rpms/kea
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Do not run as root and restrict file access (rhbz#2302204)

Browse Source
This commit is contained in:
Martin Osvald 2024-08-01 12:40:13 +02:00
parent b9a900d642
commit a132f48c7f
9 changed files with 33 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,5 +1,4 @@
/.*.swp /.*.swp
/*.src.rpm
/kea-*.tar.gz /kea-*.tar.gz
/kea-*.tar.gz.asc /kea-*.tar.gz.asc
/keama-*.tar.gz /keama-*.tar.gz

3
kea-ctrl-agent.service
View File

@ -6,8 +6,11 @@ After=network-online.target
After=time-sync.target After=time-sync.target
[Service] [Service]
User=kea
ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
Environment=KEA_PIDFILE_DIR=/var/run/kea Environment=KEA_PIDFILE_DIR=/var/run/kea
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

3
kea-dhcp-ddns.service
View File

@ -6,8 +6,11 @@ After=network-online.target
After=time-sync.target After=time-sync.target
[Service] [Service]
User=kea
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
Environment=KEA_PIDFILE_DIR=/var/run/kea Environment=KEA_PIDFILE_DIR=/var/run/kea
ExecReload=/bin/kill -HUP $MAINPID
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

3
kea-dhcp4.service
View File

@ -6,8 +6,11 @@ After=network-online.target
After=time-sync.target After=time-sync.target
[Service] [Service]
User=kea
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
Environment=KEA_PIDFILE_DIR=/var/run/kea Environment=KEA_PIDFILE_DIR=/var/run/kea
ExecReload=kill -HUP $MAINPID
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

3
kea-dhcp6.service
View File

@ -6,8 +6,11 @@ After=network-online.target
After=time-sync.target After=time-sync.target
[Service] [Service]
User=kea
AmbientCapabilities=CAP_NET_BIND_SERVICE
ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
Environment=KEA_PIDFILE_DIR=/var/run/kea Environment=KEA_PIDFILE_DIR=/var/run/kea
ExecReload=/bin/kill -HUP $MAINPID
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

5
kea-tmpfiles.d.conf
View File

@ -1,5 +0,0 @@
# kea needs existing /run/kea/ to create logger_lockfile there
# See tmpfiles.d(5) for details
d /run/kea 0755 root root -

22
kea.spec
View File

@ -31,7 +31,8 @@ Source11: kea-dhcp4.service
Source12: kea-dhcp6.service Source12: kea-dhcp6.service
Source13: kea-dhcp-ddns.service Source13: kea-dhcp-ddns.service
Source14: kea-ctrl-agent.service Source14: kea-ctrl-agent.service
Source15: kea-tmpfiles.d.conf Source15: systemd-tmpfiles.conf
Source16: systemd-sysusers.conf
Patch1: kea-openssl-version.patch Patch1: kea-openssl-version.patch
Patch2: kea-gtest.patch Patch2: kea-gtest.patch
@ -84,6 +85,7 @@ BuildRequires: python3-devel
# in case you ever wanted to use %%configure --enable-generate-docs # in case you ever wanted to use %%configure --enable-generate-docs
#BuildRequires: elinks asciidoc plantuml #BuildRequires: elinks asciidoc plantuml
BuildRequires: systemd BuildRequires: systemd
BuildRequires: systemd-rpm-macros
BuildRequires: python3-sphinx BuildRequires: python3-sphinx
BuildRequires: python3-sphinx_rtd_theme BuildRequires: python3-sphinx_rtd_theme
BuildRequires: make BuildRequires: make
@ -92,9 +94,8 @@ BuildRequires: gnupg2
Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%upstream_name_compat %{upstream_name} %upstream_name_compat %{upstream_name}
Requires: util-linux Requires: util-linux
Requires(post): systemd %{?systemd_requires}
Requires(preun): systemd %{?sysusers_requires_compat}
Requires(postun): systemd
%description %description
DHCP implementation from Internet Systems Consortium, Inc. that features fully DHCP implementation from Internet Systems Consortium, Inc. that features fully
@ -239,6 +240,9 @@ install -Dpm 0644 %{S:12} %{buildroot}%{_unitdir}/kea-dhcp6.service
install -Dpm 0644 %{S:13} %{buildroot}%{_unitdir}/kea-dhcp-ddns.service install -Dpm 0644 %{S:13} %{buildroot}%{_unitdir}/kea-dhcp-ddns.service
install -Dpm 0644 %{S:14} %{buildroot}%{_unitdir}/kea-ctrl-agent.service install -Dpm 0644 %{S:14} %{buildroot}%{_unitdir}/kea-ctrl-agent.service
# systemd-sysusers
install -p -D -m 0644 %{S:16} %{buildroot}%{_sysusersdir}/kea.conf
# Start empty lease databases # Start empty lease databases
mkdir -p %{buildroot}%{_sharedstatedir}/kea/ mkdir -p %{buildroot}%{_sharedstatedir}/kea/
touch %{buildroot}%{_sharedstatedir}/kea/kea-leases4.csv touch %{buildroot}%{_sharedstatedir}/kea/kea-leases4.csv
@ -253,6 +257,9 @@ install -dm 0755 %{buildroot}/run/kea/
install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
%pre
%sysusers_create_compat %{S:16}
%post %post
%systemd_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service %systemd_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
@ -279,10 +286,10 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
%{_sbindir}/perfdhcp %{_sbindir}/perfdhcp
%{_unitdir}/kea*.service %{_unitdir}/kea*.service
%dir %{_sysconfdir}/kea/ %dir %{_sysconfdir}/kea/
%config(noreplace) %{_sysconfdir}/kea/kea*.conf %config(noreplace) %attr(640,root,kea) %{_sysconfdir}/kea/kea*.conf
%{_datarootdir}/kea %{_datarootdir}/kea
%dir %{_sharedstatedir}/kea %dir %attr(750,kea,kea) %{_sharedstatedir}/kea
%config(noreplace) %{_sharedstatedir}/kea/kea-leases*.csv %config(noreplace) %attr(640,kea,kea) %{_sharedstatedir}/kea/kea-leases*.csv
%{python3_sitelib}/kea %{python3_sitelib}/kea
%{_mandir}/man8/kea-admin.8* %{_mandir}/man8/kea-admin.8*
%{_mandir}/man8/kea-ctrl-agent.8* %{_mandir}/man8/kea-ctrl-agent.8*
@ -298,6 +305,7 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
%{_mandir}/man8/perfdhcp.8* %{_mandir}/man8/perfdhcp.8*
%dir /run/kea/ %dir /run/kea/
%{_tmpfilesdir}/kea.conf %{_tmpfilesdir}/kea.conf
%{_sysusersdir}/kea.conf
%files doc %files doc
%dir %{_pkgdocdir} %dir %{_pkgdocdir}

2
systemd-sysusers.conf Normal file
View File

@ -0,0 +1,2 @@
g kea -
u kea -:kea "Kea DHCP Server" /var/lib/kea

4
systemd-tmpfiles.conf Normal file
View File

@ -0,0 +1,4 @@
# kea needs existing /run/kea/ to create logger_lockfile and pidfile there
# See tmpfiles.d(5) for details
d /run/kea 0755 kea kea -