Do not run as root and restrict file access (rhbz#2302204)
This commit is contained in:
parent
b9a900d642
commit
a132f48c7f
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,5 +1,4 @@
|
|||||||
/.*.swp
|
/.*.swp
|
||||||
/*.src.rpm
|
|
||||||
/kea-*.tar.gz
|
/kea-*.tar.gz
|
||||||
/kea-*.tar.gz.asc
|
/kea-*.tar.gz.asc
|
||||||
/keama-*.tar.gz
|
/keama-*.tar.gz
|
||||||
|
@ -6,8 +6,11 @@ After=network-online.target
|
|||||||
After=time-sync.target
|
After=time-sync.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
User=kea
|
||||||
ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
|
ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
|
||||||
Environment=KEA_PIDFILE_DIR=/var/run/kea
|
Environment=KEA_PIDFILE_DIR=/var/run/kea
|
||||||
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
|
Restart=on-failure
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
@ -6,8 +6,11 @@ After=network-online.target
|
|||||||
After=time-sync.target
|
After=time-sync.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
User=kea
|
||||||
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||||
ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
|
ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
|
||||||
Environment=KEA_PIDFILE_DIR=/var/run/kea
|
Environment=KEA_PIDFILE_DIR=/var/run/kea
|
||||||
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
@ -6,8 +6,11 @@ After=network-online.target
|
|||||||
After=time-sync.target
|
After=time-sync.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
User=kea
|
||||||
|
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
|
||||||
ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
|
ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
|
||||||
Environment=KEA_PIDFILE_DIR=/var/run/kea
|
Environment=KEA_PIDFILE_DIR=/var/run/kea
|
||||||
|
ExecReload=kill -HUP $MAINPID
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
@ -6,8 +6,11 @@ After=network-online.target
|
|||||||
After=time-sync.target
|
After=time-sync.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
User=kea
|
||||||
|
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||||
ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
|
ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
|
||||||
Environment=KEA_PIDFILE_DIR=/var/run/kea
|
Environment=KEA_PIDFILE_DIR=/var/run/kea
|
||||||
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
@ -1,5 +0,0 @@
|
|||||||
# kea needs existing /run/kea/ to create logger_lockfile there
|
|
||||||
# See tmpfiles.d(5) for details
|
|
||||||
|
|
||||||
d /run/kea 0755 root root -
|
|
||||||
|
|
22
kea.spec
22
kea.spec
@ -31,7 +31,8 @@ Source11: kea-dhcp4.service
|
|||||||
Source12: kea-dhcp6.service
|
Source12: kea-dhcp6.service
|
||||||
Source13: kea-dhcp-ddns.service
|
Source13: kea-dhcp-ddns.service
|
||||||
Source14: kea-ctrl-agent.service
|
Source14: kea-ctrl-agent.service
|
||||||
Source15: kea-tmpfiles.d.conf
|
Source15: systemd-tmpfiles.conf
|
||||||
|
Source16: systemd-sysusers.conf
|
||||||
|
|
||||||
Patch1: kea-openssl-version.patch
|
Patch1: kea-openssl-version.patch
|
||||||
Patch2: kea-gtest.patch
|
Patch2: kea-gtest.patch
|
||||||
@ -84,6 +85,7 @@ BuildRequires: python3-devel
|
|||||||
# in case you ever wanted to use %%configure --enable-generate-docs
|
# in case you ever wanted to use %%configure --enable-generate-docs
|
||||||
#BuildRequires: elinks asciidoc plantuml
|
#BuildRequires: elinks asciidoc plantuml
|
||||||
BuildRequires: systemd
|
BuildRequires: systemd
|
||||||
|
BuildRequires: systemd-rpm-macros
|
||||||
BuildRequires: python3-sphinx
|
BuildRequires: python3-sphinx
|
||||||
BuildRequires: python3-sphinx_rtd_theme
|
BuildRequires: python3-sphinx_rtd_theme
|
||||||
BuildRequires: make
|
BuildRequires: make
|
||||||
@ -92,9 +94,8 @@ BuildRequires: gnupg2
|
|||||||
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
Requires: %{name}-libs%{?_isa} = %{version}-%{release}
|
||||||
%upstream_name_compat %{upstream_name}
|
%upstream_name_compat %{upstream_name}
|
||||||
Requires: util-linux
|
Requires: util-linux
|
||||||
Requires(post): systemd
|
%{?systemd_requires}
|
||||||
Requires(preun): systemd
|
%{?sysusers_requires_compat}
|
||||||
Requires(postun): systemd
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
DHCP implementation from Internet Systems Consortium, Inc. that features fully
|
DHCP implementation from Internet Systems Consortium, Inc. that features fully
|
||||||
@ -239,6 +240,9 @@ install -Dpm 0644 %{S:12} %{buildroot}%{_unitdir}/kea-dhcp6.service
|
|||||||
install -Dpm 0644 %{S:13} %{buildroot}%{_unitdir}/kea-dhcp-ddns.service
|
install -Dpm 0644 %{S:13} %{buildroot}%{_unitdir}/kea-dhcp-ddns.service
|
||||||
install -Dpm 0644 %{S:14} %{buildroot}%{_unitdir}/kea-ctrl-agent.service
|
install -Dpm 0644 %{S:14} %{buildroot}%{_unitdir}/kea-ctrl-agent.service
|
||||||
|
|
||||||
|
# systemd-sysusers
|
||||||
|
install -p -D -m 0644 %{S:16} %{buildroot}%{_sysusersdir}/kea.conf
|
||||||
|
|
||||||
# Start empty lease databases
|
# Start empty lease databases
|
||||||
mkdir -p %{buildroot}%{_sharedstatedir}/kea/
|
mkdir -p %{buildroot}%{_sharedstatedir}/kea/
|
||||||
touch %{buildroot}%{_sharedstatedir}/kea/kea-leases4.csv
|
touch %{buildroot}%{_sharedstatedir}/kea/kea-leases4.csv
|
||||||
@ -253,6 +257,9 @@ install -dm 0755 %{buildroot}/run/kea/
|
|||||||
install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
|
install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
|
||||||
|
|
||||||
|
|
||||||
|
%pre
|
||||||
|
%sysusers_create_compat %{S:16}
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%systemd_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
|
%systemd_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
|
||||||
|
|
||||||
@ -279,10 +286,10 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
|
|||||||
%{_sbindir}/perfdhcp
|
%{_sbindir}/perfdhcp
|
||||||
%{_unitdir}/kea*.service
|
%{_unitdir}/kea*.service
|
||||||
%dir %{_sysconfdir}/kea/
|
%dir %{_sysconfdir}/kea/
|
||||||
%config(noreplace) %{_sysconfdir}/kea/kea*.conf
|
%config(noreplace) %attr(640,root,kea) %{_sysconfdir}/kea/kea*.conf
|
||||||
%{_datarootdir}/kea
|
%{_datarootdir}/kea
|
||||||
%dir %{_sharedstatedir}/kea
|
%dir %attr(750,kea,kea) %{_sharedstatedir}/kea
|
||||||
%config(noreplace) %{_sharedstatedir}/kea/kea-leases*.csv
|
%config(noreplace) %attr(640,kea,kea) %{_sharedstatedir}/kea/kea-leases*.csv
|
||||||
%{python3_sitelib}/kea
|
%{python3_sitelib}/kea
|
||||||
%{_mandir}/man8/kea-admin.8*
|
%{_mandir}/man8/kea-admin.8*
|
||||||
%{_mandir}/man8/kea-ctrl-agent.8*
|
%{_mandir}/man8/kea-ctrl-agent.8*
|
||||||
@ -298,6 +305,7 @@ install -Dpm 0644 %{S:15} %{buildroot}%{_tmpfilesdir}/kea.conf
|
|||||||
%{_mandir}/man8/perfdhcp.8*
|
%{_mandir}/man8/perfdhcp.8*
|
||||||
%dir /run/kea/
|
%dir /run/kea/
|
||||||
%{_tmpfilesdir}/kea.conf
|
%{_tmpfilesdir}/kea.conf
|
||||||
|
%{_sysusersdir}/kea.conf
|
||||||
|
|
||||||
%files doc
|
%files doc
|
||||||
%dir %{_pkgdocdir}
|
%dir %{_pkgdocdir}
|
||||||
|
2
systemd-sysusers.conf
Normal file
2
systemd-sysusers.conf
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
g kea -
|
||||||
|
u kea -:kea "Kea DHCP Server" /var/lib/kea
|
4
systemd-tmpfiles.conf
Normal file
4
systemd-tmpfiles.conf
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
# kea needs existing /run/kea/ to create logger_lockfile and pidfile there
|
||||||
|
# See tmpfiles.d(5) for details
|
||||||
|
|
||||||
|
d /run/kea 0755 kea kea -
|
Loading…
Reference in New Issue
Block a user