author | Pav Lucistnik <pav@FreeBSD.org> | 2004-06-01 13:34:27 +0000 |
---|---|---|
committer | Pav Lucistnik <pav@FreeBSD.org> | 2004-06-01 13:34:27 +0000 |
commit | bfef58c1429e04a1e34423d58bc6f1d130a1290a (patch) | |
tree | a9cea76816f6a00346ea46d36ab166f572195aa2 /net/isc-dhcp40-server | |
parent | 3c0bf3b7c0090c757bc4dab0cee1cfcc6e3c78db (diff) |
- Integrate paranoia and jail patches to allow running in chroot and jail
- Employ OPTIONS
PR: ports/67407
Submitted by: Cyrille Lefevre <cyrille.lefevre@laposte.net> (maintainer)
Notes
Notes:
svn path=/head/; revision=110606
Diffstat (limited to 'net/isc-dhcp40-server')
-rw-r--r-- | net/isc-dhcp40-server/Makefile | 33 | ||||
-rw-r--r-- | net/isc-dhcp40-server/files/patch-server::dhcpd.c | 250 | ||||
-rw-r--r-- | net/isc-dhcp40-server/pkg-message | 17 |
3 files changed, 282 insertions, 18 deletions
diff --git a/net/isc-dhcp40-server/Makefile b/net/isc-dhcp40-server/Makefile index 291e831481f3..7e503b671f2b 100644 --- a/net/isc-dhcp40-server/Makefile +++ b/net/isc-dhcp40-server/Makefile @@ -8,7 +8,7 @@ PORTNAME= dhcp PORTVERSION= 3.0.1.r12 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= net MASTER_SITES= ${MASTER_SITE_ISC} MASTER_SITE_SUBDIR= dhcp dhcp/dhcp-3.0-history @@ -22,6 +22,16 @@ COMMENT?= The ISC Dynamic Host Configuration Protocol server USE_REINPLACE= yes USE_RC_SUBR= yes +SUBSYS?= server + +.if ${SUBSYS} == client +OPTIONS= INTERFACE_POLLING "interface polling support" on +.endif +.if ${SUBSYS} == server +OPTIONS= DHCP_PARANOIA "add -user, -group and -chroot options" on \ + DHCP_JAIL "add -chroot and -jail options" on +.endif + .include <bsd.port.pre.mk> # Global variables @@ -32,8 +42,6 @@ CONFIGURE_ARGS= --subsys ${SUBSYS} ALL_TARGET= all.${SUBSYS} INSTALL_TARGET= install.${SUBSYS} -SUBSYS?= server - .if ${SUBSYS} == client MAN5= dhclient.conf.5 dhclient.leases.5 MAN8= dhclient.8 dhclient-script.8 @@ -117,17 +125,6 @@ REINPLACE_SUB= PREFIX=${PREFIX} RCSCRIPTS_SUB= PREFIX=${PREFIX} RC_SUBR=${RC_SUBR} PKGMESSAGE_SUB= PREFIX=${PREFIX} MAN1PREFIX=${MAN1PREFIX} -# Pre-everything -# - -.if ${SUBSYS} == client && !defined(WITHOUT_INTERFACE_POLLING) -pre-everything:: - @${ECHO_MSG} - @${ECHO_MSG} "If you want to compile without interface polling support." - @${ECHO_MSG} "hit Ctrl-C right now and use \"make WITHOUT_INTERFACE_POLLING=yes\"" - @${ECHO_MSG} -.endif - # Post-extract # @@ -156,6 +153,14 @@ patch-site-conf: .if ${SUBSYS} == client && !defined(WITHOUT_INTERFACE_POLLING) @${ECHO_CMD} CFLAGS += -DENABLE_POLLING_MODE >> ${WRKSRC}/site.conf .endif +.if ${SUBSYS} == server +.if !defined(WITHOUT_DHCP_PARANOIA) + @${ECHO_CMD} CFLAGS += -DPARANOIA >> ${WRKSRC}/site.conf +.endif +.if !defined(WITHOUT_DHCP_JAIL) + @${ECHO_CMD} CFLAGS += -DJAIL >> ${WRKSRC}/site.conf +.endif +.endif patch-makefile-conf: @${REINPLACE_CMD} -e 's|^DEBUG[ ]*=|# DEBUG ?=|g' \ 
diff --git a/net/isc-dhcp40-server/files/patch-server::dhcpd.c b/net/isc-dhcp40-server/files/patch-server::dhcpd.c new file mode 100644 index 000000000000..d77330b32ea8 --- /dev/null +++ b/net/isc-dhcp40-server/files/patch-server::dhcpd.c 
@@ -0,0 +1,250 @@ +--- server/dhcpd.c.orig Wed Jan 15 00:15:24 2003 ++++ server/dhcpd.c Sun May 30 23:14:42 2004 +@@ -56,6 +56,22 @@ + #include "version.h" + #include <omapip/omapip_p.h> + ++#if defined (PARANOIA) ++#include <sys/types.h> ++#include <unistd.h> ++#include <pwd.h> ++/* get around the ISC declaration of group */ ++#define group real_group ++#include <grp.h> ++#undef group ++#endif /* PARANOIA */ ++#if defined (JAIL) ++#include <sys/param.h> ++#include <sys/jail.h> ++#include <netinet/in.h> ++#include <arpa/inet.h> ++#endif /* JAIL */ ++ + static void usage PROTO ((void)); + + TIME cur_time; +@@ -204,6 +220,35 @@ + omapi_object_dereference (&listener, MDL); + } + ++#if defined (PARANOIA) ++/* to be used in one of two possible scenarios */ ++static void setup_chroot (char *chroot_dir) ++{ ++ if (geteuid ()) ++ log_fatal ("you must be root to use chroot"); ++ if (chroot (chroot_dir)) ++ log_fatal ("chroot(\"%s\"): %m", chroot_dir); ++ if (chdir ("/")) ++ /* probably permission denied */ ++ log_fatal ("chdir(\"/\"): %m"); ++} ++#endif /* PARANOIA */ ++ ++#if defined (JAIL) ++static void setup_jail (char *chroot_dir, char *hostname, u_int32_t ip_number) ++{ ++ struct jail j; ++ ++ j.version = 0; ++ j.path = chroot_dir; ++ j.hostname = hostname; ++ j.ip_number = ip_number; ++ ++ if (jail (&j) < 0) ++ log_fatal ("jail(%s, %s): %m", chroot_dir, hostname); ++} ++#endif /* JAIL */ ++ + int main (argc, argv, envp) + int argc; + char **argv, **envp; +@@ -236,6 +281,20 @@ + char *traceinfile = (char *)0; + char *traceoutfile = (char *)0; + #endif ++#if defined (PARANOIA) ++ char *set_user = 0; ++ char *set_group = 0; ++ uid_t set_uid = 0; ++ gid_t set_gid = 0; ++ int early_chroot = 0; ++#endif /* PARANOIA */ ++#if defined (PARANOIA) || defined (JAIL) ++ char *set_chroot = 0; ++#endif /* PARANOIA || JAIL */ ++#if defined (JAIL) ++ char *set_jail = 0; ++ u_int32_t jail_ip_address = 0; /* Good as long as it's IPv4 ... 
*/ ++#endif /* JAIL */ + + /* Make sure we have stdin, stdout and stderr. */ + status = open ("/dev/null", O_RDWR); +@@ -298,6 +357,35 @@ + if (++i == argc) + usage (); + server = argv [i]; ++#if defined (PARANOIA) ++ } else if (!strcmp (argv [i], "-user")) { ++ if (++i == argc) ++ usage (); ++ set_user = argv [i]; ++ } else if (!strcmp (argv [i], "-group")) { ++ if (++i == argc) ++ usage (); ++ set_group = argv [i]; ++ } else if (!strcmp (argv [i], "-early_chroot")) { ++ early_chroot = 1; ++#endif /* PARANOIA */ ++#if defined (PARANOIA) || defined (JAIL) ++ } else if (!strcmp (argv [i], "-chroot")) { ++ if (++i == argc) ++ usage (); ++ set_chroot = argv [i]; ++#endif /* PARANOIA || JAIL */ ++#if defined (JAIL) ++ } else if (!strcmp (argv [i], "-jail")) { ++ if (++i == argc) ++ usage (); ++ set_jail = argv [i]; ++ if (++i == argc) ++ usage (); ++ if (ascii2addr (AF_INET, argv[i], &jail_ip_address) < 0) ++ usage(); ++ jail_ip_address = ntohl (jail_ip_address); ++#endif /* JAIL */ + } else if (!strcmp (argv [i], "-cf")) { + if (++i == argc) + usage (); +@@ -397,6 +485,57 @@ + trace_seed_stop, MDL); + #endif + ++#if defined (PARANOIA) ++ /* get user and group info if those options were given */ ++ if (set_user) { ++ struct passwd *tmp_pwd; ++ ++ if (geteuid ()) ++ log_fatal ("you must be root to set user"); ++ ++ if (!(tmp_pwd = getpwnam (set_user))) ++ log_fatal ("no such user: %s", set_user); ++ ++ set_uid = tmp_pwd->pw_uid; ++ ++ /* use the user's group as the default gid */ ++ if (!set_group) ++ set_gid = tmp_pwd->pw_gid; ++ } ++ ++ if (set_group) { ++/* get around the ISC declaration of group */ ++#define group real_group ++ struct group *tmp_grp; ++ ++ if (geteuid ()) ++ log_fatal ("you must be root to set group"); ++ ++ if (!(tmp_grp = getgrnam (set_group))) ++ log_fatal ("no such group: %s", set_group); ++ ++ set_gid = tmp_grp->gr_gid; ++#undef group ++ } ++#endif /* PARANOIA */ ++#if defined (JAIL) ++ if (set_jail) { ++ /* Initialize icmp support... 
*/ ++ if (!cftest && !lftest) ++ icmp_startup (1, lease_pinged); ++ if(!set_chroot) ++ set_chroot = "/"; ++ setup_jail (set_chroot, set_jail, jail_ip_address); ++ } ++#endif /* JAIL */ ++#if defined (PARANOIA) && defined (JAIL) ++ else ++#endif /* PARANOIA && JAIL */ ++#if defined (PARANOIA) ++ if (early_chroot && set_chroot) ++ setup_chroot (set_chroot); ++#endif /* PARANOIA */ ++ + /* Default to the DHCP/BOOTP port. */ + if (!local_port) + { +@@ -471,6 +610,9 @@ + #endif + + /* Initialize icmp support... */ ++#if defined (JAIL) ++ if (!set_jail) ++#endif /* JAIL */ + if (!cftest && !lftest) + icmp_startup (1, lease_pinged); + +@@ -500,6 +642,14 @@ + + postconf_initialization (quiet); + ++#if defined (PARANOIA) ++#if defined (JAIL) ++ if (!set_jail) ++#endif /* JAIL */ ++ if (!early_chroot && set_chroot) ++ setup_chroot (set_chroot); ++#endif /* PARANOIA */ ++ + /* test option should cause an early exit */ + if (cftest && !lftest) + exit(0); +@@ -542,7 +692,22 @@ + else if (pid) + exit (0); + } ++ ++#if defined (PARANOIA) ++ /* change uid to the specified one */ ++ if (set_gid) { ++ if (setgroups (0, (void *)0)) ++ log_fatal ("setgroups: %m"); ++ if (setgid (set_gid)) ++ log_fatal ("setgid(%d): %m", (int) set_gid); ++ } + ++ if (set_uid) { ++ if (setuid (set_uid)) ++ log_fatal ("setuid(%d): %m", (int) set_uid); ++ } ++#endif /* PARANOIA */ ++ + /* Read previous pid file. 
*/ + if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) { + status = read (i, pbuf, (sizeof pbuf) - 1); +@@ -886,8 +1051,24 @@ + log_info (copyright); + log_info (arr); + +- log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s", ++ log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s%s%s%s", + "\n [-cf config-file] [-lf lease-file]", ++ ++#if defined (PARANOIA) ++ /* meld into the following string */ ++ "\n [-user user] [-group group]", ++ "\n [-chroot dir] [-early_chroot]", ++#else /* PARANOIA */ ++ "", "", ++#endif /* PARANOIA */ ++ ++#if defined (JAIL) ++ /* then also these ones */ ++ "\n [-jail name ip]", ++#else /* JAIL */ ++ "", ++#endif /* JAIL */ ++ + #if defined (TRACING) + "\n [-tf trace-output-file]", + "\n [-play trace-input-file]", diff --git a/net/isc-dhcp40-server/pkg-message b/net/isc-dhcp40-server/pkg-message index 02c3fad98765..749a5d69ea4a 100644 --- a/net/isc-dhcp40-server/pkg-message +++ b/net/isc-dhcp40-server/pkg-message @@ -9,7 +9,16 @@ dhcpd_conf="%%PREFIX%%/etc/dhcpd.conf" # configuration file dhcpd_ifaces="" # ethernet interface(s) -**** For instance, rc.conf like variables are still read from - %%PREFIX%%/etc/rc.isc-dhcpd.conf. They should be move into - /etc/rc.conf. Also, the dhcpd_options variable must be - renamed dhcpd_flags. +**** For instance, rc.conf like variables are still read from %%PREFIX%%\ + /etc/rc.isc-dhcpd.conf. They should be move into /etc/rc.conf. Also, + the dhcpd_options variable must be renamed dhcpd_flags. + +**** If compiled with paranoia support (the default), the following options + are also supported: + + [-user user] [-group group] [-chroot dir] [-early_chroot] + +**** If compiled with jail support (the default), the following options are + also supported: + + [-chroot dir] [-jail hostname ip_address] # implies -early_chroot |
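Review bot: In the privilege-drop block added by the `@@ -542,7 +692,22 @@` hunk, `if (set_gid)` and `if (set_uid)` test the resolved ids rather than whether -group/-user were requested, so a user or group that resolves to id 0 is silently skipped and the daemon keeps root while the operator believes it dropped; guarding with `if (set_user || set_group)` and `if (set_user)` (or at least logging when the resolved id is 0) makes the outcome explicit. The comment above that block, `/* change uid to the specified one */`, sits on the gid code and would be clearer as `/* drop privileges after daemonizing: supplementary groups, then gid, then uid */`, with a note that the pid file handling just below (and presumably the lease file, written outside these hunks) then runs as that user, so those paths must be writable by it. In the JAIL block of the `@@ -397,6 +485,57 @@` hunk, defaulting `set_chroot` to `"/"` when -jail is given without -chroot yields a jail whose root is the host filesystem, which deserves a comment such as `/* no -chroot: the jail confines hostname and IP only, not the filesystem */`. main() starts and ends outside these hunks.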