diff --git a/kea-ctrl-agent.service b/kea-ctrl-agent.service
new file mode 100644
index 0000000..54ce496
--- /dev/null
+++ b/kea-ctrl-agent.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=ISC Kea Control Agent
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=kea
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-ctrl-agent -c /etc/kea/kea-ctrl-agent.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
diff --git a/kea-dhcp-ddns.service b/kea-dhcp-ddns.service
new file mode 100644
index 0000000..a578c5d
--- /dev/null
+++ b/kea-dhcp-ddns.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=ISC Kea DHCP-DDNS server
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-dhcp-ddns -c /etc/kea/kea-dhcp-ddns.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
diff --git a/kea-dhcp4.service b/kea-dhcp4.service
new file mode 100644
index 0000000..6bd3ed6
--- /dev/null
+++ b/kea-dhcp4.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=ISC Kea DHCPv4 server
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-dhcp4 -c /etc/kea/kea-dhcp4.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
diff --git a/kea-dhcp6.service b/kea-dhcp6.service
new file mode 100644
index 0000000..634306d
--- /dev/null
+++ b/kea-dhcp6.service
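Review bot: `ProtectSystem=full` is the only sandboxing directive in the [Service] section of the control agent, the one unit here that fronts an HTTP control API, so the process still sees a writable /home and a shared /tmp and, without `NoNewPrivileges=`, can still gain privileges by executing a setuid or file-capability binary. I would add the usual baseline — `NoNewPrivileges=yes`, `ProtectHome=yes`, `PrivateTmp=yes` — and move to `ProtectSystem=strict` with an explicit `ReadWritePaths=` for the state and log trees, which is what the 0750 kea:kea directories in the spec already imply. The same block fits the three sibling units added by this commit.
```ini
[Service]
User=kea
# … unchanged: Environment, RuntimeDirectory, ExecStart, ExecReload …
NoNewPrivileges=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/kea /var/log/kea
ProtectHome=yes
PrivateTmp=yes
```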
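Review bot: `AmbientCapabilities=CAP_NET_BIND_SERVICE` widens the ambient set but leaves the bounding set at its default, so the daemon can still pick up any other capability through a setuid or file-capability binary it happens to exec; pair it with `CapabilityBoundingSet=CAP_NET_BIND_SERVICE` and `NoNewPrivileges=yes` so the granted capability is also the ceiling. The unit does not say why the DDNS daemon needs to bind a privileged port — its listener is configurable, so if the packaged default is an unprivileged port the capability could be dropped altogether; otherwise a one-line comment above the directive such as `# needed only when the D2 listener is configured on a port below 1024` would record the reason for the next maintainer.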
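Review bot: This unit grants CAP_NET_RAW, the most powerful capability in the set (arbitrary packet sockets on every interface), with nothing limiting what else the process may acquire or which socket families it may open. Alongside the ambient grant I would set `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW` and `NoNewPrivileges=yes`, and consider `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_PACKET AF_NETLINK` — AF_PACKET for the raw DHCPv4 path and AF_NETLINK for interface enumeration are my assumption, so verify with a test start before shipping. A short comment on the `AmbientCapabilities=` line naming which capability serves which purpose (raw sockets for DHCPv4 vs. binding port 67) would also help whoever touches this next.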
@@ -0,0 +1,16 @@
+[Unit]
+Description=ISC Kea DHCPv6 server
+Before=multi-user.target
+After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
+
+[Service]
+User=kea
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+Environment=KEA_PIDFILE_DIR=/run/kea
+RuntimeDirectory=kea
+ExecStart=/usr/sbin/kea-dhcp6 -c /etc/kea/kea-dhcp6.conf
+ExecReload=kill -HUP $MAINPID
+ProtectSystem=full
+
+[Install]
+WantedBy=multi-user.target
diff --git a/kea-sysusers.conf b/kea-sysusers.conf
new file mode 100644
index 0000000..51b2cd2
--- /dev/null
+++ b/kea-sysusers.conf
@@ -0,0 +1,3 @@
+#Type Name ID GECOS Home directory Shell
+g kea - - - -
+u kea -:kea "Kea DHCP Server" /var/lib/kea -
diff --git a/kea-tmpfiles.conf b/kea-tmpfiles.conf
new file mode 100644
index 0000000..121dd60
--- /dev/null
+++ b/kea-tmpfiles.conf
@@ -0,0 +1,2 @@
+#Type Path Mode User Group Age Argument
+d /run/kea 0775 kea kea - -
diff --git a/kea.changes b/kea.changes
index ff5de88..49e7e87 100644
--- a/kea.changes
+++ b/kea.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Apr 2 15:29:59 UTC 2025 - Jorik Cronenberg
+
+- Split off services into separate ones to allow more fine grained
+ control for e.g. capabilities.
+- Add new kea user and group under which these services will run.
+- Tighten access to state and log directories
+
 -------------------------------------------------------------------
 Wed Mar 26 16:01:54 UTC 2025 - Jorik Cronenberg
diff --git a/kea.spec b/kea.spec
index 70031ff..ae814b8 100644
--- a/kea.spec
+++ b/kea.spec
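Review bot: All four units declare `RuntimeDirectory=kea` on the same /run/kea that the new tmpfiles entry also creates, and as far as I recall systemd tears a RuntimeDirectory down when the owning unit stops without reference-counting it across units, so `systemctl stop kea-dhcp6` would remove the control sockets and pid files of the still-running dhcp4, ddns and ctrl-agent services. Either add `RuntimeDirectoryPreserve=yes` to each of the four units or drop `RuntimeDirectory=` and let the tmpfiles entry own the directory; mixing both also leaves the mode ambiguous (systemd's default `RuntimeDirectoryMode=` is 0755, the tmpfiles line says 0775). Please verify the removal behaviour on the target systemd version before choosing.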
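Review bot: `d /run/kea 0775 kea kea - -` makes the runtime directory group-writable and world-traversable while the state and log directories added in the same commit are 0750 kea:kea; since the control sockets and pid files live here and only the kea user writes them, `d /run/kea 0750 kea kea - -` would be consistent with the rest and keep the socket paths out of reach of other local users. If the looser mode is intentional — e.g. for a tool that runs unprivileged in group kea — a comment in the file saying so would stop it being tightened later by mistake.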
@@ -57,6 +57,12 @@ Source: https://ftp.isc.org/isc/kea/%version/kea-%version.tar.gz
 Source2: https://ftp.isc.org/isc/kea/%version/kea-%version.tar.gz.asc
 # https://www.isc.org/pgpkey/
 Source3: kea.keyring
+Source4: kea-dhcp4.service
+Source5: kea-dhcp6.service
+Source6: kea-dhcp-ddns.service
+Source7: kea-ctrl-agent.service
+Source8: kea-sysusers.conf
+Source9: kea-tmpfiles.conf
 Patch0: kea-2.6.1-boost_1.87-compat.patch
 BuildRequires: autoconf >= 2.59
 BuildRequires: automake
@@ -355,7 +361,7 @@ Development files for the Kea DHCP server
 %autosetup -p1 -n kea-%version
 %build
-export FREERADIUS_INCLUDE="%_includedir/freeradius"
+export FREERADIUS_INCLUDE="%{_includedir}/freeradius"
 export FREERADIUS_LIB=""
 export FREERADIUS_DICTIONARY=""
 autoreconf -fi
@@ -368,56 +374,45 @@ autoreconf -fi
 --with-dhcp-mysql --with-dhcp-pgsql \ --enable-perfdhcp --enable-shell
 make %{?_smp_mflags}
+%sysusers_generate_pre %{SOURCE8} %{name} %{name}-user.conf
 %install
-b=%buildroot
 %make_install
-find %buildroot -type f -name "*.la" -delete -print
-mkdir -p "$b/%_unitdir" "$b/%_tmpfilesdir" "$b/%_sysusersdir"
-cat <<-EOF >"$b/%_unitdir/kea.service"
- [Unit]
- Description=ISC Kea DHCP server
- Before=multi-user.target
- After=remote-fs.target network.target nss-lookup.target time-sync.target ldap.service ndsd.service
- [Service]
- Type=forking
- Environment=KEA_PIDFILE_DIR=%_rundir/%name
- RuntimeDirectory=kea
- ExecStart=%_sbindir/keactrl start
- ExecReload=%_sbindir/keactrl reload
- ExecStop=%_sbindir/keactrl stop
- [Install]
- WantedBy=multi-user.target
- Alias=dhcp-server.service
-EOF
-cat <<-EOF >"$b/%_tmpfilesdir/kea.conf"
- d /run/kea 0775 keadhcp keadhcp -
-EOF
-echo 'u keadhcp - "Kea DHCP server" /var/lib/kea' >system-user-keadhcp.conf
-cp -a system-user-keadhcp.conf "$b/%_sysusersdir/"
-%sysusers_generate_pre system-user-keadhcp.conf random system-user-keadhcp.conf
+find %{buildroot} -type f -name "*.la" -delete -print
-perl -i -pe 's{%_localstatedir/log/kea-}{%_localstatedir/log/kea/}' \ "$b/%_sysconfdir/kea"/*.conf
+install -D -m 0644 %{SOURCE4} %{buildroot}%{_unitdir}/kea-dhcp4.service
+install -D -m 0644 %{SOURCE5} %{buildroot}%{_unitdir}/kea-dhcp6.service
+install -D -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/kea-dhcp-ddns.service
+install -D -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/kea-ctrl-agent.service
-mkdir -p "$b%_localstatedir/log/kea"
+install -D -m 0644 %{SOURCE8} %{buildroot}%{_sysusersdir}/%{name}-user.conf
+install -D -m 0644 %{SOURCE9} %{buildroot}%{_tmpfilesdir}/%{name}-tmpfiles.conf
+
+perl -i -pe 's{%{_localstatedir}/log/kea-}{%_localstatedir/log/kea/}' \ "%{buildroot}/%{_sysconfdir}/kea"/*.conf
+
+install -d -m 0750 "%{buildroot}%{_localstatedir}/log/kea"
 # Remove unnecessary files
-find "%buildroot/%_libdir" -name "*.so.*" -type l -delete
-rm -Rf "%buildroot/%python3_sitelib/kea/__pycache__"
+find "%{buildroot}/%{_libdir}" -name "*.so.*" -type l -delete
+rm -Rf "%{buildroot}/%{python3_sitelib}/kea/__pycache__"
-%pre -f random.pre
-systemd-tmpfiles --create kea.conf || :
-%service_add_pre kea.service
+%pre -f kea.pre
+%service_add_pre kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
 %post
-%service_add_post kea.service
+%tmpfiles_create %{_tmpfilesdir}/%{name}-tmpfiles.conf
+%service_add_post kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
+if [ $1 -gt 1 ]; then
+ chown -R kea:kea %{_sharedstatedir}/kea
+ chown -R kea:kea %{_localstatedir}/log/kea
+fi
 %preun
-%service_del_preun kea.service
+%service_del_preun kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
 %postun
-%service_del_postun kea.service
+%service_del_postun kea-dhcp4.service kea-dhcp6.service kea-dhcp-ddns.service kea-ctrl-agent.service
 %ldconfig_scriptlets -n libkea-asiodns%asiodns_sover
 %ldconfig_scriptlets -n libkea-asiolink%asiolink_sover
@@ -444,100 +439,101 @@ systemd-tmpfiles --create kea.conf || :
 %ldconfig_scriptlets -n libkea-util%util_sover
 %files
-%dir %_sysconfdir/kea
-%config(noreplace) %_sysconfdir/kea/*.conf
-%_mandir/man8/*.8%{?ext_man}
-%_sbindir/kea*
-%_sbindir/perfdhcp
-%_datadir/kea/
-%_unitdir/*.service
-%dir %_localstatedir/lib/kea
-%_tmpfilesdir/
-%_sysusersdir/
-%attr(0775,keadhcp,keadhcp) %_localstatedir/log/kea/
+%dir %{_sysconfdir}/kea
+%config(noreplace) %attr(0640,root,kea) %{_sysconfdir}/kea/*.conf
+%{_mandir}/man8/*.8%{?ext_man}
+%{_sbindir}/kea*
+%{_sbindir}/perfdhcp
+%{_datadir}/kea/
+%{_unitdir}/*.service
+%dir %attr(0750,kea,kea) %{_sharedstatedir}/kea
+%{_sysusersdir}/%{name}-user.conf
+%{_tmpfilesdir}/%{name}-tmpfiles.conf
+%attr(0750,kea,kea) %{_localstatedir}/log/kea/
+%ghost %{_rundir}/kea
 %files doc
-%doc %_datadir/doc/kea/
-%exclude %_datadir/doc/kea/html/.buildinfo
+%doc %{_datadir}/doc/kea/
+%exclude %{_datadir}/doc/kea/html/.buildinfo
 %files hooks
-%dir %_libdir/kea
-%_libdir/kea/hooks/
+%dir %{_libdir}/kea
+%{_libdir}/kea/hooks/
 %files -n libkea-asiodns%asiodns_sover
-%_libdir/libkea-asiodns.so.%asiodns_sover.*
+%{_libdir}/libkea-asiodns.so.%asiodns_sover.*
 %files -n libkea-asiolink%asiolink_sover
-%_libdir/libkea-asiolink.so.%asiolink_sover.*
+%{_libdir}/libkea-asiolink.so.%asiolink_sover.*
 %files -n libkea-cc%cc_sover
-%_libdir/libkea-cc.so.%cc_sover.*
+%{_libdir}/libkea-cc.so.%cc_sover.*
 %files -n libkea-cfgclient%cfgclient_sover
-%_libdir/libkea-cfgclient.so.%cfgclient_sover.*
+%{_libdir}/libkea-cfgclient.so.%cfgclient_sover.*
 %files -n libkea-cryptolink%cryptolink_sover
-%_libdir/libkea-cryptolink.so.%cryptolink_sover.*
+%{_libdir}/libkea-cryptolink.so.%cryptolink_sover.*
 %files -n libkea-d2srv%d2srv_sover
-%_libdir/libkea-d2srv.so.%d2srv_sover.*
+%{_libdir}/libkea-d2srv.so.%d2srv_sover.*
 %files -n libkea-database%database_sover
-%_libdir/libkea-database.so.%database_sover.*
+%{_libdir}/libkea-database.so.%database_sover.*
 %files -n libkea-dhcp++%dhcppp_sover
-%_libdir/libkea-dhcp++.so.%dhcppp_sover.*
+%{_libdir}/libkea-dhcp++.so.%dhcppp_sover.*
 %files -n libkea-dhcp_ddns%dhcp_ddns_sover
-%_libdir/libkea-dhcp_ddns.so.%dhcp_ddns_sover.*
+%{_libdir}/libkea-dhcp_ddns.so.%dhcp_ddns_sover.*
 %files -n libkea-dhcpsrv%dhcpsrv_sover
-%_libdir/libkea-dhcpsrv.so.%dhcpsrv_sover.*
+%{_libdir}/libkea-dhcpsrv.so.%dhcpsrv_sover.*
 %files -n libkea-dns++%dnspp_sover
-%_libdir/libkea-dns++.so.%dnspp_sover.*
+%{_libdir}/libkea-dns++.so.%dnspp_sover.*
 %files -n libkea-eval%eval_sover
-%_libdir/libkea-eval.so.%eval_sover.*
+%{_libdir}/libkea-eval.so.%eval_sover.*
 %files -n libkea-exceptions%exceptions_sover
-%_libdir/libkea-exceptions.so.%exceptions_sover.*
+%{_libdir}/libkea-exceptions.so.%exceptions_sover.*
 %files -n libkea-hooks%hooks_sover
-%_libdir/libkea-hooks.so.%hooks_sover.*
+%{_libdir}/libkea-hooks.so.%hooks_sover.*
 %files -n libkea-http%http_sover
-%_libdir/libkea-http.so.%http_sover.*
+%{_libdir}/libkea-http.so.%http_sover.*
 %files -n libkea-log%log_sover
-%_libdir/libkea-log.so.%log_sover.*
+%{_libdir}/libkea-log.so.%log_sover.*
 %files -n libkea-mysql%mysql_sover
-%_libdir/libkea-mysql.so.%mysql_sover.*
+%{_libdir}/libkea-mysql.so.%mysql_sover.*
 %files -n libkea-pgsql%pgsql_sover
-%_libdir/libkea-pgsql.so.%pgsql_sover.*
+%{_libdir}/libkea-pgsql.so.%pgsql_sover.*
 %files -n libkea-process%process_sover
-%_libdir/libkea-process.so.%process_sover.*
+%{_libdir}/libkea-process.so.%process_sover.*
 %files -n libkea-stats%stats_sover
-%_libdir/libkea-stats.so.%stats_sover.*
+%{_libdir}/libkea-stats.so.%stats_sover.*
 %files -n libkea-tcp%tcp_sover
-%_libdir/libkea-tcp.so.%tcp_sover.*
+%{_libdir}/libkea-tcp.so.%tcp_sover.*
 %files -n libkea-util-io%util_io_sover
-%_libdir/libkea-util-io.so.%util_io_sover.*
+%{_libdir}/libkea-util-io.so.%util_io_sover.*
 %files -n libkea-util%util_sover
-%_libdir/libkea-util.so.%util_sover.*
+%{_libdir}/libkea-util.so.%util_sover.*
 %files -n python3-kea
-%python3_sitelib/kea/
+%{python3_sitelib}/kea/
 %files devel
-%_includedir/kea/
-%_libdir/libkea*.so
+%{_includedir}/kea/
+%{_libdir}/libkea*.so
 %changelog
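Review bot: `%config(noreplace) %attr(0640,root,kea) %{_sysconfdir}/kea/*.conf` protects freshly installed files, but a config an admin has edited — the usual case, and the one most likely to hold database or control-agent credentials — is left in place by rpm on upgrade and, as far as I know, keeps its old mode, so a previously world-readable config stays world-readable after this change. I would enforce it from `%post` on the upgrade path: `chgrp kea %{_sysconfdir}/kea/*.conf` followed by `chmod 0640 %{_sysconfdir}/kea/*.conf`. Separately, `%ghost %{_rundir}/kea` carries no `%dir`/`%attr`, so `%ghost %dir %attr(0775,kea,kea) %{_rundir}/kea` would make the package metadata agree with the tmpfiles entry rather than whatever rpm defaults to for the ghost.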