From bf45d386a18a7763fae716088e19c2c606f92a1c Mon Sep 17 00:00:00 2001 From: Oliver Eikemeier Date: Sat, 26 Jun 2004 14:32:41 +0000 Subject: new paranoia and jail options handled by rc variables to easy they use. PR: 68357 Submitted by: Cyrille Lefevre (maintainer) --- net/isc-dhcp3-server/Makefile | 13 + .../files/client::scripts::freebsd | 1 + net/isc-dhcp3-server/files/isc-dhcpd.sh.sample | 520 ++++++++++++++++++++- .../files/patch-client::dhclient.8 | 2 +- net/isc-dhcp3-server/pkg-install | 23 + net/isc-dhcp3-server/pkg-message | 39 +- net/isc-dhcp3-server/pkg-plist | 2 - 7 files changed, 575 insertions(+), 25 deletions(-) create mode 100644 net/isc-dhcp3-server/pkg-install (limited to 'net/isc-dhcp3-server') diff --git a/net/isc-dhcp3-server/Makefile b/net/isc-dhcp3-server/Makefile index d9644634a182..e31d9f68e0d5 100644 --- a/net/isc-dhcp3-server/Makefile +++ b/net/isc-dhcp3-server/Makefile @@ -8,6 +8,7 @@ PORTNAME= dhcp PORTVERSION= 3.0.1.r14 +PORTREVISION= 1 CATEGORIES= net MASTER_SITES= ${MASTER_SITE_ISC} MASTER_SITE_SUBDIR= dhcp dhcp/dhcp-3.0-history @@ -60,6 +61,8 @@ MAN5+= dhcp-eval.5 dhcp-options.5 MSG_FILE= ${.CURDIR}/pkg-message DESCR= ${.CURDIR}/pkg-descr +PKGINSTALL= ${.CURDIR}/pkg-install +PKGDEINSTALL= ${PKGINSTALL} PKGMESSAGE= ${WRKDIR}/pkg-message PLIST= ${.CURDIR}/pkg-plist @@ -125,6 +128,16 @@ DATADIR= /var/db REINPLACE_SUB= PREFIX=${PREFIX} RCSCRIPTS_SUB= PREFIX=${PREFIX} RC_SUBR=${RC_SUBR} +.if !defined(WITHOUT_DHCP_PARANOIA) +RCSCRIPTS_SUB+= PARANOIA=YES +.else +RCSCRIPTS_SUB+= PARANOIA=NO +.endif +.if !defined(WITHOUT_DHCP_JAIL) +RCSCRIPTS_SUB+= JAIL=YES +.else +RCSCRIPTS_SUB+= JAIL=NO +.endif PKGMESSAGE_SUB= PREFIX=${PREFIX} MAN1PREFIX=${MAN1PREFIX} # Post-extract diff --git a/net/isc-dhcp3-server/files/client::scripts::freebsd b/net/isc-dhcp3-server/files/client::scripts::freebsd index ceaeb950d2d5..9c4c3d3a6f24 100644 --- a/net/isc-dhcp3-server/files/client::scripts::freebsd +++ b/net/isc-dhcp3-server/files/client::scripts::freebsd @@ -35,6 +35,7 @@ ############################################################################# # $MindStep_Id: dhclient-script.sh,v 1.8 1999/12/07 22:11:08 patrick Exp $ # $MindStep_Tag: CONTRIB_19991207 $ +# from FreeBSD: src/sbin/dhclient/dhclient-script.sh,v 1.2 2002/02/01 18:46:58 alfred Exp # $FreeBSD$ ############################################################################# diff --git a/net/isc-dhcp3-server/files/isc-dhcpd.sh.sample b/net/isc-dhcp3-server/files/isc-dhcpd.sh.sample index 63bc57ba0f3d..876237f3d6c8 100644 --- a/net/isc-dhcp3-server/files/isc-dhcpd.sh.sample +++ b/net/isc-dhcp3-server/files/isc-dhcpd.sh.sample @@ -11,38 +11,536 @@ # dhcpd_enable="YES" # +. %%RC_SUBR%% + +name=dhcpd +paranoia=%%PARANOIA%% # compiled in paranoia? +jail=%%JAIL%% # compiled in jail? + # override these variables in /etc/rc.conf dhcpd_enable=NO -dhcpd_flags= # command option(s) -dhcpd_conf=%%PREFIX%%/etc/dhcpd.conf # configuration file +dhcpd_flags= # -q -early_chroot # command option(s) +dhcpd_conf=%%PREFIX%%/etc/${name}.conf # configuration file dhcpd_ifaces= # ethernet interface(s) +dhcpd_withumask=022 # file creation mask -dhcpd_precmd () +dhcpd_chuser_enable=YES # runs w/o privileges? +dhcpd_withuser=${name} # user name to run as +dhcpd_withgroup=${name} # group name to run as + +dhcpd_chroot_enable=NO # runs chrooted? +dhcpd_rootdir=/var/db/${name} # directory to run in + +# untested +dhcpd_jail_enable=NO # runs imprisoned? +dhcpd_hostname= # jail hostname +dhcpd_ipaddress= # jail ip address + +safe_run () # rc command [args...] +{ + local _rc + + _rc=$1 + shift + + if [ "${_rc}" -eq 0 ]; then + "$@" || _rc=1 + fi + return ${_rc} +} + +precious () # entry... +{ + local _entry _rc + + _rc=1 + for _entry; do + # do nothing if /var/run or /var/db + echo ${_entry} | egrep -q '^//*(var//*(run|db)/*)?$' && _rc=0 + done + return ${_rc} +} + +safe_chmog () # entry... +{ + local _entry _user _group _usergroup _rc + + _user=${dhcpd_withuser} + _group=${dhcpd_withgroup} + + _rc=0 + if [ -n "${_user}" -o -n "${_group}" ]; then + _usergroup=${_user}${_group:+:${_group}} + for _entry; do + if [ -e ${_entry} ] && + ! precious ${_entry} && + ! ls -ld ${_entry} 2> /dev/null | + awk -v u=${_user} -v g=${_group} '{ + exit ((u && $3 != u) || (g && $4 != g)) + }' && + ! safe_run ${_rc} chown ${_usergroup} ${_entry}; then + warn "unable to change permissions of ${_entry}" + _rc=1 + fi + done + fi + return ${_rc} +} + +safe_mkdir () # dir... +{ + local _dir _rc + + _rc=0 + for _dir; do + if [ ! -d ${_dir} ] && + ! precious ${_dir} && + ! safe_run ${_rc} mkdir -p ${_dir}; then + err 1 "unable to create directory ${_dir}" + _rc=1 + fi + done + safe_run ${_rc} safe_chmog "$@" || _rc=1 + return ${_rc} +} + +safe_rmdir () # dir... +{ + local _dir _rc + + _rc=0 + for _dir; do + if [ -d ${_dir} ] && + ! precious ${_dir}; then + if safe_run ${_rc} rmdir ${_dir}; then + safe_run ${_rc} safe_rmdir ${_dir%/*} || _rc=1 + else + warn "unable to remove directory ${_dir}" + rc=1 + fi + fi + done + return ${_rc} +} + +safe_touch () # file... +{ + local _file _rc + + _rc=0 + for _file; do + if [ ! -e ${_file} ] && + ! safe_run ${_rc} touch ${_file}; then + err 1 "unable to create file ${_file}" + _rc=1 + fi + done + safe_run ${_rc} safe_chmog "$@" || _rc=1 + return ${_rc} +} + +safe_remove () # file... +{ + local _file _rc + + _rc=0 + for _file; do + if [ -f ${_file} ] && + ! safe_run ${_rc} rm -f ${_file}; then + warn "unable to remove file ${_file}" + _rc=1 + fi + done + return ${_rc} +} + +safe_copy () # src dst +{ + local _src _dst _rc + + _src=$1 _dst=$2 + + _rc=0 + if ! safe_run ${_rc} safe_remove ${_dst} || + ! safe_run ${_rc} cp -p ${_src} ${_dst}; then + err 1 "unable to copy file ${_src} to ${_dst}" + _rc=1 + fi + safe_run ${_rc} safe_chmog ${_dst} || _rc=1 + return ${_rc} +} + +mounted () # dir... +{ + local _rc + + _rc=1 + mount -t devfs | awk ' + BEGIN { n = ARGC; ARGC = 2 } + { for (i = 2; i != n; i++) if ($3 == ARGV[i]) exit 1 } + ' - "$@" || _rc=0 + return ${_rc} +} + +safe_mount () # dir +{ + local _dir _rc + + _dir=$1 + + _rc=0 + if ! mounted ${_dir} && + ! safe_run ${_rc} mount -t devfs devfs ${_dir}; then + err 1 "unable to mount ${_dir}" + _rc=1 + fi + return ${_rc} +} + +safe_umount () # dir +{ + local _dir _rc + + _dir=$1 + + _rc=0 + if mounted ${_dir} && + ! safe_run ${_rc} umount ${_dir}; then + warn "unable to unmount ${_dir}" + _rc=1 + fi + return ${_rc} +} + +safe_useradd () { - dhcpd_rcconf=%%PREFIX%%/etc/rc.isc-dhcpd.conf + local _user _group _home _shell _gecos + + _user=$1 _group=$2 _gecos=${3:-"& daemon"} + _home=${4:-/nonexistent} _shell=${5:-/sbin/nologin} + + if [ -n "${_group}" ]; then + if pw group show ${_group} 2>/dev/null; then + echo "You already have a group \"${_group}\"," \ + "so I will use it." + elif pw groupadd ${_group} -h -; then + echo "Added group \"${_group}\"." + else + echo "Adding group \"${_group}\" failed..." + echo "Please create it, and try again." + exit 1 + fi + fi + if [ -n "${_user}" ]; then + if pw user show ${_user} 2>/dev/null; then + echo "You already have a user \"${_user}\"," \ + "so I will use it." + elif pw useradd ${_user} -g ${_group} -h - \ + -d ${_home} -s ${_shell} -c "${_gecos}"; then + echo "Added user \"${_user}\"." + else + echo "Adding user \"${_user}\" failed..." + echo "Please create it, and try again." + exit 1 + fi + fi +} + +check_chuser () +{ + if checkyesno paranoia; then + if checkyesno dhcpd_chuser_enable && + [ -z ${dhcpd_withuser} -a -z ${dhcpd_withgroup} ]; then + err 1 "one of dhcpd_withuser and dhcpd_withgroup" \ + "must be set if dhcpd_chuser_enable is enabled" + fi + else + if checkyesno dhcpd_chuser_enable; then + warn "dhcpd_chuser_enable disabled -- not compiled in" + dhcpd_chuser_enable=NO + fi + fi +} + +check_jail () +{ + if checkyesno paranoia && checkyesno jail; then + if checkyesno dhcpd_jail_enable && + ! checkyesno dhcpd_chroot_enable; then + warn "dhcpd_chroot_enable implied by dhcpd_jail_enable" + dhcpd_chroot_enable=YES + fi + if checkyesno dhcpd_jail_enable && + [ -n "${dhcpd_hostname}" -a -z "${dhcpd_ipaddress}" ] || + [ -z "${dhcpd_hostname}" -a -n "${dhcpd_ipaddress}" ]; then + err 1 "both dhcpd_hostname and dhcpd_ipaddress" \ + "must be set if dhcpd_jail_enable is enabled" + fi + else + if checkyesno dhcpd_jail_enable; then + warn "dhcpd_jail_enable disabled -- not compiled in" + dhcpd_jail_enable=NO + fi + fi +} + +check_chroot () +{ + if checkyesno paranoia; then + if checkyesno dhcpd_chroot_enable && + [ -z "${dhcpd_rootdir}" ]; then + err 1 "dhcpd_rootdir" \ + "must be set if dhcpd_chroot_enable is enabled" + fi + else + if checkyesno dhcpd_chroot_enable; then + warn "dhcpd_chroot_enable disabled -- not compiled in" + dhcpd_chroot_enable=NO + fi + fi +} + +rcvar_chuser () +{ + if checkyesno paranoia && checkyesno dhcpd_chuser_enable; then + dhcpd_piddir=${_dhcpd_piddir}/${name} + dhcpd_leasesdir=${_dhcpd_leasesdir}/${name} + else + dhcpd_withuser= dhcpd_withgroup= + fi +} + +rcvar_jail () +{ + if ! checkyesno paranoia || ! checkyesno jail || + ! checkyesno dhcpd_jail_enable; then + dhcpd_hostname= dhcpd_ipaddress= + fi +} + +rcvar_chroot () +{ + if ! checkyesno paranoia || ! checkyesno dhcpd_chroot_enable; then + dhcpd_rootdir= + fi +} + +rcvar_pidnleases () +{ + if ! checkyesno dhcpd_chuser_enable; then + dhcpd_piddir=${_dhcpd_piddir} + dhcpd_leasesdir=${_dhcpd_leasesdir} + fi + dhcpd_pidfile=${dhcpd_piddir}/${name}.pid + dhcpd_leasesfile=${dhcpd_leasesdir}/${name}.leases + dhcpd_conffile=${dhcpd_conf} # for convenience only + dhcpd_confdir=$(dirname ${dhcpd_conffile}) +} + +rcvar_rooted () +{ + _dhcpd_rootdir=${dhcpd_rootdir} + _dhcpd_devdir=${dhcpd_rootdir}/dev + _dhcpd_confdir=${dhcpd_rootdir}${dhcpd_confdir} + _dhcpd_piddir=${dhcpd_rootdir}${dhcpd_piddir} + _dhcpd_leasesdir=${dhcpd_rootdir}${dhcpd_leasesdir} + _dhcpd_conffile=${dhcpd_rootdir}${dhcpd_conffile} + _dhcpd_pidfile=${dhcpd_rootdir}${dhcpd_pidfile} + _dhcpd_leasesfile=${dhcpd_rootdir}${dhcpd_leasesfile} +} + +setup_compat () +{ + local dhcpd_rcconf + + # suck in old configuration file and variables + # + dhcpd_rcconf=${dhcpd_confdir}/rc.isc-dhcpd.conf if [ -f ${dhcpd_rcconf} ]; then - warn "${dhcpd_rcconf} is obsolete, use /etc/rc.conf instead." + warn "${dhcpd_rcconf} is obsolete, use /etc/rc.conf and/or" \ + "/etc/rc.conf.d/${name} instead." . ${dhcpd_rcconf} if [ -n "${dhcpd_options}" -a -z "${rc_flags}" ]; then - warn "dhcpd_options is obsolete, use dhcpd_flags instead." + warn "dhcpd_options is obsolete," \ + "use dhcpd_flags instead." rc_flags=${dhcpd_options} fi fi +} - rc_flags="${rc_flags} -cf ${dhcpd_conf} ${dhcpd_ifaces}" +setup_umask () +{ + if [ -n "${dhcpd_umask}" ]; then + umask ${dhcpd_umask} + fi } -. %%RC_SUBR%% +setup_chroot () +{ + if checkyesno paranoia && checkyesno dhcpd_chroot_enable; then + safe_mkdir ${_dhcpd_rootdir} ${_dhcpd_devdir} ${_dhcpd_confdir} + safe_mount ${_dhcpd_devdir} + safe_copy ${dhcpd_conffile} ${_dhcpd_conffile} + fi +} + +setup_chuser () +{ + if checkyesno paranoia && { + checkyesno dhcpd_chuser_enable || checkyesno dhcpd_chroot_enable + }; then + safe_mkdir ${_dhcpd_piddir} ${_dhcpd_leasesdir} + fi +} + +setup_leases () +{ + safe_touch ${_dhcpd_leasesfile} +} + +setup_flags () +{ + if [ -n "${dhcpd_conf}" ]; then + rc_flags="${rc_flags} -cf ${dhcpd_conf}" + fi + if [ -n "${dhcpd_leasesfile}" ]; then + rc_flags="${rc_flags} -lf ${dhcpd_leasesfile}" + fi + if [ -n "${dhcpd_pidfile}" ]; then + rc_flags="${rc_flags} -pf ${dhcpd_pidfile}" + fi + if [ -n "${dhcpd_withuser}" ]; then + rc_flags="${rc_flags} -user ${dhcpd_withuser}" + fi + if [ -n "${dhcpd_withgroup}" ]; then + rc_flags="${rc_flags} -group ${dhcpd_withgroup}" + fi + if [ -n "${dhcpd_rootdir}" ]; then + rc_flags="${rc_flags} -chroot ${dhcpd_rootdir}" + fi + if [ -n "${dhcpd_hostname}" -a -n "${dhcpd_ipaddress}" ]; then + rc_flags="${rc_flags} -jail ${dhcpd_hostname} ${dhcpd_ipaddress}" + fi + rc_flags="${rc_flags} ${dhcpd_ifaces}" +} + +cleanup_chroot () +{ + if checkyesno paranoia && checkyesno dhcpd_chroot_enable; then + safe_umount ${_dhcpd_devdir} + fi +} + +dhcpd_stop () +{ + if $0 status; then + $0 stop + fi +} + +remove_pid () +{ + if [ -e ${_dhcpd_pidfile} ]; then + warn "${_dhcpd_pidfile} still exists! -- removing anyway" + fi + safe_remove ${_dhcpd_pidfile} +} + +remove_leases () +{ + if [ -s ${_dhcpd_leasesfile} ]; then + warn "${_dhcpd_leasesfile} not empty -- not removed --" \ + "futher warning messages expected, don't care." + else + safe_remove ${_dhcpd_leasesfile} ${_dhcpd_leasesfile}~ + fi +} + +remove_chuser () +{ + if checkyesno paranoia && { + checkyesno dhcpd_chuser_enable || checkyesno dhcpd_chroot_enable + }; then + safe_rmdir ${_dhcpd_piddir} ${_dhcpd_leasesdir} + fi +} + +remove_chroot () +{ + if checkyesno paranoia && checkyesno dhcpd_chroot_enable; then + safe_remove ${_dhcpd_conffile} + safe_umount ${_dhcpd_devdir} + safe_rmdir ${_dhcpd_confdir} ${_dhcpd_devdir} ${_dhcpd_rootdir} + fi +} + +dhcpd_check () +{ + check_chuser + check_jail + check_chroot +} + +dhcpd_rcvar () +{ + rcvar_chuser + rcvar_jail + rcvar_chroot + rcvar_pidnleases + rcvar_rooted +} + +dhcpd_precmd () +{ + setup_compat + setup_umask + setup_chroot + setup_chuser + setup_leases + setup_flags +} + +dhcpd_postcmd () +{ + cleanup_chroot +} + +dhcpd_install () +{ + if checkyesno paranoia; then + safe_useradd "${dhcpd_withuser}" "${dhcpd_withgroup}" \ + "DHCP Daemon" + fi +} + +dhcpd_uninstall () +{ + dhcpd_stop + remove_pid + remove_leases + remove_chuser + remove_chroot +} -name=dhcpd rcvar=$(set_rcvar) +load_rc_config ${name} + +_dhcpd_piddir=/var/run # pid file directory +_dhcpd_leasesdir=/var/db # leases file directory +#_dhcpd_rootdir=/var/db/${name} # root directory + +dhcpd_check +dhcpd_rcvar command=%%PREFIX%%/sbin/${name} -pidfile=/var/run/${name}.pid +pidfile=${_dhcpd_pidfile} required_files=${dhcpd_conf} start_precmd=${name}_precmd +stop_postcmd=${name}_postcmd +install_cmd=dhcpd_install +uninstall_cmd=dhcpd_uninstall +extra_commands="install uninstall" -load_rc_config ${name} run_rc_command "$1" diff --git a/net/isc-dhcp3-server/files/patch-client::dhclient.8 b/net/isc-dhcp3-server/files/patch-client::dhclient.8 index a602907c31b6..4e6096f5aa86 100644 --- a/net/isc-dhcp3-server/files/patch-client::dhclient.8 +++ b/net/isc-dhcp3-server/files/patch-client::dhclient.8 @@ -2,7 +2,7 @@ +++ client/dhclient.8 Wed Mar 3 02:06:52 2004 @@ -18,6 +18,10 @@ .\" - .\" $Id: dhclient.8,v 1.12.2.7 2002/11/17 02:25:43 dhankins Exp $ + .\" from Id: dhclient.8,v 1.12.2.8 2004/06/10 17:59:12 dhankins Exp .\" +.\" Portions copyright (c) 2000 David E. O'Brien. +.\" All rights reserved. diff --git a/net/isc-dhcp3-server/pkg-install b/net/isc-dhcp3-server/pkg-install new file mode 100644 index 000000000000..8bafd2bed768 --- /dev/null +++ b/net/isc-dhcp3-server/pkg-install @@ -0,0 +1,23 @@ +#!/bin/sh +# +# $FreeBSD$ +# + +[ $# != 2 ] && exit 1 +[ -z "${PKG_PREFIX}" ] && exit 1 +[ -n "${BATCH}" ] && exit 0 + +case $2 in +POST-INSTALL) + ${PKG_PREFIX}/etc/rc.d/isc-dhcpd.sh forceinstall + ;; +DEINSTALL) + ${PKG_PREFIX}/etc/rc.d/isc-dhcpd.sh forceuninstall + ;; +POST-DEINSTALL|PRE-INSTALL) + ;; +*) + echo "usage: $0 {PRE-INSTALL|POST-INSTALL|DEINSTALL|POST-DEINSTALL}" >&2 + exit 1 + ;; +esac diff --git a/net/isc-dhcp3-server/pkg-message b/net/isc-dhcp3-server/pkg-message index 749a5d69ea4a..ec8c0bc5306c 100644 --- a/net/isc-dhcp3-server/pkg-message +++ b/net/isc-dhcp3-server/pkg-message @@ -4,21 +4,38 @@ **** This port installs dhcp daemon, but don't invokes dhcpd by default. If you want to invoke dhcpd at startup, put these lines into /etc/rc.conf. - dhcpd_enable="YES" - dhcpd_flags="" # command option(s) + dhcpd_enable="YES" # dhcpd enabled? + dhcpd_flags="-q" # command option(s) dhcpd_conf="%%PREFIX%%/etc/dhcpd.conf" # configuration file dhcpd_ifaces="" # ethernet interface(s) + dhcpd_umask="022" # file creation mask -**** For instance, rc.conf like variables are still read from %%PREFIX%%\ - /etc/rc.isc-dhcpd.conf. They should be move into /etc/rc.conf. Also, - the dhcpd_options variable must be renamed dhcpd_flags. - -**** If compiled with paranoia support (the default), the following options +**** If compiled with paranoia support (the default), the following lines are also supported: - [-user user] [-group group] [-chroot dir] [-early_chroot] + dhcpd_chuser_enable="YES" # runs w/o privileges? + dhcpd_withuser="dhcpd" # user name to run as + dhcpd_withgroup="dhcpd" # group name to run as + dhcpd_chroot_enable="YES" # runs chrooted? + dhcpd_rootdir="/var/db/dhcpd" # directory to run in + dhcpd_flags="-early_chroot" # needs full root + + WARNING: -early_chroot requires a jail(8) like environment to works. + +**** If compiled with jail support (the default), the following lines are + also supported (-early_chroot and dhcpd_chroot_enable=YES are implied): + + dhcpd_jail_enable="YES" # runs imprisoned? + dhcpd_hostname="" # jail hostname + dhcpd_ipaddress="" # jail ip address + + WARNING: dhcpd_rootdir needs to point to a full jail(8) environment. -**** If compiled with jail support (the default), the following options are - also supported: +**** WARNING: never edit the chrooted or jailed dhcpd.conf file but + %%PREFIX%%/etc/dhcpd.conf instead which is always copied where + needed upon startup. - [-chroot dir] [-jail hostname ip_address] # implies -early_chroot +**** WARNING: %%PREFIX%%/etc/rc.isc-dhcpd.conf is obsolete. rc.conf like + variables are still read there but should be moved /etc/rc.conf or + /etc/rc.conf.d/dhcpd instead. Also, the dhcpd_options variable must + be renamed dhcpd_flags if any. diff --git a/net/isc-dhcp3-server/pkg-plist b/net/isc-dhcp3-server/pkg-plist index 78107bb2a1a7..c8b584241dbf 100644 --- a/net/isc-dhcp3-server/pkg-plist +++ b/net/isc-dhcp3-server/pkg-plist @@ -3,5 +3,3 @@ bin/omshell etc/dhcpd.conf.sample etc/rc.d/isc-dhcpd.sh sbin/dhcpd -@exec [ -f /var/db/dhcpd.leases ] || touch /var/db/dhcpd.leases -@unexec [ -s /var/db/dhcpd.leases ] || rm -f /var/db/dhcpd.leases -- cgit v1.2.3