Accepting request 444260 from home:vitezslav_cizek:branches:network

- honor --user and --group options in non-daemon mode (bsc#1013565) * add atftp-drop_privileges_non-daemon.patch OBS-URL: https://build.opensuse.org/request/show/444260 OBS-URL: https://build.opensuse.org/package/show/network/atftp?expand=0&rev=32
2016-12-08 09:00:44 +00:00 · 2016-12-08 09:00:44 +00:00 · 8ce17eeab2
commit 8ce17eeab2
parent af5e2987e9
3 changed files with 96 additions and 1 deletions
--- a/atftp-drop_privileges_non-daemon.patch
+++ b/atftp-drop_privileges_non-daemon.patch
@ -0,0 +1,86 @@
+Index: atftp-0.7/tftpd.c
+===================================================================
+--- atftp-0.7.orig/tftpd.c	2016-12-06 13:41:15.955496990 +0100
+++ atftp-0.7/tftpd.c	2016-12-06 14:55:23.573139906 +0100
+@@ -95,8 +95,8 @@ int deny_severity = LOG_NOTICE;
+ #endif
+ 
+ /* user ID and group ID when running as a daemon */
+-char user_name[MAXLEN] = "nobody";
+-char group_name[MAXLEN] = "nogroup";
+char user_name[MAXLEN] = "tftp";
+char group_name[MAXLEN] = "tftp";
+ 
+ /* For special uses, disable source port checking */
+ int source_port_checking = 1;
+@@ -274,33 +274,47 @@ int main(int argc, char **argv)
+           dup2(sockfd, 0);
+           close(sockfd);
+ 
+-          /* release priviliedge */
+-          user = getpwnam(user_name);
+-          group = getgrnam(group_name);
+-          if (!user || !group)
+-          {
+-               logger(LOG_ERR,
+-                      "atftpd: can't change identity to %s.%s, exiting.",
+-                      user_name, group_name);
+-               exit(1);
+-          }
+     }
+ 
+-          /* write our pid in the specified file before changing user*/
+-          if (pidfile)
+-          {
+-               if (tftpd_pid_file(pidfile, 1) != OK)
+-                    exit(1);
+-               /* to be able to remove it later */
+-               chown(pidfile, user->pw_uid, group->gr_gid);
+-          }
+     /* release privilege */
+     user = getpwnam(user_name);
+     group = getgrnam(group_name);
+     if (!user || !group)
+     {
+          logger(LOG_ERR,
+                 "atftpd: can't change identity to %s.%s, exiting.",
+                 user_name, group_name);
+          exit(1);
+     }
+ 
+-          setgid(group->gr_gid);
+-          setuid(user->pw_uid);
+     /* write our pid in the specified file before changing user*/
+     if (pidfile)
+     {
+          if (tftpd_pid_file(pidfile, 1) != OK)
+               exit(1);
+          /* to be able to remove it later */
+          chown(pidfile, user->pw_uid, group->gr_gid);
+     }
+ 
+-          /* Reopen log file now that we changed user, and that we've
+-           * open and dup2 the socket. */
+-          open_logger("atftpd", log_file, logging_level);
+     if(setgid(group->gr_gid))
+     {
+          logger(LOG_ERR, "atftpd: can't switch group to %s, exiting.", group_name);
+          exit(1);
+     }
+     if (setgroups(0, NULL))
+     {
+          logger(LOG_ERR, "atftpd: can't clear supplementary group list");
+          exit(1);
+      }
+     if(setuid(user->pw_uid))
+     {
+          logger(LOG_ERR, "atftpd: can't switch user to %s, exiting.", user_name);
+          exit(1);
+     }
+
+     /* Reopen log file now that we changed user, and that we've
+      * open and dup2 the socket. */
+     open_logger("atftpd", log_file, logging_level);
+ 
+      /* We need to retieve some information from incomming packets */
+      if (setsockopt(0, SOL_IP, IP_PKTINFO, &one, sizeof(one)) != 0)
--- a/atftp.changes
+++ b/atftp.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Dec  6 12:39:32 UTC 2016 - vcizek@suse.com
+
+- honor --user and --group options in non-daemon mode (bsc#1013565)
+  * add atftp-drop_privileges_non-daemon.patch
+
 -------------------------------------------------------------------
 Mon Jun 15 13:19:22 UTC 2015 - mpluskal@suse.com

--- a/atftp.spec
+++ b/atftp.spec
@ -1,7 +1,7 @@
 #
 # spec file for package atftp
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -50,6 +50,7 @@ Patch12:        atftp-0.7-ack_heuristic.patch
 Patch13:        atftp-0.7-default_user_man.patch
 # PATCH-FIX-SUSE update default directory in man (bnc#507011)
 Patch14:        atftp-0.7-default_dir_man.patch
+Patch15:        atftp-drop_privileges_non-daemon.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  pcre-devel
@ -93,6 +94,7 @@ boot of hundreds of machines simultaneously.
 %patch12
 %patch13
 %patch14
+%patch15 -p1

 %build
 autoreconf -fi
@ -174,6 +176,7 @@ fi
 %{_mandir}/man1/atftp.1.gz
 %{_mandir}/man8/atftpd.8.gz
 %{_mandir}/man8/in.tftpd.8.gz
+
 %config %{_fwdefdir}/atftp
 %dir %attr(0750,tftp,tftp) /srv/tftpboot
 %dir %attr(0750,tftp,tftp) %{_localstatedir}/log/atftpd/