (geteuid ())
++			log_fatal ("you must be root to set group");
++
++		if (!(tmp_grp = getgrnam (set_group)))
++			log_fatal ("no such group: %s", set_group);
++
++		set_gid = tmp_grp->gr_gid;
++#undef group
++	}
++#endif /* PARANOIA */
++#if defined (JAIL)
++	if (set_jail) {
++		/* Initialize icmp support... */
++		if (!cftest && !lftest)
++			icmp_startup (1, lease_pinged);
++		if(!set_chroot)
++			set_chroot = "/";
++		setup_jail (set_chroot, set_jail, jail_ip_address);
++	}
++#endif /* JAIL */
++#if defined (PARANOIA) && defined (JAIL)
++	else
++#endif /* PARANOIA && JAIL */
++#if defined (PARANOIA)
++	if (early_chroot && set_chroot)
++		setup_chroot (set_chroot);
++#endif /* PARANOIA */
++
+ 	/* Default to the DHCP/BOOTP port. */
+ 	if (!local_port)
+ 	{
+@@ -471,6 +610,9 @@
+ #endif
+ 
+ 	/* Initialize icmp support... */
++#if defined (JAIL)
++	if (!set_jail)
++#endif /* JAIL */
+ 	if (!cftest && !lftest)
+ 		icmp_startup (1, lease_pinged);
+ 
+@@ -500,6 +642,14 @@
+ 
+ 	postconf_initialization (quiet);
+ 
++#if defined (PARANOIA)
++#if defined (JAIL)
++	if (!set_jail)
++#endif /* JAIL */
++	if (!early_chroot && set_chroot)
++		setup_chroot (set_chroot);
++#endif /* PARANOIA */
++
+         /* test option should cause an early exit */
+  	if (cftest && !lftest) 
+  		exit(0);
+@@ -542,7 +692,22 @@
+ 		else if (pid)
+ 			exit (0);
+ 	}
++  
++#if defined (PARANOIA)
++	/* change uid to the specified one */
++	if (set_gid) {
++		if (setgroups (0, (void *)0))
++			log_fatal ("setgroups: %m");
++		if (setgid (set_gid))
++			log_fatal ("setgid(%d): %m", (int) set_gid);
++	}
+ 
++	if (set_uid) {
++		if (setuid (set_uid))
++			log_fatal ("setuid(%d): %m", (int) set_uid);
++	}
++#endif /* PARANOIA */
++  
+ 	/* Read previous pid file. */
+ 	if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) {
+ 		status = read (i, pbuf, (sizeof pbuf) - 1);
+@@ -886,8 +1051,24 @@
+ 	log_info (copyright);
+ 	log_info (arr);
+ 
+-	log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s",
++	log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s%s%s%s",
+ 		   "\n             [-cf config-file] [-lf lease-file]",
++
++#if defined (PARANOIA)
++		   /* meld into the following string */
++		   "\n             [-user user] [-group group]",
++		   "\n             [-chroot dir] [-early_chroot]",
++#else /* PARANOIA */
++		   "", "",
++#endif /* PARANOIA */
++
++#if defined (JAIL)
++		   /* then also these ones */
++		   "\n             [-jail name ip]",
++#else /* JAIL */
++		   "",
++#endif /* JAIL */
++
+ #if defined (TRACING)
+ 		   "\n		   [-tf trace-output-file]",
+ 		   "\n		   [-play trace-input-file]",
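Review bot: The privilege-drop block in the `@@ -542,7 +692,22 @@` hunk of the dhcpd.c patch tests the numeric ids (`if (set_gid)`, `if (set_uid)`) rather than whether `-user`/`-group` were given, so a resolved gid of 0 skips both `setgroups()` and `setgid()`. With a `-group` that maps to gid 0 (wheel on FreeBSD), or a `-user` whose primary group is gid 0, the daemon would call `setuid()` while still holding every supplementary group it was started with. Keying the branches on the option pointers avoids that: `if (set_user || set_group) {` for the group block and `if (set_user) {` for the uid block. The comment `/* change uid to the specified one */` could also state that the groups are dropped first because `setgroups()` and `setgid()` need the root privilege that `setuid()` gives up. main()'s body starts and ends outside these hunks.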
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/net/isc-dhcp3-server/Makefile,v
retrieving revision 1.94
diff -u -I$Id.*$ -I$.+BSD.*$ -r1.94 Makefile
--- Makefile	22 Mar 2004 23:33:08 -0000	1.94
+++ Makefile	31 May 2004 00:37:55 -0000
@@ -8,7 +8,7 @@
 
 PORTNAME=	dhcp
 PORTVERSION=	3.0.1.r12
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	net
 MASTER_SITES=	${MASTER_SITE_ISC}
 MASTER_SITE_SUBDIR=	dhcp dhcp/dhcp-3.0-history
@@ -117,15 +117,12 @@
 RCSCRIPTS_SUB=	PREFIX=${PREFIX} RC_SUBR=${RC_SUBR}
 PKGMESSAGE_SUB=	PREFIX=${PREFIX} MAN1PREFIX=${MAN1PREFIX}
 
-# Pre-everything
-#
-
-.if ${SUBSYS} == client && !defined(WITHOUT_INTERFACE_POLLING)
-pre-everything::
-	@${ECHO_MSG}
-	@${ECHO_MSG} "If you want to compile without interface polling support."
-	@${ECHO_MSG} "hit Ctrl-C right now and use \"make WITHOUT_INTERFACE_POLLING=yes\""
-	@${ECHO_MSG}
+.if ${SUBSYS} == client
+OPTIONS=	INTERFACE_POLLING "interface polling support" on
+.endif
+.if ${SUBSYS} == server
+OPTIONS=	DHCP_PARANOIA "add -user, -group and -chroot options" on \
+		DHCP_JAIL "add -chroot and -jail options" on
 .endif
 
 # Post-extract
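Review bot: The `DHCP_JAIL` description, `"add -chroot and -jail options"`, promises more than a jail-only build delivers. With `WITHOUT_DHCP_PARANOIA` set, the dhcpd.c patch in this submission still parses `-chroot` but uses the directory only as the jail path inside `if (set_jail)`, so `-chroot dir` without `-jail` is accepted and then ignored. An administrator relying on that flag for confinement would get an unconfined daemon with no diagnostic. Either reword the option to something like `"add -jail option (-chroot sets the jail path)"`, or have dhcpd reject `-chroot` without `-jail` when only JAIL is compiled in.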
@@ -156,6 +153,14 @@
 .if ${SUBSYS} == client && !defined(WITHOUT_INTERFACE_POLLING)
 	@${ECHO_CMD} CFLAGS += -DENABLE_POLLING_MODE >> ${WRKSRC}/site.conf
 .endif
+.if ${SUBSYS} == server
+.if !defined(WITHOUT_DHCP_PARANOIA)
+	@${ECHO_CMD} CFLAGS += -DPARANOIA >> ${WRKSRC}/site.conf
+.endif
+.if !defined(WITHOUT_DHCP_JAIL)
+	@${ECHO_CMD} CFLAGS += -DJAIL >> ${WRKSRC}/site.conf
+.endif
+.endif
 
 patch-makefile-conf:
 	@${REINPLACE_CMD} -e 's|^DEBUG[ 	]*=|# DEBUG ?=|g' \
Index: pkg-message
===================================================================
RCS file: /home/ncvs/ports/net/isc-dhcp3-server/pkg-message,v
retrieving revision 1.4
diff -u -I$Id.*$ -I$.+BSD.*$ -r1.4 pkg-message
--- pkg-message	16 Mar 2004 20:31:15 -0000	1.4
+++ pkg-message	30 May 2004 21:16:10 -0000
@@ -9,7 +9,16 @@
 	    dhcpd_conf="%%PREFIX%%/etc/dhcpd.conf"	# configuration file
 	    dhcpd_ifaces=""				# ethernet interface(s)
 
-****  For instance, rc.conf like variables are still read from
-      %%PREFIX%%/etc/rc.isc-dhcpd.conf. They should be move into
-      /etc/rc.conf.  Also, the dhcpd_options variable must be
-      renamed dhcpd_flags.
+****  For instance, rc.conf like variables are still read from %%PREFIX%%\
+      /etc/rc.isc-dhcpd.conf. They should be move into /etc/rc.conf.  Also,
+      the dhcpd_options variable must be renamed dhcpd_flags.
+
+****  If compiled with paranoia support (the default), the following options
+      are also supported:
+
+            [-user user] [-group group] [-chroot dir] [-early_chroot]
+
+****  If compiled with jail support (the default), the following options are
+      also supported:
+
+            [-chroot dir] [-jail hostname ip_address]	# implies -early_chroot
>Release-Note:
>Audit-Trail:
>Unformatted:


