1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
|
paranoia (non-root/chroot) patch for ISC dhcp 3.0
file to patch: dhcp-3.0/server/dhcpd.c
update from paranoia patch for ISC dhcp 2.0
Adds 3 options:
-user <user>
-group <group>
-chroot <chroot_dir>
Notes:
-DPARANOIA must be passed as an argument to the --copts option
of configure. Otherwise, the paranoia code will not be compiled
in. Example: ./configure --copts -DPARANOIA
The chroot() call has been delayed in order to allow /dev/log to
be reopened after the configuration file has been read. This is
beneficial for systems on which /dev/log is a unix domain socket.
The main side effect is that dhcpd.conf should be placed in /etc,
instead of <chroot_dir>/etc.
If dhcpd is to be run on a sysV-style architecture (or, more
generally, if /dev/log is a character device), one may opt to
create the <chroot_dir>/dev/log character device and add
-DEARLY_CHROOT to the --copts option of configure (in addition to
-DPARANOIA). This will perform the chroot() call at the earliest
convenience (before reading the configuration file).
If the -user option is used, the lease and pid file directories
should be writable to the server process after it drops
privileges.
ari edelkind (12/10/2001)
last modified 12/10/2001
--- dhcp-3.0/server/dhcpd.c Thu Jun 21 22:12:58 2001
+++ dhcp-3.0+paranoia/server/dhcpd.c Wed Oct 17 08:23:00 2001
@@ -56,6 +56,16 @@
#include "version.h"
#include <omapip/omapip_p.h>
+#if defined (PARANOIA)
+# include <sys/types.h>
+# include <unistd.h>
+# include <pwd.h>
+/* get around the ISC declaration of group */
+# define group real_group
+# include <grp.h>
+# undef group
+#endif /* PARANOIA */
+
static void usage PROTO ((void));
TIME cur_time;
@@ -204,6 +214,22 @@
omapi_object_dereference (&listener, MDL);
}
+#if defined (PARANOIA)
+/* to be used in one of two possible scenarios */
+static void setup_chroot (char *chroot_dir) {
+ if (geteuid())
+ log_fatal ("you must be root to use chroot");
+
+ if (chroot(chroot_dir)) {
+ log_fatal ("chroot(\"%s\"): %m", chroot_dir);
+ }
+ if (chdir ("/")) {
+ /* probably permission denied */
+ log_fatal ("chdir(\"/\"): %m");
+ }
+}
+#endif /* PARANOIA */
+
int main (argc, argv, envp)
int argc;
char **argv, **envp;
@@ -236,6 +262,14 @@
char *traceinfile = (char *)0;
char *traceoutfile = (char *)0;
#endif
+#if defined (PARANOIA)
+ char *set_user = 0;
+ char *set_group = 0;
+ char *set_chroot = 0;
+
+ uid_t set_uid = 0;
+ gid_t set_gid = 0;
+#endif /* PARANOIA */
/* Make sure we have stdin, stdout and stderr. */
status = open ("/dev/null", O_RDWR);
@@ -298,6 +332,20 @@
if (++i == argc)
usage ();
server = argv [i];
+#if defined (PARANOIA)
+ } else if (!strcmp (argv [i], "-user")) {
+ if (++i == argc)
+ usage ();
+ set_user = argv [i];
+ } else if (!strcmp (argv [i], "-group")) {
+ if (++i == argc)
+ usage ();
+ set_group = argv [i];
+ } else if (!strcmp (argv [i], "-chroot")) {
+ if (++i == argc)
+ usage ();
+ set_chroot = argv [i];
+#endif /* PARANOIA */
} else if (!strcmp (argv [i], "-cf")) {
if (++i == argc)
usage ();
@@ -397,6 +445,44 @@
trace_seed_stop, MDL);
#endif
+#if defined (PARANOIA)
+ /* get user and group info if those options were given */
+ if (set_user) {
+ struct passwd *tmp_pwd;
+
+ if (geteuid())
+ log_fatal ("you must be root to set user");
+
+ if (!(tmp_pwd = getpwnam(set_user)))
+ log_fatal ("no such user: %s", set_user);
+
+ set_uid = tmp_pwd->pw_uid;
+
+ /* use the user's group as the default gid */
+ if (!set_group)
+ set_gid = tmp_pwd->pw_gid;
+ }
+
+ if (set_group) {
+/* get around the ISC declaration of group */
+#define group real_group
+ struct group *tmp_grp;
+
+ if (geteuid())
+ log_fatal ("you must be root to set group");
+
+ if (!(tmp_grp = getgrnam(set_group)))
+ log_fatal ("no such group: %s", set_group);
+
+ set_gid = tmp_grp->gr_gid;
+#undef group
+ }
+
+# if defined (EARLY_CHROOT)
+ if (set_chroot) setup_chroot (set_chroot);
+# endif /* EARLY_CHROOT */
+#endif /* PARANOIA */
+
/* Default to the DHCP/BOOTP port. */
if (!local_port)
{
@@ -500,6 +586,10 @@
postconf_initialization (quiet);
+#if defined (PARANOIA) && !defined (EARLY_CHROOT)
+ if (set_chroot) setup_chroot (set_chroot);
+#endif /* PARANOIA && !EARLY_CHROOT */
+
/* test option should cause an early exit */
if (cftest && !lftest)
exit(0);
@@ -543,6 +633,22 @@
exit (0);
}
+#if defined (PARANOIA)
+ /* change uid to the specified one */
+
+ if (set_gid) {
+ if (setgroups (0, (void *)0))
+ log_fatal ("setgroups: %m");
+ if (setgid (set_gid))
+ log_fatal ("setgid(%d): %m", (int) set_gid);
+ }
+
+ if (set_uid) {
+ if (setuid (set_uid))
+ log_fatal ("setuid(%d): %m", (int) set_uid);
+ }
+#endif /* PARANOIA */
+
/* Read previous pid file. */
if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) {
status = read (i, pbuf, (sizeof pbuf) - 1);
@@ -888,6 +994,10 @@
log_fatal ("Usage: dhcpd [-p <UDP port #>] [-d] [-f]%s%s%s%s",
"\n [-cf config-file] [-lf lease-file]",
+#if defined (PARANOIA)
+ /* meld into the following string */
+ "\n [-user user] [-group group] [-chroot dir]"
+#endif /* PARANOIA */
#if defined (TRACING)
"\n [-tf trace-output-file]",
"\n [-play trace-input-file]",
|