Attachment #43407 for bug #67407

View | Details | Raw Unified | Return to bug 67407
Collapse All | Expand All




--- server/dhcpd.c.orig	Wed Jan 15 00:15:24 2003
+++ server/dhcpd.c	Sun May 30 23:14:42 2004
@@ -56,6 +56,22 @@
 #include "version.h"
 #include <omapip/omapip_p.h>
 
+#if defined (PARANOIA)
+#include <sys/types.h>
+#include <unistd.h>
+#include <pwd.h>
+/* get around the ISC declaration of group */
+#define group real_group 
+#include <grp.h>
+#undef group
+#endif /* PARANOIA */
+#if defined (JAIL)
+#include <sys/param.h>
+#include <sys/jail.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#endif /* JAIL */
+
 static void usage PROTO ((void));
 
 TIME cur_time;
@@ -204,6 +220,35 @@
 	omapi_object_dereference (&listener, MDL);
 }
 
+#if defined (PARANOIA)
+/* to be used in one of two possible scenarios */
+static void setup_chroot (char *chroot_dir)
+{
+	if (geteuid ())
+		log_fatal ("you must be root to use chroot");
+	if (chroot (chroot_dir))
+		log_fatal ("chroot(\"%s\"): %m", chroot_dir);
+	if (chdir ("/"))
+		/* probably permission denied */
+		log_fatal ("chdir(\"/\"): %m");
+}
+#endif /* PARANOIA */
+
+#if defined (JAIL)
+static void setup_jail (char *chroot_dir, char *hostname, u_int32_t ip_number)
+{
+      struct jail j;
+
+      j.version = 0;
+      j.path = chroot_dir;
+      j.hostname = hostname;
+      j.ip_number = ip_number;
+
+      if (jail (&j) < 0)
+              log_fatal ("jail(%s, %s): %m", chroot_dir, hostname);
+}
+#endif /* JAIL */
+
 int main (argc, argv, envp)
 	int argc;
 	char **argv, **envp;
@@ -236,6 +281,20 @@
 	char *traceinfile = (char *)0;
 	char *traceoutfile = (char *)0;
 #endif
+#if defined (PARANOIA)
+	char *set_user   = 0;
+	char *set_group  = 0;
+	uid_t set_uid = 0;
+	gid_t set_gid = 0;
+	int early_chroot = 0;
+#endif /* PARANOIA */
+#if defined (PARANOIA) || defined (JAIL)
+	char *set_chroot = 0;
+#endif /* PARANOIA || JAIL */
+#if defined (JAIL)
+	char *set_jail = 0;
+	u_int32_t jail_ip_address = 0; /* Good as long as it's IPv4 ... */
+#endif /* JAIL */
 
 	/* Make sure we have stdin, stdout and stderr. */
 	status = open ("/dev/null", O_RDWR);
@@ -298,6 +357,35 @@
 			if (++i == argc)
 				usage ();
 			server = argv [i];
+#if defined (PARANOIA)
+		} else if (!strcmp (argv [i], "-user")) {
+			if (++i == argc)
+				usage ();
+			set_user = argv [i];
+		} else if (!strcmp (argv [i], "-group")) {
+			if (++i == argc)
+				usage ();
+			set_group = argv [i];
+		} else if (!strcmp (argv [i], "-early_chroot")) {
+			early_chroot = 1;
+#endif /* PARANOIA */
+#if defined (PARANOIA) || defined (JAIL)
+		} else if (!strcmp (argv [i], "-chroot")) {
+			if (++i == argc)
+				usage ();
+			set_chroot = argv [i];
+#endif /* PARANOIA || JAIL */
+#if defined (JAIL)
+		} else if (!strcmp (argv [i], "-jail")) {
+			if (++i == argc)
+				usage ();
+			set_jail = argv [i];
+			if (++i == argc)
+				usage ();
+			if (ascii2addr (AF_INET, argv[i], &jail_ip_address) < 0)
+				usage();
+			jail_ip_address = ntohl (jail_ip_address);
+#endif /* JAIL */
 		} else if (!strcmp (argv [i], "-cf")) {
 			if (++i == argc)
 				usage ();
@@ -397,6 +485,57 @@
 					     trace_seed_stop, MDL);
 #endif
 
+#if defined (PARANOIA)
+	/* get user and group info if those options were given */
+	if (set_user) {
+		struct passwd *tmp_pwd;
+
+		if (geteuid ())
+			log_fatal ("you must be root to set user");
+
+		if (!(tmp_pwd = getpwnam (set_user)))
+			log_fatal ("no such user: %s", set_user);
+
+		set_uid = tmp_pwd->pw_uid;
+
+		/* use the user's group as the default gid */
+		if (!set_group)
+			set_gid = tmp_pwd->pw_gid;
+	}
+
+	if (set_group) {
+/* get around the ISC declaration of group */
+#define group real_group
+		struct group *tmp_grp;
+
+		if (geteuid ())
+			log_fatal ("you must be root to set group");
+
+		if (!(tmp_grp = getgrnam (set_group)))
+			log_fatal ("no such group: %s", set_group);
+
+		set_gid = tmp_grp->gr_gid;
+#undef group
+	}
+#endif /* PARANOIA */
+#if defined (JAIL)
+	if (set_jail) {
+		/* Initialize icmp support... */
+		if (!cftest && !lftest)
+			icmp_startup (1, lease_pinged);
+		if(!set_chroot)
+			set_chroot = "/";
+		setup_jail (set_chroot, set_jail, jail_ip_address);
+	}
+#endif /* JAIL */
+#if defined (PARANOIA) && defined (JAIL)
+	else
+#endif /* PARANOIA && JAIL */
+#if defined (PARANOIA)
+	if (early_chroot && set_chroot)
+		setup_chroot (set_chroot);
+#endif /* PARANOIA */
+
 	/* Default to the DHCP/BOOTP port. */
 	if (!local_port)
 	{
@@ -471,6 +610,9 @@
 #endif
 
 	/* Initialize icmp support... */
+#if defined (JAIL)
+	if (!set_jail)
+#endif /* JAIL */
 	if (!cftest && !lftest)
 		icmp_startup (1, lease_pinged);
 
@@ -500,6 +642,14 @@
 
 	postconf_initialization (quiet);
 
+#if defined (PARANOIA)
+#if defined (JAIL)
+	if (!set_jail)
+#endif /* JAIL */
+	if (!early_chroot && set_chroot)
+		setup_chroot (set_chroot);
+#endif /* PARANOIA */
+
         /* test option should cause an early exit */
  	if (cftest && !lftest) 
  		exit(0);
@@ -542,7 +692,22 @@
 		else if (pid)
 			exit (0);
 	}
+  
+#if defined (PARANOIA)
+	/* change uid to the specified one */
+	if (set_gid) {
+		if (setgroups (0, (void *)0))
+			log_fatal ("setgroups: %m");
+		if (setgid (set_gid))
+			log_fatal ("setgid(%d): %m", (int) set_gid);
+	}
 
+	if (set_uid) {
+		if (setuid (set_uid))
+			log_fatal ("setuid(%d): %m", (int) set_uid);
+	}
+#endif /* PARANOIA */
+  
 	/* Read previous pid file. */
 	if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) {
 		status = read (i, pbuf, (sizeof pbuf) - 1);
@@ -886,8 +1051,24 @@
 	log_info (copyright);
 	log_info (arr);
 
-	log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s",
+	log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s%s%s%s",
 		   "\n             [-cf config-file] [-lf lease-file]",
+
+#if defined (PARANOIA)
+		   /* meld into the following string */
+		   "\n             [-user user] [-group group]",
+		   "\n             [-chroot dir] [-early_chroot]",
+#else /* PARANOIA */
+		   "", "",
+#endif /* PARANOIA */
+
+#if defined (JAIL)
+		   /* then also these ones */
+		   "\n             [-jail name ip]",
+#else /* JAIL */
+		   "",
+#endif /* JAIL */
+
 #if defined (TRACING)
 		   "\n		   [-tf trace-output-file]",
 		   "\n		   [-play trace-input-file]",





PORTNAME=	dhcp
PORTVERSION=	3.0.1.r12
PORTREVISION=	3
CATEGORIES=	net
MASTER_SITES=	${MASTER_SITE_ISC}
MASTER_SITE_SUBDIR=	dhcp dhcp/dhcp-3.0-history

RCSCRIPTS_SUB=	PREFIX=${PREFIX} RC_SUBR=${RC_SUBR}
PKGMESSAGE_SUB=	PREFIX=${PREFIX} MAN1PREFIX=${MAN1PREFIX}

.if ${SUBSYS} == client
OPTIONS=	INTERFACE_POLLING "interface polling support" on
.endif
.if ${SUBSYS} == server
OPTIONS=	DHCP_PARANOIA "add -user, -group and -chroot options" on \
		DHCP_JAIL "add -chroot and -jail options" on
	@${ECHO_MSG} "If you want to compile without interface polling support."
	@${ECHO_MSG} "hit Ctrl-C right now and use \"make WITHOUT_INTERFACE_POLLING=yes\""
	@${ECHO_MSG}
.endif

# Post-extract

.if ${SUBSYS} == client && !defined(WITHOUT_INTERFACE_POLLING)
	@${ECHO_CMD} CFLAGS += -DENABLE_POLLING_MODE >> ${WRKSRC}/site.conf
.endif
.if ${SUBSYS} == server
.if !defined(WITHOUT_DHCP_PARANOIA)
	@${ECHO_CMD} CFLAGS += -DPARANOIA >> ${WRKSRC}/site.conf
.endif
.if !defined(WITHOUT_DHCP_JAIL)
	@${ECHO_CMD} CFLAGS += -DJAIL >> ${WRKSRC}/site.conf
.endif
.endif

patch-makefile-conf:
	@${REINPLACE_CMD} -e 's|^DEBUG[ 	]*=|# DEBUG ?=|g' \




	    dhcpd_conf="%%PREFIX%%/etc/dhcpd.conf"	# configuration file
	    dhcpd_ifaces=""				# ethernet interface(s)

****  For instance, rc.conf like variables are still read from %%PREFIX%%\
      /etc/rc.isc-dhcpd.conf. They should be move into /etc/rc.conf.  Also,
      the dhcpd_options variable must be renamed dhcpd_flags.

****  If compiled with paranoia support (the default), the following options
      are also supported:

            [-user user] [-group group] [-chroot dir] [-early_chroot]

****  If compiled with jail support (the default), the following options are
      also supported:

            [-chroot dir] [-jail hostname ip_address]	# implies -early_chroot

Return to bug 67407

Lines 8-14 Link Here

(-)Makefile (-10 / +15 lines)
8		8
9	PORTNAME= dhcp	9	PORTNAME= dhcp
10	PORTVERSION= 3.0.1.r12	10	PORTVERSION= 3.0.1.r12
11	PORTREVISION= 2	11	PORTREVISION= 3
12	CATEGORIES= net	12	CATEGORIES= net
13	MASTER_SITES= ${MASTER_SITE_ISC}	13	MASTER_SITES= ${MASTER_SITE_ISC}
14	MASTER_SITE_SUBDIR= dhcp dhcp/dhcp-3.0-history	14	MASTER_SITE_SUBDIR= dhcp dhcp/dhcp-3.0-history
Lines 117-131 Link Here
117	RCSCRIPTS_SUB= PREFIX=${PREFIX} RC_SUBR=${RC_SUBR}	117	RCSCRIPTS_SUB= PREFIX=${PREFIX} RC_SUBR=${RC_SUBR}
118	PKGMESSAGE_SUB= PREFIX=${PREFIX} MAN1PREFIX=${MAN1PREFIX}	118	PKGMESSAGE_SUB= PREFIX=${PREFIX} MAN1PREFIX=${MAN1PREFIX}
119		119
120	# Pre-everything	120	.if ${SUBSYS} == client
121	#	121	OPTIONS= INTERFACE_POLLING "interface polling support" on
122		122	.endif
123	.if ${SUBSYS} == client && !defined(WITHOUT_INTERFACE_POLLING)	123	.if ${SUBSYS} == server
124	pre-everything::	124	OPTIONS= DHCP_PARANOIA "add -user, -group and -chroot options" on \
125	@${ECHO_MSG}	125	DHCP_JAIL "add -chroot and -jail options" on
126	@${ECHO_MSG} "If you want to compile without interface polling support."
127	@${ECHO_MSG} "hit Ctrl-C right now and use \"make WITHOUT_INTERFACE_POLLING=yes\""
128	@${ECHO_MSG}
129	.endif	126	.endif
130		127
131	# Post-extract	128	# Post-extract
Lines 156-161 Link Here
156	.if ${SUBSYS} == client && !defined(WITHOUT_INTERFACE_POLLING)	153	.if ${SUBSYS} == client && !defined(WITHOUT_INTERFACE_POLLING)
157	@${ECHO_CMD} CFLAGS += -DENABLE_POLLING_MODE >> ${WRKSRC}/site.conf	154	@${ECHO_CMD} CFLAGS += -DENABLE_POLLING_MODE >> ${WRKSRC}/site.conf
158	.endif	155	.endif
		156	.if ${SUBSYS} == server
		157	.if !defined(WITHOUT_DHCP_PARANOIA)
		158	@${ECHO_CMD} CFLAGS += -DPARANOIA >> ${WRKSRC}/site.conf
		159	.endif
		160	.if !defined(WITHOUT_DHCP_JAIL)
		161	@${ECHO_CMD} CFLAGS += -DJAIL >> ${WRKSRC}/site.conf
		162	.endif
		163	.endif
159		164
160	patch-makefile-conf:	165	patch-makefile-conf:
161	@${REINPLACE_CMD} -e 's\|^DEBUG[ ]*=\|# DEBUG ?=\|g' \	166	@${REINPLACE_CMD} -e 's\|^DEBUG[ ]*=\|# DEBUG ?=\|g' \

Added Link Here

(-)files/patch-server::dhcpd.c (+250 lines)
1	--- server/dhcpd.c.orig Wed Jan 15 00:15:24 2003
2	+++ server/dhcpd.c Sun May 30 23:14:42 2004
3	@@ -56,6 +56,22 @@
4	#include "version.h"
5	#include <omapip/omapip_p.h>
6
7	+#if defined (PARANOIA)
8	+#include <sys/types.h>
9	+#include <unistd.h>
10	+#include <pwd.h>
11	+/* get around the ISC declaration of group */
12	+#define group real_group
13	+#include <grp.h>
14	+#undef group
15	+#endif /* PARANOIA */
16	+#if defined (JAIL)
17	+#include <sys/param.h>
18	+#include <sys/jail.h>
19	+#include <netinet/in.h>
20	+#include <arpa/inet.h>
21	+#endif /* JAIL */
22	+
23	static void usage PROTO ((void));
24
25	TIME cur_time;
26	@@ -204,6 +220,35 @@
27	omapi_object_dereference (&listener, MDL);
28	}
29
30	+#if defined (PARANOIA)
31	+/* to be used in one of two possible scenarios */
32	+static void setup_chroot (char *chroot_dir)
33	+{
34	+ if (geteuid ())
35	+ log_fatal ("you must be root to use chroot");
36	+ if (chroot (chroot_dir))
37	+ log_fatal ("chroot(\"%s\"): %m", chroot_dir);
38	+ if (chdir ("/"))
39	+ /* probably permission denied */
40	+ log_fatal ("chdir(\"/\"): %m");
41	+}
42	+#endif /* PARANOIA */
43	+
44	+#if defined (JAIL)
45	+static void setup_jail (char chroot_dir, char hostname, u_int32_t ip_number)
46	+{
47	+ struct jail j;
48	+
49	+ j.version = 0;
50	+ j.path = chroot_dir;
51	+ j.hostname = hostname;
52	+ j.ip_number = ip_number;
53	+
54	+ if (jail (&j) < 0)
55	+ log_fatal ("jail(%s, %s): %m", chroot_dir, hostname);
56	+}
57	+#endif /* JAIL */
58	+
59	int main (argc, argv, envp)
60	int argc;
61	char argv, envp;
62	@@ -236,6 +281,20 @@
63	char traceinfile = (char )0;
64	char traceoutfile = (char )0;
65	#endif
66	+#if defined (PARANOIA)
67	+ char *set_user = 0;
68	+ char *set_group = 0;
69	+ uid_t set_uid = 0;
70	+ gid_t set_gid = 0;
71	+ int early_chroot = 0;
72	+#endif /* PARANOIA */
73	+#if defined (PARANOIA) \|\| defined (JAIL)
74	+ char *set_chroot = 0;
75	+#endif /* PARANOIA \|\| JAIL */
76	+#if defined (JAIL)
77	+ char *set_jail = 0;
78	+ u_int32_t jail_ip_address = 0; /* Good as long as it's IPv4 ... */
79	+#endif /* JAIL */
80
81	/* Make sure we have stdin, stdout and stderr. */
82	status = open ("/dev/null", O_RDWR);
83	@@ -298,6 +357,35 @@
84	if (++i == argc)
85	usage ();
86	server = argv [i];
87	+#if defined (PARANOIA)
88	+ } else if (!strcmp (argv [i], "-user")) {
89	+ if (++i == argc)
90	+ usage ();
91	+ set_user = argv [i];
92	+ } else if (!strcmp (argv [i], "-group")) {
93	+ if (++i == argc)
94	+ usage ();
95	+ set_group = argv [i];
96	+ } else if (!strcmp (argv [i], "-early_chroot")) {
97	+ early_chroot = 1;
98	+#endif /* PARANOIA */
99	+#if defined (PARANOIA) \|\| defined (JAIL)
100	+ } else if (!strcmp (argv [i], "-chroot")) {
101	+ if (++i == argc)
102	+ usage ();
103	+ set_chroot = argv [i];
104	+#endif /* PARANOIA \|\| JAIL */
105	+#if defined (JAIL)
106	+ } else if (!strcmp (argv [i], "-jail")) {
107	+ if (++i == argc)
108	+ usage ();
109	+ set_jail = argv [i];
110	+ if (++i == argc)
111	+ usage ();
112	+ if (ascii2addr (AF_INET, argv[i], &jail_ip_address) < 0)
113	+ usage();
114	+ jail_ip_address = ntohl (jail_ip_address);
115	+#endif /* JAIL */
116	} else if (!strcmp (argv [i], "-cf")) {
117	if (++i == argc)
118	usage ();
119	@@ -397,6 +485,57 @@
120	trace_seed_stop, MDL);
121	#endif
122
123	+#if defined (PARANOIA)
124	+ /* get user and group info if those options were given */
125	+ if (set_user) {
126	+ struct passwd *tmp_pwd;
127	+
128	+ if (geteuid ())
129	+ log_fatal ("you must be root to set user");
130	+
131	+ if (!(tmp_pwd = getpwnam (set_user)))
132	+ log_fatal ("no such user: %s", set_user);
133	+
134	+ set_uid = tmp_pwd->pw_uid;
135	+
136	+ /* use the user's group as the default gid */
137	+ if (!set_group)
138	+ set_gid = tmp_pwd->pw_gid;
139	+ }
140	+
141	+ if (set_group) {
142	+/* get around the ISC declaration of group */
143	+#define group real_group
144	+ struct group *tmp_grp;
145	+
146	+ if (geteuid ())
147	+ log_fatal ("you must be root to set group");
148	+
149	+ if (!(tmp_grp = getgrnam (set_group)))
150	+ log_fatal ("no such group: %s", set_group);
151	+
152	+ set_gid = tmp_grp->gr_gid;
153	+#undef group
154	+ }
155	+#endif /* PARANOIA */
156	+#if defined (JAIL)
157	+ if (set_jail) {
158	+ /* Initialize icmp support... */
159	+ if (!cftest && !lftest)
160	+ icmp_startup (1, lease_pinged);
161	+ if(!set_chroot)
162	+ set_chroot = "/";
163	+ setup_jail (set_chroot, set_jail, jail_ip_address);
164	+ }
165	+#endif /* JAIL */
166	+#if defined (PARANOIA) && defined (JAIL)
167	+ else
168	+#endif /* PARANOIA && JAIL */
169	+#if defined (PARANOIA)
170	+ if (early_chroot && set_chroot)
171	+ setup_chroot (set_chroot);
172	+#endif /* PARANOIA */
173	+
174	/* Default to the DHCP/BOOTP port. */
175	if (!local_port)
176	{
177	@@ -471,6 +610,9 @@
178	#endif
179
180	/* Initialize icmp support... */
181	+#if defined (JAIL)
182	+ if (!set_jail)
183	+#endif /* JAIL */
184	if (!cftest && !lftest)
185	icmp_startup (1, lease_pinged);
186
187	@@ -500,6 +642,14 @@
188
189	postconf_initialization (quiet);
190
191	+#if defined (PARANOIA)
192	+#if defined (JAIL)
193	+ if (!set_jail)
194	+#endif /* JAIL */
195	+ if (!early_chroot && set_chroot)
196	+ setup_chroot (set_chroot);
197	+#endif /* PARANOIA */
198	+
199	/* test option should cause an early exit */
200	if (cftest && !lftest)
201	exit(0);
202	@@ -542,7 +692,22 @@
203	else if (pid)
204	exit (0);
205	}
206	+
207	+#if defined (PARANOIA)
208	+ /* change uid to the specified one */
209	+ if (set_gid) {
210	+ if (setgroups (0, (void *)0))
211	+ log_fatal ("setgroups: %m");
212	+ if (setgid (set_gid))
213	+ log_fatal ("setgid(%d): %m", (int) set_gid);
214	+ }
215
216	+ if (set_uid) {
217	+ if (setuid (set_uid))
218	+ log_fatal ("setuid(%d): %m", (int) set_uid);
219	+ }
220	+#endif /* PARANOIA */
221	+
222	/* Read previous pid file. */
223	if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) {
224	status = read (i, pbuf, (sizeof pbuf) - 1);
225	@@ -886,8 +1051,24 @@
226	log_info (copyright);
227	log_info (arr);
228
229	- log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s",
230	+ log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s%s%s%s",
231	"\n [-cf config-file] [-lf lease-file]",
232	+
233	+#if defined (PARANOIA)
234	+ /* meld into the following string */
235	+ "\n [-user user] [-group group]",
236	+ "\n [-chroot dir] [-early_chroot]",
237	+#else /* PARANOIA */
238	+ "", "",
239	+#endif /* PARANOIA */
240	+
241	+#if defined (JAIL)
242	+ /* then also these ones */
243	+ "\n [-jail name ip]",
244	+#else /* JAIL */
245	+ "",
246	+#endif /* JAIL */
247	+
248	#if defined (TRACING)
249	"\n [-tf trace-output-file]",
250	"\n [-play trace-input-file]",

Lines 9-15 Link Here

(-)pkg-message (-4 / +13 lines)
9	dhcpd_conf="%%PREFIX%%/etc/dhcpd.conf" # configuration file	9	dhcpd_conf="%%PREFIX%%/etc/dhcpd.conf" # configuration file
10	dhcpd_ifaces="" # ethernet interface(s)	10	dhcpd_ifaces="" # ethernet interface(s)
11		11
12	**** For instance, rc.conf like variables are still read from	12	**** For instance, rc.conf like variables are still read from %%PREFIX%%\
13	%%PREFIX%%/etc/rc.isc-dhcpd.conf. They should be move into	13	/etc/rc.isc-dhcpd.conf. They should be move into /etc/rc.conf. Also,
14	/etc/rc.conf. Also, the dhcpd_options variable must be	14	the dhcpd_options variable must be renamed dhcpd_flags.
15	renamed dhcpd_flags.	15
		16	**** If compiled with paranoia support (the default), the following options
		17	are also supported:
		18
		19	[-user user] [-group group] [-chroot dir] [-early_chroot]
		20
		21	**** If compiled with jail support (the default), the following options are
		22	also supported:
		23
		24	[-chroot dir] [-jail hostname ip_address] # implies -early_chroot