From dd686d8d98082dcdba8289f2a1fac48658f98e8d882e32c4615b7c76450bdf31 Mon Sep 17 00:00:00 2001 From: OBS User buildservice-autocommit Date: Mon, 16 May 2011 09:17:24 +0000 Subject: [PATCH 1/4] Updating link to change in openSUSE:Factory/dhcp revision 58.0 OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=2cd9f069c34038ebb5ff1171863e61c4 --- dhcp.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dhcp.spec b/dhcp.spec index 4384357..c707dff 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -40,7 +40,7 @@ License: BSD3c(or similar) Group: Productivity/Networking/Boot/Servers AutoReqProv: on Version: 4.2.1.P1 -Release: 3 +Release: 5 Summary: Common Files Used by ISC DHCP Software Url: http://www.isc.org/software/dhcp Source0: dhcp-%{isc_version}.tar.bz2 @@ -132,6 +132,7 @@ Provides: dhcp-devel = %{version} Obsoletes: dhcp-devel < %{version} %if %{with_doc_package} + %package doc License: BSD3c(or similar) Summary: Documentation @@ -188,6 +189,7 @@ Authors: Internet Systems Consortium, Inc. %if %{with_doc_package} + %description doc This package contains additional documentation files provided with the software. The manual pages are in the corresponding packages. @@ -471,6 +473,7 @@ if ! test -f /.buildenv; then rm -rf $RPM_BUILD_ROOT; fi %{_localstatedir}/adm/fillup-templates/sysconfig.dhcpd %{_localstatedir}/adm/fillup-templates/sysconfig.syslog-dhcpd %if %{with_doc_package} + %files doc %defattr(-,root,root) %endif From 6441545555a7d73bb3728fb8c80f239d7a297e8f0d5346cd9dc812df8f2c0656 Mon Sep 17 00:00:00 2001 
From: Marius Tomaschewski Date: Tue, 17 May 2011 10:54:19 +0000 Subject: [PATCH 2/4] Accepting request 70370 from home:elvigia:branches:network:dhcp - Import redhat's patch to open all needed FDs with O_CLOEXEC so they dont leak. OBS-URL: https://build.opensuse.org/request/show/70370 OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=73 --- dhcp-4.2.0-CLOEXEC.patch | 400 +++++++++++++++++++++++++++++++++++++++ dhcp.changes | 6 + dhcp.spec | 4 +- 3 files changed, 409 insertions(+), 1 deletion(-) create mode 100644 dhcp-4.2.0-CLOEXEC.patch diff --git a/dhcp-4.2.0-CLOEXEC.patch b/dhcp-4.2.0-CLOEXEC.patch new file mode 100644 index 0000000..3107eca --- /dev/null +++ b/dhcp-4.2.0-CLOEXEC.patch 
@@ -0,0 +1,400 @@ +--- client/clparse.c.orig ++++ client/clparse.c +@@ -210,7 +210,7 @@ int read_client_conf_file (const char *n + int token; + isc_result_t status; + +- if ((file = open (name, O_RDONLY)) < 0) ++ if ((file = open (name, O_RDONLY | O_CLOEXEC)) < 0) + return uerr2isc (errno); + + cfile = NULL; +@@ -247,7 +247,7 @@ void read_client_leases () + + /* Open the lease file. If we can't open it, just return - + we can safely trust the server to remember our state. */ +- if ((file = open (path_dhclient_db, O_RDONLY)) < 0) ++ if ((file = open (path_dhclient_db, O_RDONLY | O_CLOEXEC)) < 0) + return; + + cfile = NULL; +--- client/dhclient.c.orig ++++ client/dhclient.c +@@ -127,11 +127,11 @@ main(int argc, char **argv) { + /* Make sure that file descriptors 0 (stdin), 1, (stdout), and + 2 (stderr) are open. To do this, we assume that when we + open a file the lowest available file descriptor is used. */ +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 0) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 1) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 2) + log_perror = 0; /* No sense logging to /dev/null. */ + else if (fd != -1) +@@ -406,7 +406,7 @@ main(int argc, char **argv) { + int e; + + oldpid = 0; +- if ((pidfd = fopen(path_dhclient_pid, "r")) != NULL) { ++ if ((pidfd = fopen(path_dhclient_pid, "re")) != NULL) { + e = fscanf(pidfd, "%ld\n", &temp); + oldpid = (pid_t)temp; + +@@ -2627,7 +2627,7 @@ void rewrite_client_leases () + + if (leaseFile != NULL) + fclose (leaseFile); +- leaseFile = fopen (path_dhclient_db, "w"); ++ leaseFile = fopen (path_dhclient_db, "we"); + if (leaseFile == NULL) { + log_error ("can't create %s: %m", path_dhclient_db); + return; +@@ -2731,7 +2731,7 @@ write_duid(struct data_string *duid) + return DHCP_R_INVALIDARG; + + if (leaseFile == NULL) { /* XXX? 
*/ +- leaseFile = fopen(path_dhclient_db, "w"); ++ leaseFile = fopen(path_dhclient_db, "we"); + if (leaseFile == NULL) { + log_error("can't create %s: %m", path_dhclient_db); + return ISC_R_IOERROR; +@@ -2779,7 +2779,7 @@ write_client6_lease(struct client_state + return DHCP_R_INVALIDARG; + + if (leaseFile == NULL) { /* XXX? */ +- leaseFile = fopen(path_dhclient_db, "w"); ++ leaseFile = fopen(path_dhclient_db, "we"); + if (leaseFile == NULL) { + log_error("can't create %s: %m", path_dhclient_db); + return ISC_R_IOERROR; +@@ -2911,7 +2911,7 @@ int write_client_lease (client, lease, r + return 1; + + if (leaseFile == NULL) { /* XXX */ +- leaseFile = fopen (path_dhclient_db, "w"); ++ leaseFile = fopen (path_dhclient_db, "we"); + if (leaseFile == NULL) { + log_error ("can't create %s: %m", path_dhclient_db); + return 0; +@@ -3400,9 +3400,9 @@ void go_daemon () + close(2); + + /* Reopen them on /dev/null. */ +- open("/dev/null", O_RDWR); +- open("/dev/null", O_RDWR); +- open("/dev/null", O_RDWR); ++ open("/dev/null", O_RDWR | O_CLOEXEC); ++ open("/dev/null", O_RDWR | O_CLOEXEC); ++ open("/dev/null", O_RDWR | O_CLOEXEC); + + write_client_pid_file (); + +@@ -3414,14 +3414,14 @@ void write_client_pid_file () + FILE *pf; + int pfdesc; + +- pfdesc = open (path_dhclient_pid, O_CREAT | O_TRUNC | O_WRONLY, 0644); ++ pfdesc = open (path_dhclient_pid, O_CREAT | O_TRUNC | O_WRONLY | O_CLOEXEC, 0644); + + if (pfdesc < 0) { + log_error ("Can't create %s: %m", path_dhclient_pid); + return; + } + +- pf = fdopen (pfdesc, "w"); ++ pf = fdopen (pfdesc, "we"); + if (!pf) + log_error ("Can't fdopen %s: %m", path_dhclient_pid); + else { +--- common/bpf.c.orig ++++ common/bpf.c +@@ -94,7 +94,7 @@ int if_register_bpf (info) + for (b = 0; 1; b++) { + /* %Audit% 31 bytes max. 
%2004.06.17,Safe% */ + sprintf(filename, BPF_FORMAT, b); +- sock = open (filename, O_RDWR, 0); ++ sock = open (filename, O_RDWR | O_CLOEXEC, 0); + if (sock < 0) { + if (errno == EBUSY) { + continue; +--- common/discover.c.orig ++++ common/discover.c +@@ -409,7 +409,7 @@ begin_iface_scan(struct iface_conf_list + int len; + int i; + +- ifaces->fp = fopen("/proc/net/dev", "r"); ++ ifaces->fp = fopen("/proc/net/dev", "re"); + if (ifaces->fp == NULL) { + log_error("Error opening '/proc/net/dev' to list interfaces"); + return 0; +@@ -444,7 +444,7 @@ begin_iface_scan(struct iface_conf_list + + #ifdef DHCPv6 + if (local_family == AF_INET6) { +- ifaces->fp6 = fopen("/proc/net/if_inet6", "r"); ++ ifaces->fp6 = fopen("/proc/net/if_inet6", "re"); + if (ifaces->fp6 == NULL) { + log_error("Error opening '/proc/net/if_inet6' to " + "list IPv6 interfaces; %m"); +--- common/dlpi.c.orig ++++ common/dlpi.c +@@ -808,7 +808,7 @@ dlpiopen(const char *ifname) { + } + *dp = '\0'; + +- return open (devname, O_RDWR, 0); ++ return open (devname, O_RDWR | O_CLOEXEC, 0); + } + + /* +--- common/nit.c.orig ++++ common/nit.c +@@ -81,7 +81,7 @@ int if_register_nit (info) + struct strioctl sio; + + /* Open a NIT device */ +- sock = open ("/dev/nit", O_RDWR); ++ sock = open ("/dev/nit", O_RDWR | O_CLOEXEC); + if (sock < 0) + log_fatal ("Can't open NIT device for %s: %m", info -> name); + +--- common/resolv.c.orig ++++ common/resolv.c +@@ -49,7 +49,7 @@ void read_resolv_conf (parse_time) + struct domain_search_list *dp, *dl, *nd; + isc_result_t status; + +- if ((file = open (path_resolv_conf, O_RDONLY)) < 0) { ++ if ((file = open (path_resolv_conf, O_RDONLY | O_CLOEXEC)) < 0) { + log_error ("Can't open %s: %m", path_resolv_conf); + return; + } +--- common/upf.c.orig ++++ common/upf.c +@@ -77,7 +77,7 @@ int if_register_upf (info) + /* %Audit% Cannot exceed 36 bytes. 
%2004.06.17,Safe% */ + sprintf(filename, "/dev/pf/pfilt%d", b); + +- sock = open (filename, O_RDWR, 0); ++ sock = open (filename, O_RDWR | O_CLOEXEC, 0); + if (sock < 0) { + if (errno == EBUSY) { + continue; +--- dst/dst_api.c.orig ++++ dst/dst_api.c +@@ -437,7 +437,7 @@ dst_s_write_private_key(const DST_KEY *k + PRIVATE_KEY, PATH_MAX); + + /* Do not overwrite an existing file */ +- if ((fp = dst_s_fopen(file, "w", 0600)) != NULL) { ++ if ((fp = dst_s_fopen(file, "we", 0600)) != NULL) { + int nn; + if ((nn = fwrite(encoded_block, 1, len, fp)) != len) { + EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n", +@@ -494,7 +494,7 @@ dst_s_read_public_key(const char *in_nam + * flags, proto, alg stored as decimal (or hex numbers FIXME). + * (FIXME: handle parentheses for line continuation.) + */ +- if ((fp = dst_s_fopen(name, "r", 0)) == NULL) { ++ if ((fp = dst_s_fopen(name, "re", 0)) == NULL) { + EREPORT(("dst_read_public_key(): Public Key not found %s\n", + name)); + return (NULL); +@@ -620,7 +620,7 @@ dst_s_write_public_key(const DST_KEY *ke + return (0); + } + /* create public key file */ +- if ((fp = dst_s_fopen(filename, "w+", 0644)) == NULL) { ++ if ((fp = dst_s_fopen(filename, "w+e", 0644)) == NULL) { + EREPORT(("DST_write_public_key: open of file:%s failed (errno=%d)\n", + filename, errno)); + return (0); +@@ -854,7 +854,7 @@ dst_s_read_private_key_file(char *name, + return (0); + } + /* first check if we can find the key file */ +- if ((fp = dst_s_fopen(filename, "r", 0)) == NULL) { ++ if ((fp = dst_s_fopen(filename, "re", 0)) == NULL) { + EREPORT(("dst_s_read_private_key_file: Could not open file %s in directory %s\n", + filename, dst_path[0] ? 
dst_path : + (char *) getcwd(NULL, PATH_MAX - 1))); +--- dst/prandom.c.orig ++++ dst/prandom.c +@@ -269,7 +269,7 @@ get_dev_random(u_char *output, unsigned + + s = stat("/dev/random", &st); + if (s == 0 && S_ISCHR(st.st_mode)) { +- if ((fd = open("/dev/random", O_RDONLY | O_NONBLOCK)) != -1) { ++ if ((fd = open("/dev/random", O_RDONLY | O_NONBLOCK | O_CLOEXEC)) != -1) { + if ((n = read(fd, output, size)) < 0) + n = 0; + close(fd); +@@ -480,7 +480,7 @@ digest_file(dst_work *work) + work->file_digest = dst_free_key(work->file_digest); + return (0); + } +- if ((fp = fopen(name, "r")) == NULL) ++ if ((fp = fopen(name, "re")) == NULL) + return (0); + for (no = 0; (i = fread(buf, sizeof(*buf), sizeof(buf), fp)) > 0; + no += i) +--- omapip/trace.c.orig ++++ omapip/trace.c +@@ -141,10 +141,10 @@ isc_result_t trace_begin (const char *fi + return DHCP_R_INVALIDARG; + } + +- traceoutfile = open (filename, O_CREAT | O_WRONLY | O_EXCL, 0600); ++ traceoutfile = open (filename, O_CREAT | O_WRONLY | O_EXCL | O_CLOEXEC, 0600); + if (traceoutfile < 0 && errno == EEXIST) { + log_error ("WARNING: Overwriting trace file \"%s\"", filename); +- traceoutfile = open (filename, O_WRONLY | O_EXCL | O_TRUNC, ++ traceoutfile = open (filename, O_WRONLY | O_EXCL | O_TRUNC | O_CLOEXEC, + 0600); + } + +@@ -431,7 +431,7 @@ void trace_file_replay (const char *file + isc_result_t result; + int len; + +- traceinfile = fopen (filename, "r"); ++ traceinfile = fopen (filename, "re"); + if (!traceinfile) { + log_error("Can't open tracefile %s: %m", filename); + return; +--- relay/dhcrelay.c.orig ++++ relay/dhcrelay.c +@@ -177,11 +177,11 @@ main(int argc, char **argv) { + /* Make sure that file descriptors 0(stdin), 1,(stdout), and + 2(stderr) are open. To do this, we assume that when we + open a file the lowest available file descriptor is used. 
*/ +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 0) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 1) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 2) + log_perror = 0; /* No sense logging to /dev/null. */ + else if (fd != -1) +@@ -520,12 +520,12 @@ main(int argc, char **argv) { + exit(0); + + pfdesc = open(path_dhcrelay_pid, +- O_CREAT | O_TRUNC | O_WRONLY, 0644); ++ O_CREAT | O_TRUNC | O_WRONLY | O_CLOEXEC, 0644); + + if (pfdesc < 0) { + log_error("Can't create %s: %m", path_dhcrelay_pid); + } else { +- pf = fdopen(pfdesc, "w"); ++ pf = fdopen(pfdesc, "we"); + if (!pf) + log_error("Can't fdopen %s: %m", + path_dhcrelay_pid); +--- server/confpars.c.orig ++++ server/confpars.c +@@ -116,7 +116,7 @@ isc_result_t read_conf_file (const char + } + #endif + +- if ((file = open (filename, O_RDONLY)) < 0) { ++ if ((file = open (filename, O_RDONLY | O_CLOEXEC)) < 0) { + if (leasep) { + log_error ("Can't open lease database %s: %m --", + path_dhcpd_db); +--- server/db.c.orig ++++ server/db.c +@@ -1035,7 +1035,7 @@ void db_startup (testp) + } + #endif + if (!testp) { +- db_file = fopen (path_dhcpd_db, "a"); ++ db_file = fopen (path_dhcpd_db, "ae"); + if (!db_file) + log_fatal ("Can't open %s for append.", path_dhcpd_db); + expire_all_pools (); +@@ -1074,7 +1074,7 @@ int new_lease_file () + db_validity = lease_file_is_corrupt; + + snprintf (newfname, sizeof(newfname), "%s.XXXXXX", path_dhcpd_db); +- db_fd = mkstemp (newfname); ++ db_fd = mkostemp (newfname, O_CLOEXEC); + if (db_fd < 0) { + log_error ("Can't create new lease file: %m"); + return 0; +@@ -1083,7 +1083,7 @@ int new_lease_file () + log_error ("Can't fchmod new lease file: %m"); + goto fail; + } +- if ((new_db_file = fdopen(db_fd, "w")) == NULL) { ++ if ((new_db_file = fdopen(db_fd, "we")) == NULL) { + log_error("Can't fdopen new lease file: %m"); + close(db_fd); + goto 
fdfail; +--- server/dhcpd.c.orig ++++ server/dhcpd.c +@@ -272,11 +272,11 @@ main(int argc, char **argv) { + /* Make sure that file descriptors 0 (stdin), 1, (stdout), and + 2 (stderr) are open. To do this, we assume that when we + open a file the lowest available file descriptor is used. */ +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 0) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 1) +- fd = open("/dev/null", O_RDWR); ++ fd = open("/dev/null", O_RDWR | O_CLOEXEC); + if (fd == 2) + log_perror = 0; /* No sense logging to /dev/null. */ + else if (fd != -1) +@@ -800,7 +800,7 @@ main(int argc, char **argv) { + #endif /* PARANOIA */ + + /* Read previous pid file. */ +- if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) { ++ if ((i = open (path_dhcpd_pid, O_RDONLY | O_CLOEXEC)) >= 0) { + status = read(i, pbuf, (sizeof pbuf) - 1); + close (i); + if (status > 0) { +@@ -818,7 +818,7 @@ main(int argc, char **argv) { + } + + /* Write new pid file. */ +- if ((i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC, 0644)) >= 0) { ++ if ((i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644)) >= 0) { + sprintf(pbuf, "%d\n", (int) getpid()); + IGNORE_RET (write(i, pbuf, strlen(pbuf))); + close(i); +@@ -844,9 +844,9 @@ main(int argc, char **argv) { + close(2); + + /* Reopen them on /dev/null. */ +- open("/dev/null", O_RDWR); +- open("/dev/null", O_RDWR); +- open("/dev/null", O_RDWR); ++ open("/dev/null", O_RDWR | O_CLOEXEC); ++ open("/dev/null", O_RDWR | O_CLOEXEC); ++ open("/dev/null", O_RDWR | O_CLOEXEC); + log_perror = 0; /* No sense logging to /dev/null. 
*/ + + IGNORE_RET (chdir("/")); +--- server/ldap.c.orig ++++ server/ldap.c +@@ -1098,7 +1098,7 @@ ldap_start (void) + + if (ldap_debug_file != NULL && ldap_debug_fd == -1) + { +- if ((ldap_debug_fd = open (ldap_debug_file, O_CREAT | O_TRUNC | O_WRONLY, ++ if ((ldap_debug_fd = open (ldap_debug_file, O_CREAT | O_TRUNC | O_WRONLY | O_CLOEXEC, + S_IRUSR | S_IWUSR)) < 0) + log_error ("Error opening debug LDAP log file %s: %s", ldap_debug_file, + strerror (errno)); diff --git a/dhcp.changes b/dhcp.changes index d734575..4713a59 100644 --- a/dhcp.changes +++ b/dhcp.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Tue May 17 03:58:24 UTC 2011 - crrodriguez@opensuse.org + +- Import redhat's patch to open all needed FDs with O_CLOEXEC + so they dont leak. + ------------------------------------------------------------------- Thu May 12 08:39:03 UTC 2011 - mt@suse.de diff --git a/dhcp.spec b/dhcp.spec index c707dff..0f5a833 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -87,6 +87,7 @@ Patch40: dhcp-4.1.1-P1-lpf-bind-msg-fix.diff Patch41: dhcp-4.1.1-P1-relay-no-ip-on-interface.diff Patch44: dhcp-4.2.0-xen-checksum.patch Patch45: dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff +Patch46: dhcp-4.2.0-CLOEXEC.patch ## PreReq: /bin/touch /sbin/chkconfig sysconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -227,12 +228,13 @@ Authors: %patch41 -p1 %patch44 -p1 %patch45 -p1 +%patch46 ## find . -type f -name \*.cat\* -exec rm -f {} \; dos2unix contrib/ms2isc/* %build -CFLAGS="$RPM_OPT_FLAGS -W -Wall -fno-strict-aliasing -Wno-unused" +CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -fno-strict-aliasing -Wno-unused" %ifarch ppc ppc64 s390x # bugs 134590, 171532 CFLAGS="$CFLAGS -fsigned-char" From 538b3bfcf1eaef23d120baec2d4619e9eeb95f464d1f7886c019d62653a2ec4c Mon Sep 17 00:00:00 2001 
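Review bot: The `/dev/null` placeholders for descriptors 0-2 should not carry `O_CLOEXEC`. This applies to the `main()` prologue and `go_daemon()` hunks of client/dhclient.c in dhcp-4.2.0-CLOEXEC.patch, and to the matching hunks in relay/dhcrelay.c and server/dhcpd.c. With the flag set, those three descriptors are closed on exec, so any program the daemon later runs (the commit message implies there are exec'd children) would start without stdin, stdout or stderr, and the first files it opens would land on 0-2 and receive whatever it writes to stdout or stderr. I would leave these calls as `open("/dev/null", O_RDWR);` and keep `O_CLOEXEC` on the config, lease, pid, key and device opens, which are the descriptors the patch is meant to stop leaking. The enclosing functions start and end outside the inner hunks.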
From: Marius Tomaschewski Date: Mon, 29 Aug 2011 15:13:53 +0000 Subject: [PATCH 3/4] Accepting request 76554 from home:elvigia:branches:network:dhcp - Correct previous change. - THis is a long running network daemon, link with full RELRO security enhancements. - remove -fno-strict-aliasing from CFLAGS, no longer needed. OBS-URL: https://build.opensuse.org/request/show/76554 OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=74 --- dhcp.changes | 12 ++++++++++++ dhcp.spec | 4 ++-- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/dhcp.changes b/dhcp.changes index 4713a59..e0c835a 100644 --- a/dhcp.changes +++ b/dhcp.changes @@ -1,3 +1,15 @@ +------------------------------------------------------------------- +Wed Jul 20 18:53:07 UTC 2011 - crrodriguez@opensuse.org + +- Correct previous change. + +------------------------------------------------------------------- +Wed Jul 20 04:45:40 UTC 2011 - crrodriguez@opensuse.org + +- THis is a long running network daemon, link with + full RELRO security enhancements. +- remove -fno-strict-aliasing from CFLAGS, no longer needed. + ------------------------------------------------------------------- Tue May 17 03:58:24 UTC 2011 - crrodriguez@opensuse.org diff --git a/dhcp.spec b/dhcp.spec index 0f5a833..2fb7afa 100644 --- a/dhcp.spec +++ b/dhcp.spec @@ -234,7 +234,7 @@ find . -type f -name \*.cat\* -exec rm -f {} \; dos2unix contrib/ms2isc/* %build -CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -fno-strict-aliasing -Wno-unused" +CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -Wno-unused" %ifarch ppc ppc64 s390x # bugs 134590, 171532 CFLAGS="$CFLAGS -fsigned-char" 
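Review bot: Removing `-fno-strict-aliasing` from the `%build` CFLAGS in dhcp.spec is justified only by the changelog's "no longer needed"; nothing in this patch shows that the sources were checked for type-punning casts. In a daemon that parses network packets, type-based alias analysis under the optimisation level from `$RPM_OPT_FLAGS` can change behaviour without any diagnostic. I would keep the flag until a build with `-Wstrict-aliasing=2` added to this CFLAGS line is warning-free, and record that result in dhcp.changes. The `%build` section continues outside the hunk.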
@@ -244,7 +244,7 @@ CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -fno-strict-aliasing -Wno-unused" %else CFLAGS="$CFLAGS -fpie" %endif -LDFLAGS="-pie" +LDFLAGS="-Wl,-z,relro,-z,now -pie" FFLAGS="$CFLAGS" CXXFLAGS="$CFLAGS" export RPM_OPT_FLAGS LDFLAGS From 209e98a28b008a3d86047cf55610256a20ce6a69c9fa03c18cc6916067c41f41 Mon Sep 17 00:00:00 2001 
From: Marius Tomaschewski Date: Mon, 29 Aug 2011 15:37:53 +0000 Subject: [PATCH 4/4] - Updated to ISC dhcp-4.2.2 release, providing two security fixes (CVE-2011-2748,CVE-2011-2749,[ISC-Bugs #24960],bnc#712653), that allowed remote attackers to cause a denial of service (a daemon exit) via crafted BOOTP packets. Further also DNS update fix to detect overlapping pools or misconfigured fixed-address entries, that caused a server crash during DNS update and other fixes. For a complete list, please see the RELNOTES file provided in the package and also available online at http://www.isc.org/. - Merged/adopted dhclient option-checks, send-hostname-rml, ldap patch, xen-checksum, close-on-exec patches and removed obsolete in6_pktinfo-prototype and relay-no-ip-on-interface patches. - Moved server pid files into chroot directory even chroot is not used and create a link in /var/run, so it can write one when started as user without chroot and avoid stop problems when the chroot sysconfig setting changed (bnc#712438). - Disabled log-info level messages in dhclient(6) quiet mode to avoid excessive logging of non-critical messages (bnc#711420). - Fixed dhclient-script to not remove alias IP when it didn't changed to not wipe out iptables connmark when renewing the lease (bnc#700771). Thanks to James Carter for the patch. - Fixed DDNS-howto.txt reference in the config file; it has been moved to the dhcp-doc package (bnc#697279). - Removed GPL licensed files (bind-*/contrib/dbus) from bind.tgz to ensure, they're not used to build non-GPL dhcp (bnc#714004). 
- Changed to apply strict-aliasing/RELRO for >= 12.x only OBS-URL: https://build.opensuse.org/package/show/network:dhcp/dhcp?expand=0&rev=75 --- dhclient-script | 7 +- dhcp-4.1.1-P1-relay-no-ip-on-interface.diff | 31 --- dhcp-4.1.1-in6_pktinfo-prototype.diff | 21 -- ...1-P1-dhclient-option-checks.bnc675052.diff | 77 ------ dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2 | 3 - dhcp-4.2.1-P1.tar.bz2 | 3 - ...XEC.patch => dhcp-4.2.2-close-on-exec.diff | 226 ++++++++++-------- ....2.2-dhclient-option-checks.bnc675052.diff | 47 ++++ ...dhcp-4.2.2-dhclient-send-hostname-rml.diff | 67 +++--- dhcp-4.2.2-ldap-patch-mt01.diff.bz2 | 3 + ...ludes.diff => dhcp-4.2.2-man-includes.diff | 20 +- dhcp-4.2.2-quiet-dhclient.bnc711420.diff | 17 ++ ...ksum.patch => dhcp-4.2.2-xen-checksum.diff | 110 +++++---- dhcp-4.2.2.tar.bz2 | 3 + dhcp.changes | 29 +++ dhcp.spec | 42 ++-- dhcpd.conf | 2 +- rc.dhcpd | 69 ++++-- rc.dhcpd6 | 69 ++++-- 19 files changed, 453 insertions(+), 393 deletions(-) delete mode 100644 dhcp-4.1.1-P1-relay-no-ip-on-interface.diff delete mode 100644 dhcp-4.1.1-in6_pktinfo-prototype.diff delete mode 100644 dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff delete mode 100644 dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2 delete mode 100644 dhcp-4.2.1-P1.tar.bz2 rename dhcp-4.2.0-CLOEXEC.patch => dhcp-4.2.2-close-on-exec.diff (68%) create mode 100644 dhcp-4.2.2-dhclient-option-checks.bnc675052.diff rename dhcp-4.2.1-dhclient-send-hostname-rml.diff => dhcp-4.2.2-dhclient-send-hostname-rml.diff (57%) create mode 100644 dhcp-4.2.2-ldap-patch-mt01.diff.bz2 rename dhcp-4.1.1-man-includes.diff => dhcp-4.2.2-man-includes.diff (53%) create mode 100644 dhcp-4.2.2-quiet-dhclient.bnc711420.diff rename dhcp-4.2.0-xen-checksum.patch => dhcp-4.2.2-xen-checksum.diff (68%) create mode 100644 dhcp-4.2.2.tar.bz2 diff --git a/dhclient-script b/dhclient-script index caccc29..733a1a0 100644 --- a/dhclient-script +++ b/dhclient-script 
@@ -400,8 +400,8 @@ ARPCHECK|ARPSEND) BOUND|RENEW|REBIND|REBOOT) #################################################################### - if [ x$old_ip_address != x -a x$alias_ip_address != x ] && \ - [ x$alias_ip_address != x$old_ip_address ] ; + if [ x$alias_ip_address != x -a x$alias_ip_address != x$old_ip_address -a \ + x$new_ip_address != x$old_ip_address ] ; then # Possible new alias. Remove old alias. /sbin/ip addr del $alias_ip_address/$alias_subnet_mask dev $interface @@ -426,7 +426,8 @@ BOUND|RENEW|REBIND|REBOOT) set_ipv4_routes fi - if [ x$new_ip_address != x$alias_ip_address -a x$alias_ip_address != x ]; + if [ x$new_ip_address != x$alias_ip_address -a x$alias_ip_address != x \ + -a x$new_ip_address != x$old_ip_address ]; then /sbin/ip addr add $alias_ip_address/$alias_subnet_mask \ dev $interface diff --git a/dhcp-4.1.1-P1-relay-no-ip-on-interface.diff b/dhcp-4.1.1-P1-relay-no-ip-on-interface.diff deleted file mode 100644 index 68e1e3f..0000000 --- a/dhcp-4.1.1-P1-relay-no-ip-on-interface.diff +++ /dev/null 
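Review bot: The rewritten tests in the `BOUND|RENEW|REBIND|REBOOT)` branch expand `$alias_ip_address`, `$old_ip_address` and `$new_ip_address` unquoted inside `[ ... -a ... ]`, so a value containing whitespace or a glob character is split or expanded before `[` sees it, and chains of `-a` are parsed ambiguously by some shells. These variables are presumably exported by dhclient from lease and configuration data, so I would quote them and join the tests with `&&`: `if [ "x$alias_ip_address" != x ] && [ "x$alias_ip_address" != "x$old_ip_address" ] && [ "x$new_ip_address" != "x$old_ip_address" ]`. The same applies to the alias re-add test in the second hunk. The first hunk also drops the former `x$old_ip_address != x` guard, so on a first bind with an alias configured the `ip addr del` now appears to run; confirm that is intended. The case branch starts and ends outside both hunks.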
@@ -1,31 +0,0 @@ -From 4509d956715297469469ab0e207c2641f521470d Mon Sep 17 00:00:00 2001 -From: Marius Tomaschewski -Date: Fri, 29 Oct 2010 18:49:06 +0200 -Subject: [PATCH] dhcp-4.1.1-P1-relay-no-ip-on-interface - -Fix for a dhcrelay segfault while receiving packets on interfaces -without any IPv4 address assigned (bnc#631305, [ISC-Bugs #22409]). - -Signed-off-by: Marius Tomaschewski ---- - relay/dhcrelay.c | 4 ++++ - 1 files changed, 4 insertions(+), 0 deletions(-) - -diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c -index 11676ae..c375c83 100644 ---- a/relay/dhcrelay.c -+++ b/relay/dhcrelay.c -@@ -565,6 +565,10 @@ do_relay4(struct interface_info *ip, struct dhcp_packet *packet, - log_info("Discarding packet with invalid hlen."); - return; - } -+ if (ip->address_count < 1 || ip->addresses == NULL) { -+ log_info("Discarding packet from interface without IP address"); -+ return; -+ } - - /* Find the interface that corresponds to the giaddr - in the packet. */ --- -1.7.1 - diff --git a/dhcp-4.1.1-in6_pktinfo-prototype.diff b/dhcp-4.1.1-in6_pktinfo-prototype.diff deleted file mode 100644 index 951134f..0000000 --- a/dhcp-4.1.1-in6_pktinfo-prototype.diff +++ /dev/null @@ -1,21 +0,0 @@ -diff --git a/common/socket.c b/common/socket.c -index 036f7ae..6f56740 100644 ---- a/common/socket.c -+++ b/common/socket.c -@@ -40,11 +40,16 @@ - * I have implemented it under Linux; other systems should be doable also. - */ - -+#ifndef _GNU_SOURCE -+#define _GNU_SOURCE -+#endif - #include "dhcpd.h" - #include - #include - #include - #include -+#include /* for struct in6_pktinfo, with glibc >= 2.10.1 -+ _GNU_SOURCE required to enable it */ - - #ifdef USE_SOCKET_FALLBACK - # if !defined (USE_SOCKET_SEND) diff --git a/dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff b/dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff deleted file mode 100644 index f4210ee..0000000 --- a/dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff +++ /dev/null 
@@ -1,77 +0,0 @@ -From 7c0b7ae289a0f25853bd4bb660f3dd34b5c1ce88 Mon Sep 17 00:00:00 2001 -From: Marius Tomaschewski -Date: Wed, 27 Apr 2011 13:56:47 +0200 -Subject: [PATCH] dhclient string option checks - -Merged dhclient pretty escape and string option checks. -Use relaxed domain-name option check causing a regression, when the -server is misusing it to provide a domain list and does not provide -it via the domain-search option; pretty escape semicolon as well -(bnc#675052, CVE-2011-0997). - -Signed-off-by: Marius Tomaschewski ---- - client/dhclient.c | 8 ++++---- - common/options.c | 2 +- - 2 files changed, 5 insertions(+), 5 deletions(-) - -diff --git a/client/dhclient.c b/client/dhclient.c -index 970b935..93db494 100644 ---- a/client/dhclient.c -+++ b/client/dhclient.c -@@ -3142,7 +3142,7 @@ void script_write_params (client, prefix, lease) - } else { - log_error("suspect value in %s " - "option - discarded", -- lease->filename); -+ "filename"); - } - } - -@@ -3155,7 +3155,7 @@ void script_write_params (client, prefix, lease) - } else { - log_error("suspect value in %s " - "option - discarded", -- lease->server_name); -+ "server-name"); - } - } - -@@ -4077,7 +4077,7 @@ static int check_domain_name(const char *ptr, size_t len, int dots) - const char *p; - - /* not empty or complete length not over 255 characters */ -- if ((len == 0) || (len > 256)) -+ if ((len == 0) || (len >= 256)) - return(-1); - - /* consists of [[:alnum:]-]+ labels separated by [.] 
*/ -@@ -4140,11 +4140,11 @@ static int check_option_values(struct universe *universe, - if ((universe == NULL) || (universe == &dhcp_universe)) { - switch(opt) { - case DHO_HOST_NAME: -- case DHO_DOMAIN_NAME: - case DHO_NIS_DOMAIN: - case DHO_NETBIOS_SCOPE: - return check_domain_name(ptr, len, 0); - break; -+ case DHO_DOMAIN_NAME: /* accept a list for compatibiliy */ - case DHO_DOMAIN_SEARCH: - return check_domain_name_list(ptr, len, 0); - break; -diff --git a/common/options.c b/common/options.c -index c26f88c..8b4be65 100644 ---- a/common/options.c -+++ b/common/options.c -@@ -3916,7 +3916,7 @@ pretty_escape(char **dst, char *dend, const unsigned char **src, - } - } else if (**src == '"' || **src == '\'' || **src == '$' || - **src == '`' || **src == '\\' || **src == '|' || -- **src == '&') { -+ **src == '&' || **src == ';') { - if (*dst + 2 > dend) - return -1; - --- -1.7.3.4 - diff --git a/dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2 b/dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2 deleted file mode 100644 index d7cb6ba..0000000 --- a/dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:6f1458dc06686ad2c80111f09d1ffc61f0f7feecbd9e693bdc55904a35708608 -size 11461 diff --git a/dhcp-4.2.1-P1.tar.bz2 b/dhcp-4.2.1-P1.tar.bz2 deleted file mode 100644 index b0e4b27..0000000 --- a/dhcp-4.2.1-P1.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:cb8e19d01c5ab5de1da759c3fb34e4967e863e78c8d6106d2cbb0ffeaa80df76 -size 8659247 diff --git a/dhcp-4.2.0-CLOEXEC.patch b/dhcp-4.2.2-close-on-exec.diff similarity index 68% rename from dhcp-4.2.0-CLOEXEC.patch rename to dhcp-4.2.2-close-on-exec.diff index 3107eca..a633a05 100644 --- a/dhcp-4.2.0-CLOEXEC.patch +++ b/dhcp-4.2.2-close-on-exec.diff 
@@ -1,15 +1,17 @@ ---- client/clparse.c.orig -+++ client/clparse.c -@@ -210,7 +210,7 @@ int read_client_conf_file (const char *n +diff --git a/client/clparse.c b/client/clparse.c +index 9de4ce2..ca24ba6 100644 +--- a/client/clparse.c ++++ b/client/clparse.c +@@ -220,7 +220,7 @@ int read_client_conf_file (const char *name, struct interface_info *ip, int token; isc_result_t status; - + - if ((file = open (name, O_RDONLY)) < 0) + if ((file = open (name, O_RDONLY | O_CLOEXEC)) < 0) return uerr2isc (errno); cfile = NULL; -@@ -247,7 +247,7 @@ void read_client_leases () +@@ -257,7 +257,7 @@ void read_client_leases () /* Open the lease file. If we can't open it, just return - we can safely trust the server to remember our state. */ @@ -18,9 +20,11 @@ return; cfile = NULL; ---- client/dhclient.c.orig -+++ client/dhclient.c -@@ -127,11 +127,11 @@ main(int argc, char **argv) { +diff --git a/client/dhclient.c b/client/dhclient.c +index 82c26bb..a1cab01 100644 +--- a/client/dhclient.c ++++ b/client/dhclient.c +@@ -131,11 +131,11 @@ main(int argc, char **argv) { /* Make sure that file descriptors 0 (stdin), 1, (stdout), and 2 (stderr) are open. To do this, we assume that when we open a file the lowest available file descriptor is used. */ @@ -35,7 +39,7 @@ if (fd == 2) log_perror = 0; /* No sense logging to /dev/null. */ else if (fd != -1) -@@ -406,7 +406,7 @@ main(int argc, char **argv) { +@@ -423,7 +423,7 @@ main(int argc, char **argv) { int e; oldpid = 0; @@ -44,7 +48,7 @@ e = fscanf(pidfd, "%ld\n", &temp); oldpid = (pid_t)temp; -@@ -2627,7 +2627,7 @@ void rewrite_client_leases () +@@ -2689,7 +2689,7 @@ void rewrite_client_leases () if (leaseFile != NULL) fclose (leaseFile); @@ -53,7 +57,7 @@ if (leaseFile == NULL) { log_error ("can't create %s: %m", path_dhclient_db); return; -@@ -2731,7 +2731,7 @@ write_duid(struct data_string *duid) +@@ -2799,7 +2799,7 @@ write_duid(struct data_string *duid) return DHCP_R_INVALIDARG; if (leaseFile == NULL) { /* XXX? */ 
@@ -62,7 +66,7 @@ if (leaseFile == NULL) { log_error("can't create %s: %m", path_dhclient_db); return ISC_R_IOERROR; -@@ -2779,7 +2779,7 @@ write_client6_lease(struct client_state +@@ -2847,7 +2847,7 @@ write_client6_lease(struct client_state *client, struct dhc6_lease *lease, return DHCP_R_INVALIDARG; if (leaseFile == NULL) { /* XXX? */ @@ -71,7 +75,7 @@ if (leaseFile == NULL) { log_error("can't create %s: %m", path_dhclient_db); return ISC_R_IOERROR; -@@ -2911,7 +2911,7 @@ int write_client_lease (client, lease, r +@@ -2979,7 +2979,7 @@ int write_client_lease (client, lease, rewrite, makesure) return 1; if (leaseFile == NULL) { /* XXX */ @@ -80,7 +84,7 @@ if (leaseFile == NULL) { log_error ("can't create %s: %m", path_dhclient_db); return 0; -@@ -3400,9 +3400,9 @@ void go_daemon () +@@ -3472,9 +3472,9 @@ void go_daemon () close(2); /* Reopen them on /dev/null. */ @@ -93,25 +97,10 @@ write_client_pid_file (); -@@ -3414,14 +3414,14 @@ void write_client_pid_file () - FILE *pf; - int pfdesc; - -- pfdesc = open (path_dhclient_pid, O_CREAT | O_TRUNC | O_WRONLY, 0644); -+ pfdesc = open (path_dhclient_pid, O_CREAT | O_TRUNC | O_WRONLY | O_CLOEXEC, 0644); - - if (pfdesc < 0) { - log_error ("Can't create %s: %m", path_dhclient_pid); - return; - } - -- pf = fdopen (pfdesc, "w"); -+ pf = fdopen (pfdesc, "we"); - if (!pf) - log_error ("Can't fdopen %s: %m", path_dhclient_pid); - else { ---- common/bpf.c.orig -+++ common/bpf.c +diff --git a/common/bpf.c b/common/bpf.c +index 8bd5727..7b8f1d4 100644 +--- a/common/bpf.c ++++ b/common/bpf.c @@ -94,7 +94,7 @@ int if_register_bpf (info) for (b = 0; 1; b++) { /* %Audit% 31 bytes max. %2004.06.17,Safe% */ 
@@ -121,9 +110,11 @@ if (sock < 0) { if (errno == EBUSY) { continue; ---- common/discover.c.orig -+++ common/discover.c -@@ -409,7 +409,7 @@ begin_iface_scan(struct iface_conf_list +diff --git a/common/discover.c b/common/discover.c +index 1d84219..93a278e 100644 +--- a/common/discover.c ++++ b/common/discover.c +@@ -421,7 +421,7 @@ begin_iface_scan(struct iface_conf_list *ifaces) { int len; int i; @@ -132,7 +123,7 @@ if (ifaces->fp == NULL) { log_error("Error opening '/proc/net/dev' to list interfaces"); return 0; -@@ -444,7 +444,7 @@ begin_iface_scan(struct iface_conf_list +@@ -456,7 +456,7 @@ begin_iface_scan(struct iface_conf_list *ifaces) { #ifdef DHCPv6 if (local_family == AF_INET6) { @@ -141,9 +132,11 @@ if (ifaces->fp6 == NULL) { log_error("Error opening '/proc/net/if_inet6' to " "list IPv6 interfaces; %m"); ---- common/dlpi.c.orig -+++ common/dlpi.c -@@ -808,7 +808,7 @@ dlpiopen(const char *ifname) { +diff --git a/common/dlpi.c b/common/dlpi.c +index b9eb1d3..c044ec6 100644 +--- a/common/dlpi.c ++++ b/common/dlpi.c +@@ -806,7 +806,7 @@ dlpiopen(const char *ifname) { } *dp = '\0'; @@ -152,8 +145,10 @@ } /* ---- common/nit.c.orig -+++ common/nit.c +diff --git a/common/nit.c b/common/nit.c +index 0da9c36..896cbb6 100644 +--- a/common/nit.c ++++ b/common/nit.c @@ -81,7 +81,7 @@ int if_register_nit (info) struct strioctl sio; @@ -163,8 +158,10 @@ if (sock < 0) log_fatal ("Can't open NIT device for %s: %m", info -> name); ---- common/resolv.c.orig -+++ common/resolv.c +diff --git a/common/resolv.c b/common/resolv.c +index b29d4cf..d946ccc 100644 +--- a/common/resolv.c ++++ b/common/resolv.c @@ -49,7 +49,7 @@ void read_resolv_conf (parse_time) struct domain_search_list *dp, *dl, *nd; isc_result_t status; @@ -174,8 +171,10 @@ log_error ("Can't open %s: %m", path_resolv_conf); return; } ---- common/upf.c.orig -+++ common/upf.c +diff --git a/common/upf.c b/common/upf.c +index fff3949..4f9318e 100644 +--- a/common/upf.c ++++ b/common/upf.c 
@@ -77,7 +77,7 @@ int if_register_upf (info) /* %Audit% Cannot exceed 36 bytes. %2004.06.17,Safe% */ sprintf(filename, "/dev/pf/pfilt%d", b); @@ -185,9 +184,11 @@ if (sock < 0) { if (errno == EBUSY) { continue; ---- dst/dst_api.c.orig -+++ dst/dst_api.c -@@ -437,7 +437,7 @@ dst_s_write_private_key(const DST_KEY *k +diff --git a/dst/dst_api.c b/dst/dst_api.c +index 8925c66..fa4eb5f 100644 +--- a/dst/dst_api.c ++++ b/dst/dst_api.c +@@ -437,7 +437,7 @@ dst_s_write_private_key(const DST_KEY *key) PRIVATE_KEY, PATH_MAX); /* Do not overwrite an existing file */ @@ -196,7 +197,7 @@ int nn; if ((nn = fwrite(encoded_block, 1, len, fp)) != len) { EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n", -@@ -494,7 +494,7 @@ dst_s_read_public_key(const char *in_nam +@@ -494,7 +494,7 @@ dst_s_read_public_key(const char *in_name, const unsigned in_id, int in_alg) * flags, proto, alg stored as decimal (or hex numbers FIXME). * (FIXME: handle parentheses for line continuation.) */ @@ -205,7 +206,7 @@ EREPORT(("dst_read_public_key(): Public Key not found %s\n", name)); return (NULL); -@@ -620,7 +620,7 @@ dst_s_write_public_key(const DST_KEY *ke +@@ -620,7 +620,7 @@ dst_s_write_public_key(const DST_KEY *key) return (0); } /* create public key file */ @@ -214,7 +215,7 @@ EREPORT(("DST_write_public_key: open of file:%s failed (errno=%d)\n", filename, errno)); return (0); -@@ -854,7 +854,7 @@ dst_s_read_private_key_file(char *name, +@@ -854,7 +854,7 @@ dst_s_read_private_key_file(char *name, DST_KEY *pk_key, unsigned in_id, return (0); } /* first check if we can find the key file */ 
@@ -223,9 +224,11 @@ EREPORT(("dst_s_read_private_key_file: Could not open file %s in directory %s\n", filename, dst_path[0] ? dst_path : (char *) getcwd(NULL, PATH_MAX - 1))); ---- dst/prandom.c.orig -+++ dst/prandom.c -@@ -269,7 +269,7 @@ get_dev_random(u_char *output, unsigned +diff --git a/dst/prandom.c b/dst/prandom.c +index 4de3fe4..fbbe07c 100644 +--- a/dst/prandom.c ++++ b/dst/prandom.c +@@ -269,7 +269,7 @@ get_dev_random(u_char *output, unsigned size) s = stat("/dev/random", &st); if (s == 0 && S_ISCHR(st.st_mode)) { @@ -243,9 +246,11 @@ return (0); for (no = 0; (i = fread(buf, sizeof(*buf), sizeof(buf), fp)) > 0; no += i) ---- omapip/trace.c.orig -+++ omapip/trace.c -@@ -141,10 +141,10 @@ isc_result_t trace_begin (const char *fi +diff --git a/omapip/trace.c b/omapip/trace.c +index 9fd3fb5..9c4e11e 100644 +--- a/omapip/trace.c ++++ b/omapip/trace.c +@@ -141,10 +141,10 @@ isc_result_t trace_begin (const char *filename, return DHCP_R_INVALIDARG; } @@ -258,7 +263,7 @@ 0600); } -@@ -431,7 +431,7 @@ void trace_file_replay (const char *file +@@ -431,7 +431,7 @@ void trace_file_replay (const char *filename) isc_result_t result; int len; @@ -267,9 +272,11 @@ if (!traceinfile) { log_error("Can't open tracefile %s: %m", filename); return; ---- relay/dhcrelay.c.orig -+++ relay/dhcrelay.c -@@ -177,11 +177,11 @@ main(int argc, char **argv) { +diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c +index f21f16f..d2aa90e 100644 +--- a/relay/dhcrelay.c ++++ b/relay/dhcrelay.c +@@ -183,11 +183,11 @@ main(int argc, char **argv) { /* Make sure that file descriptors 0(stdin), 1,(stdout), and 2(stderr) are open. To do this, we assume that when we open a file the lowest available file descriptor is used. */ 
@@ -284,24 +291,28 @@ if (fd == 2) log_perror = 0; /* No sense logging to /dev/null. */ else if (fd != -1) -@@ -520,12 +520,12 @@ main(int argc, char **argv) { - exit(0); +@@ -540,13 +540,14 @@ main(int argc, char **argv) { - pfdesc = open(path_dhcrelay_pid, -- O_CREAT | O_TRUNC | O_WRONLY, 0644); -+ O_CREAT | O_TRUNC | O_WRONLY | O_CLOEXEC, 0644); + if (no_pid_file == ISC_FALSE) { + pfdesc = open(path_dhcrelay_pid, +- O_CREAT | O_TRUNC | O_WRONLY, 0644); ++ O_CREAT | O_TRUNC | O_WRONLY | ++ O_CLOEXEC, 0644); - if (pfdesc < 0) { - log_error("Can't create %s: %m", path_dhcrelay_pid); - } else { -- pf = fdopen(pfdesc, "w"); -+ pf = fdopen(pfdesc, "we"); - if (!pf) - log_error("Can't fdopen %s: %m", - path_dhcrelay_pid); ---- server/confpars.c.orig -+++ server/confpars.c -@@ -116,7 +116,7 @@ isc_result_t read_conf_file (const char + if (pfdesc < 0) { + log_error("Can't create %s: %m", + path_dhcrelay_pid); + } else { +- pf = fdopen(pfdesc, "w"); ++ pf = fdopen(pfdesc, "we"); + if (!pf) + log_error("Can't fdopen %s: %m", + path_dhcrelay_pid); +diff --git a/server/confpars.c b/server/confpars.c +index c0742d4..62568e9 100644 +--- a/server/confpars.c ++++ b/server/confpars.c +@@ -116,7 +116,7 @@ isc_result_t read_conf_file (const char *filename, struct group *group, } #endif @@ -310,8 +321,10 @@ if (leasep) { log_error ("Can't open lease database %s: %m --", path_dhcpd_db); ---- server/db.c.orig -+++ server/db.c +diff --git a/server/db.c b/server/db.c +index dc75321..be5db26 100644 +--- a/server/db.c ++++ b/server/db.c @@ -1035,7 +1035,7 @@ void db_startup (testp) } #endif 
@@ -339,9 +352,11 @@ log_error("Can't fdopen new lease file: %m"); close(db_fd); goto fdfail; ---- server/dhcpd.c.orig -+++ server/dhcpd.c -@@ -272,11 +272,11 @@ main(int argc, char **argv) { +diff --git a/server/dhcpd.c b/server/dhcpd.c +index 27e04e4..9233d26 100644 +--- a/server/dhcpd.c ++++ b/server/dhcpd.c +@@ -274,11 +274,11 @@ main(int argc, char **argv) { /* Make sure that file descriptors 0 (stdin), 1, (stdout), and 2 (stderr) are open. To do this, we assume that when we open a file the lowest available file descriptor is used. */ 
@@ -356,25 +371,25 @@ if (fd == 2) log_perror = 0; /* No sense logging to /dev/null. */ else if (fd != -1) -@@ -800,7 +800,7 @@ main(int argc, char **argv) { - #endif /* PARANOIA */ +@@ -809,7 +809,7 @@ main(int argc, char **argv) { + */ + if (no_pid_file == ISC_FALSE) { + /*Read previous pid file. */ +- if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) { ++ if ((i = open (path_dhcpd_pid, O_RDONLY | O_CLOEXEC)) >= 0) { + status = read(i, pbuf, (sizeof pbuf) - 1); + close (i); + if (status > 0) { +@@ -828,7 +828,7 @@ main(int argc, char **argv) { + } - /* Read previous pid file. */ -- if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) { -+ if ((i = open (path_dhcpd_pid, O_RDONLY | O_CLOEXEC)) >= 0) { - status = read(i, pbuf, (sizeof pbuf) - 1); - close (i); - if (status > 0) { -@@ -818,7 +818,7 @@ main(int argc, char **argv) { - } - - /* Write new pid file. */ -- if ((i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC, 0644)) >= 0) { -+ if ((i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644)) >= 0) { - sprintf(pbuf, "%d\n", (int) getpid()); - IGNORE_RET (write(i, pbuf, strlen(pbuf))); - close(i); -@@ -844,9 +844,9 @@ main(int argc, char **argv) { + /* Write new pid file. */ +- i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC, 0644); ++ i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644); + if (i >= 0) { + sprintf(pbuf, "%d\n", (int) getpid()); + IGNORE_RET (write(i, pbuf, strlen(pbuf))); +@@ -856,9 +856,9 @@ main(int argc, char **argv) { close(2); /* Reopen them on /dev/null. */ @@ -387,8 +402,10 @@ log_perror = 0; /* No sense logging to /dev/null. */ IGNORE_RET (chdir("/")); ---- server/ldap.c.orig -+++ server/ldap.c +diff --git a/server/ldap.c b/server/ldap.c +index 68acbbb..77efe26 100644 +--- a/server/ldap.c ++++ b/server/ldap.c @@ -1098,7 +1098,7 @@ ldap_start (void) if (ldap_debug_file != NULL && ldap_debug_fd == -1) 
@@ -398,3 +415,6 @@ S_IRUSR | S_IWUSR)) < 0) log_error ("Error opening debug LDAP log file %s: %s", ldap_debug_file, strerror (errno)); +-- +1.7.3.4 + diff --git a/dhcp-4.2.2-dhclient-option-checks.bnc675052.diff b/dhcp-4.2.2-dhclient-option-checks.bnc675052.diff new file mode 100644 index 0000000..6414600 --- /dev/null +++ b/dhcp-4.2.2-dhclient-option-checks.bnc675052.diff @@ -0,0 +1,47 @@ +diff --git a/client/dhclient.c b/client/dhclient.c +index 9fd7ccc..82c26bb 100644 +--- a/client/dhclient.c ++++ b/client/dhclient.c +@@ -3251,7 +3251,7 @@ void script_write_params (client, prefix, lease) + } else { + log_error("suspect value in %s " + "option - discarded", +- lease->filename); ++ "filename"); + } + } + +@@ -3264,7 +3264,7 @@ void script_write_params (client, prefix, lease) + } else { + log_error("suspect value in %s " + "option - discarded", +- lease->server_name); ++ "server-name"); + } + } + +@@ -4193,7 +4193,7 @@ static int check_domain_name(const char *ptr, size_t len, int dots) + const char *p; + + /* not empty or complete length not over 255 characters */ +- if ((len == 0) || (len > 256)) ++ if ((len == 0) || (len >= 256)) + return(-1); + + /* consists of [[:alnum:]-]+ labels separated by [.] */ +diff --git a/common/options.c b/common/options.c +index 80fd8db..6b95f3b 100644 +--- a/common/options.c ++++ b/common/options.c +@@ -3916,7 +3916,7 @@ pretty_escape(char **dst, char *dend, const unsigned char **src, + } + } else if (**src == '"' || **src == '\'' || **src == '$' || + **src == '`' || **src == '\\' || **src == '|' || +- **src == '&') { ++ **src == '&' || **src == ';') { + if (*dst + 2 > dend) + return -1; + +-- +1.7.3.4 + diff --git a/dhcp-4.2.1-dhclient-send-hostname-rml.diff b/dhcp-4.2.2-dhclient-send-hostname-rml.diff similarity index 57% rename from dhcp-4.2.1-dhclient-send-hostname-rml.diff rename to dhcp-4.2.2-dhclient-send-hostname-rml.diff index 89be585..64fac9f 100644 --- a/dhcp-4.2.1-dhclient-send-hostname-rml.diff 
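Review bot: The condition in pretty_escape is a denylist, and the hunk extends it by `;` without recording who depends on it or that it is incomplete. Presumably the escaped value ends up in the environment of the client script (script_write_params is patched in the same file set), so a comment above the condition would make the contract explicit: `/* Escape shell metacharacters; not exhaustive, consumers must still quote the value. */`. Characters such as `<`, `>`, `(` and `)` are not in the visible condition, and whether an earlier branch covers them cannot be seen because pretty_escape starts outside the hunk.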
+++ b/dhcp-4.2.2-dhclient-send-hostname-rml.diff @@ -1,34 +1,34 @@ diff --git a/client/dhclient.8 b/client/dhclient.8 -index 7a3c154..e284210 100644 +index 6306b08..1394c38 100644 --- a/client/dhclient.8 +++ b/client/dhclient.8 -@@ -64,6 +64,10 @@ dhclient - Dynamic Host Configuration Protocol Client - .I port +@@ -60,6 +60,10 @@ dhclient - Dynamic Host Configuration Protocol Client + .I LL|LLT ] [ +.B -H +.I hostname +] +[ - .B -d + .B -p + .I port ] - [ -@@ -305,6 +309,10 @@ If a different port is specified on which the client should listen and - transmit, the client will also use a different destination port - - one less than the specified port. +@@ -299,6 +303,10 @@ PID file. When shutdown via this method + .B dhclient-script(8) + will be executed with the specific reason for calling the script set. .TP +.BI \-H \ hostname +This flag may be used to specify a client hostname that should be sent to +the DHCP server. Note, that this option is a SUSE/Novell extension. +.TP - .BI \-s \ server - Specify the server IP address or fully qualified domain name to use as - a destination for DHCP protocol messages before + .BI \-p \ port + The UDP port number on which the DHCP client should listen and transmit. + If unspecified, diff --git a/client/dhclient.c b/client/dhclient.c -index dc19e8b..bd02cc9 100644 +index 9b53f07..9fd7ccc 100644 --- a/client/dhclient.c +++ b/client/dhclient.c -@@ -110,6 +110,7 @@ main(int argc, char **argv) { +@@ -119,6 +119,7 @@ main(int argc, char **argv) { int no_dhclient_db = 0; int no_dhclient_pid = 0; int no_dhclient_script = 0; 
@@ -36,24 +36,30 @@ index dc19e8b..bd02cc9 100644 #ifdef DHCPv6 int local_family_set = 0; #endif /* DHCPv6 */ -@@ -220,6 +221,16 @@ main(int argc, char **argv) { +@@ -231,6 +232,22 @@ main(int argc, char **argv) { if (++i == argc) usage(); mockup_relay = argv[i]; + } else if (!strcmp (argv[i], "-H")) { ++ size_t len; + if (++i == argc || !argv[i] || *(argv[i]) == '\0') + usage (); -+ if (strlen (argv[i]) > HOST_NAME_MAX) { ++ len = strlen (argv[i]); ++ if (len > HOST_NAME_MAX) { + log_error("-H option host-name string \"%s\" is too long:" + "maximum length is %d characters", + argv[i], HOST_NAME_MAX); + exit(1); ++ } else if(check_domain_name(argv[i], len, 0) != 0) { ++ log_error("suspect host-name in -H \"%s\"", ++ argv[i]); ++ exit(1); + } + dhclient_hostname = argv [i]; } else if (!strcmp(argv[i], "-nw")) { nowait = 1; } else if (!strcmp(argv[i], "-n")) { -@@ -468,6 +479,32 @@ main(int argc, char **argv) { +@@ -484,6 +501,35 @@ main(int argc, char **argv) { /* Parse the dhclient.conf file. */ read_client_conf(); @@ -63,10 +69,12 @@ index dc19e8b..bd02cc9 100644 + char buf[HOST_NAME_MAX + 40]; + int len; + -+ snprintf (buf, sizeof(buf), "send host-name \"%s\";", dhclient_hostname); ++ snprintf (buf, sizeof(buf), "send host-name \"%s\";", ++ dhclient_hostname); + len = strlen(buf); + -+ status = new_parse (&cfile, -1, buf, len, "host-name option", 0); ++ status = new_parse (&cfile, -1, buf, len, ++ "host-name option", 0); + if (status != ISC_R_SUCCESS) + log_fatal ("Cannot parse send host-name statement!"); + @@ -78,7 +86,8 @@ index dc19e8b..bd02cc9 100644 + if (token == END_OF_FILE) + break; + -+ parse_client_statement (cfile, NULL, &top_level_config); ++ parse_client_statement (cfile, NULL, ++ &top_level_config); + } + end_parse (&cfile); + } 
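Review bot: The new check_domain_name() call on the -H argument is an input-validation boundary and deserves a comment saying so. In the next hunk the value is interpolated into `send host-name \"%s\";` and handed to new_parse(), so the label check is what keeps a quote or semicolon in the argument from changing the parsed statement. Suggested comment above the `else if`: `/* -H is pasted into a quoted config statement below; accept only a plain host name. */`. As a smaller point, snprintf already returns the length, so `len = snprintf (buf, sizeof(buf), ...)` followed by `if (len < 0 || len >= (int)sizeof(buf))` would replace the separate strlen() and make truncation explicit. main() starts and ends outside these hunks.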
@@ -86,19 +95,15 @@ index dc19e8b..bd02cc9 100644 /* Parse the lease database. */ read_client_leases(); -@@ -676,12 +713,12 @@ static void usage() +@@ -708,9 +754,9 @@ static void usage() - log_error("Usage: dhclient %s %s", + log_fatal("Usage: dhclient " #ifdef DHCPv6 -- "[-4|-6] [-SNTP1dvrx] [-nw] [-p ] [-D LL|LLT]", -+ "[-4|-6] [-SNTP1dvrx] [-nw] [-H ] [-p ] [-D LL|LLT]", +- "[-4|-6] [-SNTP1dvrx] [-nw] [-p ] [-D LL|LLT]\n" ++ "[-4|-6] [-SNTP1dvrx] [-nw] [-H ] [-p ] [-D LL|LLT]\n" #else /* DHCPv6 */ -- "[-1dvrx] [-nw] [-p ]", -+ "[-1dvrx] [-nw] [-H ] [-p ]", +- "[-1dvrx] [-nw] [-p ]\n" ++ "[-1dvrx] [-nw] [-H ] [-p ]\n" #endif /* DHCPv6 */ - "[-s server]"); -- log_error(" [-cf config-file] [-lf lease-file]%s", -+ log_error(" [-cf config-file] [-lf lease-file] %s", - "[-pf pid-file] [-e VAR=val]"); - log_fatal(" [-sf script-file] [interface]"); - } + " [-s server-addr] [-cf config-file] " + "[-lf lease-file]\n" diff --git a/dhcp-4.2.2-ldap-patch-mt01.diff.bz2 b/dhcp-4.2.2-ldap-patch-mt01.diff.bz2 new file mode 100644 index 0000000..5e94734 --- /dev/null +++ b/dhcp-4.2.2-ldap-patch-mt01.diff.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:b113289cbcaf5d9f76892b48a6c8a452f7f2180aab1a06a8acacc49d0fa137a9 +size 11732 diff --git a/dhcp-4.1.1-man-includes.diff b/dhcp-4.2.2-man-includes.diff similarity index 53% rename from dhcp-4.1.1-man-includes.diff rename to dhcp-4.2.2-man-includes.diff index c065a19..519ce60 100644 --- a/dhcp-4.1.1-man-includes.diff +++ b/dhcp-4.2.2-man-includes.diff @@ -1,26 +1,28 @@ diff --git a/dhcpctl/dhcpctl.3 b/dhcpctl/dhcpctl.3 -index 2e1cb8a..ee44755 100644 +index 9aa1851..7497612 100644 --- a/dhcpctl/dhcpctl.3 
+++ b/dhcpctl/dhcpctl.3 -@@ -425,7 +425,7 @@ that most error checking has been ommitted for brevity. - #include +@@ -430,8 +430,8 @@ that most error checking has been ommitted for brevity. #include + #include --#include -+#include - #include +-#include "omapip/result.h" +-#include "dhcpctl.h" ++#include ++#include int main (int argc, char **argv) { + dhcpctl_data_string ipaddrstring = NULL; diff --git a/omapip/omapi.3 b/omapip/omapi.3 -index 4673549..8e2503f 100644 +index 4868d7c..23389b0 100644 --- a/omapip/omapi.3 +++ b/omapip/omapi.3 -@@ -87,7 +87,7 @@ the lease ends. +@@ -88,7 +88,7 @@ the lease ends. #include #include - #include -+ #include ++ #include #include int main (int argc, char **argv) { diff --git a/dhcp-4.2.2-quiet-dhclient.bnc711420.diff b/dhcp-4.2.2-quiet-dhclient.bnc711420.diff new file mode 100644 index 0000000..dc27937 --- /dev/null +++ b/dhcp-4.2.2-quiet-dhclient.bnc711420.diff @@ -0,0 +1,17 @@ +diff --git a/client/dhclient.c b/client/dhclient.c +index a1cab01..ff5ede5 100644 +--- a/client/dhclient.c ++++ b/client/dhclient.c +@@ -444,6 +444,9 @@ main(int argc, char **argv) { + } else { + log_perror = 0; + quiet_interface_discovery = 1; ++#if !defined(DEBUG) ++ setlogmask(LOG_UPTO(LOG_NOTICE)); ++#endif + } + + /* If we're given a relay agent address to insert, for testing +-- +1.7.3.4 + diff --git a/dhcp-4.2.0-xen-checksum.patch b/dhcp-4.2.2-xen-checksum.diff similarity index 68% rename from dhcp-4.2.0-xen-checksum.patch rename to dhcp-4.2.2-xen-checksum.diff index debd3f0..dc900ed 100644 --- a/dhcp-4.2.0-xen-checksum.patch +++ b/dhcp-4.2.2-xen-checksum.diff 
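Review bot: `setlogmask(LOG_UPTO(LOG_NOTICE))` in the quiet-dhclient patch changes the syslog mask for the whole process, so in the branch that also sets `log_perror = 0` every LOG_INFO message is dropped, not only interface-discovery output. If the client's lease transactions are logged at info level (not visible in this hunk), hosts lose that record in syslog, which matters when reconstructing which address a machine held at a given time. A comment should record the trade-off, e.g. `/* quiet mode: drop LOG_INFO and below from syslog (bnc#711420) */`, and a run-time switch instead of `#if !defined(DEBUG)` would let sites keep the records. main() continues outside the hunk.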
@@ -1,7 +1,8 @@ -diff -up dhcp-4.2.0/common/bpf.c.xen dhcp-4.2.0/common/bpf.c ---- dhcp-4.2.0/common/bpf.c.xen 2009-11-20 02:48:59.000000000 +0100 -+++ dhcp-4.2.0/common/bpf.c 2010-07-21 13:51:24.000000000 +0200 -@@ -485,7 +485,7 @@ ssize_t receive_packet (interface, buf, +diff --git a/common/bpf.c b/common/bpf.c +index b0ef657..8bd5727 100644 +--- a/common/bpf.c ++++ b/common/bpf.c +@@ -485,7 +485,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) offset = decode_udp_ip_header (interface, interface -> rbuf, interface -> rbuf_offset, @@ -10,10 +11,11 @@ diff -up dhcp-4.2.0/common/bpf.c.xen dhcp-4.2.0/common/bpf.c /* If the IP or UDP checksum was bad, skip the packet... */ if (offset < 0) { -diff -up dhcp-4.2.0/common/dlpi.c.xen dhcp-4.2.0/common/dlpi.c ---- dhcp-4.2.0/common/dlpi.c.xen 2009-11-20 02:49:00.000000000 +0100 -+++ dhcp-4.2.0/common/dlpi.c 2010-07-21 13:51:24.000000000 +0200 -@@ -694,7 +694,7 @@ ssize_t receive_packet (interface, buf, +diff --git a/common/dlpi.c b/common/dlpi.c +index 8f2c73d..b9eb1d3 100644 +--- a/common/dlpi.c ++++ b/common/dlpi.c +@@ -693,7 +693,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) length -= offset; #endif offset = decode_udp_ip_header (interface, dbuf, bufix, @@ -22,10 +24,11 @@ diff -up dhcp-4.2.0/common/dlpi.c.xen dhcp-4.2.0/common/dlpi.c /* * If the IP or UDP checksum was bad, skip the packet... -diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c ---- dhcp-4.2.0/common/lpf.c.xen 2009-07-23 20:52:19.000000000 +0200 -+++ dhcp-4.2.0/common/lpf.c 2010-07-21 13:51:24.000000000 +0200 -@@ -29,18 +29,33 @@ +diff --git a/common/lpf.c b/common/lpf.c +index 16eecc9..4bdb0f1 100644 +--- a/common/lpf.c ++++ b/common/lpf.c +@@ -29,19 +29,33 @@ #include "dhcpd.h" #if defined (USE_LPF_SEND) || defined (USE_LPF_RECEIVE) #include 
@@ -38,6 +41,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c #include +#include #include +-#include #include "includes/netinet/ip.h" #include "includes/netinet/udp.h" #include "includes/netinet/if_ether.h" @@ -59,7 +63,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c /* Reinitializes the specified interface after an address change. This is not required for packet-filter APIs. */ -@@ -66,10 +81,14 @@ int if_register_lpf (info) +@@ -67,10 +81,14 @@ int if_register_lpf (info) struct interface_info *info; { int sock; @@ -76,7 +80,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c htons((short)ETH_P_ALL))) < 0) { if (errno == ENOPROTOOPT || errno == EPROTONOSUPPORT || errno == ESOCKTNOSUPPORT || errno == EPFNOSUPPORT || -@@ -84,11 +103,16 @@ int if_register_lpf (info) +@@ -85,11 +103,16 @@ int if_register_lpf (info) log_fatal ("Open a socket for LPF: %m"); } @@ -96,7 +100,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c if (errno == ENOPROTOOPT || errno == EPROTONOSUPPORT || errno == ESOCKTNOSUPPORT || errno == EPFNOSUPPORT || errno == EAFNOSUPPORT || errno == EINVAL) { -@@ -170,9 +194,18 @@ static void lpf_gen_filter_setup (struct +@@ -171,9 +194,18 @@ static void lpf_gen_filter_setup (struct interface_info *); void if_register_receive (info) struct interface_info *info; { 
@@ -115,32 +119,34 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c #if defined (HAVE_TR_SUPPORT) if (info -> hw_address.hbuf [0] == HTYPE_IEEE802) lpf_tr_filter_setup (info); -@@ -294,7 +327,6 @@ ssize_t send_packet (interface, packet, +@@ -295,7 +327,6 @@ ssize_t send_packet (interface, packet, raw, len, from, to, hto) double hh [16]; double ih [1536 / sizeof (double)]; unsigned char *buf = (unsigned char *)ih; -- struct sockaddr sa; +- struct sockaddr_pkt sa; int result; int fudge; -@@ -315,15 +347,7 @@ ssize_t send_packet (interface, packet, +@@ -316,17 +347,7 @@ ssize_t send_packet (interface, packet, raw, len, from, to, hto) (unsigned char *)raw, len); memcpy (buf + ibufp, raw, len); - /* For some reason, SOCK_PACKET sockets can't be connected, - so we have to do a sentdo every time. */ - memset (&sa, 0, sizeof sa); -- sa.sa_family = AF_PACKET; -- strncpy (sa.sa_data, -- (const char *)interface -> ifp, sizeof sa.sa_data); +- sa.spkt_family = AF_PACKET; +- strncpy ((char *)sa.spkt_device, +- (const char *)interface -> ifp, sizeof sa.spkt_device); +- sa.spkt_protocol = htons(ETH_P_IP); - - result = sendto (interface -> wfdesc, -- buf + fudge, ibufp + len - fudge, 0, &sa, sizeof sa); +- buf + fudge, ibufp + len - fudge, 0, +- (const struct sockaddr *)&sa, sizeof sa); + result = write (interface -> wfdesc, buf + fudge, ibufp + len - fudge); if (result < 0) log_error ("send_packet: %m"); return result; -@@ -340,14 +364,35 @@ ssize_t receive_packet (interface, buf, +@@ -343,14 +364,35 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) { int length = 0; int offset = 0; @@ -148,6 +154,8 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c unsigned char ibuf [1536]; unsigned bufix = 0; unsigned paylen; +- +- length = read (interface -> rfdesc, ibuf, sizeof ibuf); + unsigned char cmsgbuf[CMSG_LEN(sizeof(struct tpacket_auxdata))]; + struct iovec iov = { + .iov_base = ibuf, 
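Review bot: In the receive_packet part of the lpf.c patch, `unsigned char cmsgbuf[CMSG_LEN(sizeof(struct tpacket_auxdata))]` sizes the control buffer with CMSG_LEN and declares it as a plain byte array. Ancillary-data buffers should be sized with CMSG_SPACE(), which includes the trailing padding, and be aligned for `struct cmsghdr`. The usual form is `union { struct cmsghdr hdr; unsigned char buf[CMSG_SPACE(sizeof(struct tpacket_auxdata))]; } cmsgbuf;` with `msg_control` and `msg_controllen` taken from `cmsgbuf.buf`. The refresh carries these lines over unchanged, and receive_packet continues outside the hunk, so the loop that reads the buffer is not visible here.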
@@ -160,8 +168,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c + .msg_controllen = sizeof(cmsgbuf), + }; + struct cmsghdr *cmsg; - -- length = read (interface -> rfdesc, ibuf, sizeof ibuf); ++ + length = recvmsg (interface -> rfdesc, &msg, 0); if (length <= 0) return length; @@ -177,7 +184,7 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c bufix = 0; /* Decode the physical header... */ offset = decode_hw_header (interface, ibuf, bufix, hfrom); -@@ -364,7 +409,7 @@ ssize_t receive_packet (interface, buf, +@@ -367,7 +409,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) /* Decode the IP and UDP headers... */ offset = decode_udp_ip_header (interface, ibuf, bufix, from, @@ -186,10 +193,11 @@ diff -up dhcp-4.2.0/common/lpf.c.xen dhcp-4.2.0/common/lpf.c /* If the IP or UDP checksum was bad, skip the packet... */ if (offset < 0) -diff -up dhcp-4.2.0/common/nit.c.xen dhcp-4.2.0/common/nit.c ---- dhcp-4.2.0/common/nit.c.xen 2009-11-20 02:49:01.000000000 +0100 -+++ dhcp-4.2.0/common/nit.c 2010-07-21 13:51:24.000000000 +0200 -@@ -369,7 +369,7 @@ ssize_t receive_packet (interface, buf, +diff --git a/common/nit.c b/common/nit.c +index 3822206..0da9c36 100644 +--- a/common/nit.c ++++ b/common/nit.c +@@ -369,7 +369,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) /* Decode the IP and UDP headers... */ offset = decode_udp_ip_header (interface, ibuf, bufix, @@ -198,9 +206,10 @@ diff -up dhcp-4.2.0/common/nit.c.xen dhcp-4.2.0/common/nit.c /* If the IP or UDP checksum was bad, skip the packet... */ if (offset < 0) -diff -up dhcp-4.2.0/common/packet.c.xen dhcp-4.2.0/common/packet.c ---- dhcp-4.2.0/common/packet.c.xen 2009-07-23 20:52:20.000000000 +0200 -+++ dhcp-4.2.0/common/packet.c 2010-07-21 13:51:24.000000000 +0200 +diff --git a/common/packet.c b/common/packet.c +index 42bca69..fd2d975 100644 +--- a/common/packet.c ++++ b/common/packet.c 
@@ -211,7 +211,7 @@ ssize_t decode_udp_ip_header(struct interface_info *interface, unsigned char *buf, unsigned bufix, @@ -210,7 +219,7 @@ diff -up dhcp-4.2.0/common/packet.c.xen dhcp-4.2.0/common/packet.c { unsigned char *data; struct ip ip; -@@ -322,7 +322,7 @@ decode_udp_ip_header(struct interface_in +@@ -322,7 +322,7 @@ decode_udp_ip_header(struct interface_info *interface, 8, IPPROTO_UDP + ulen)))); udp_packets_seen++; @@ -219,10 +228,11 @@ diff -up dhcp-4.2.0/common/packet.c.xen dhcp-4.2.0/common/packet.c udp_packets_bad_checksum++; if (udp_packets_seen > 4 && (udp_packets_seen / udp_packets_bad_checksum) < 2) { -diff -up dhcp-4.2.0/common/upf.c.xen dhcp-4.2.0/common/upf.c ---- dhcp-4.2.0/common/upf.c.xen 2009-11-20 02:49:01.000000000 +0100 -+++ dhcp-4.2.0/common/upf.c 2010-07-21 13:51:24.000000000 +0200 -@@ -320,7 +320,7 @@ ssize_t receive_packet (interface, buf, +diff --git a/common/upf.c b/common/upf.c +index feb82a2..fff3949 100644 +--- a/common/upf.c ++++ b/common/upf.c +@@ -320,7 +320,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) /* Decode the IP and UDP headers... */ offset = decode_udp_ip_header (interface, ibuf, bufix, 
@@ -231,15 +241,19 @@ diff -up dhcp-4.2.0/common/upf.c.xen dhcp-4.2.0/common/upf.c /* If the IP or UDP checksum was bad, skip the packet... */ if (offset < 0) -diff -up dhcp-4.2.0/includes/dhcpd.h.xen dhcp-4.2.0/includes/dhcpd.h ---- dhcp-4.2.0/includes/dhcpd.h.xen 2010-07-21 13:38:31.000000000 +0200 -+++ dhcp-4.2.0/includes/dhcpd.h 2010-07-21 13:51:24.000000000 +0200 -@@ -2773,7 +2773,7 @@ ssize_t decode_hw_header PROTO ((struct - unsigned, struct hardware *)); - ssize_t decode_udp_ip_header PROTO ((struct interface_info *, unsigned char *, - unsigned, struct sockaddr_in *, -- unsigned, unsigned *)); -+ unsigned, unsigned *, int)); +diff --git a/includes/dhcpd.h b/includes/dhcpd.h +index adf04cc..ded57a9 100644 +--- a/includes/dhcpd.h ++++ b/includes/dhcpd.h +@@ -2793,7 +2793,7 @@ ssize_t decode_hw_header (struct interface_info *, unsigned char *, + unsigned, struct hardware *); + ssize_t decode_udp_ip_header (struct interface_info *, unsigned char *, + unsigned, struct sockaddr_in *, +- unsigned, unsigned *); ++ unsigned, unsigned *, int); /* ethernet.c */ - void assemble_ethernet_header PROTO ((struct interface_info *, unsigned char *, + void assemble_ethernet_header (struct interface_info *, unsigned char *, +-- +1.7.3.4 + diff --git a/dhcp-4.2.2.tar.bz2 b/dhcp-4.2.2.tar.bz2 new file mode 100644 index 0000000..2f62ca7 --- /dev/null +++ b/dhcp-4.2.2.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:dfafcabbd4b2f099fd7ae1f9a9f6f2dc472b134ed5b6a391c2f7082dfdc2d8b6 +size 8613758 diff --git a/dhcp.changes b/dhcp.changes index e0c835a..1c06616 100644 --- a/dhcp.changes +++ b/dhcp.changes 
@@ -1,3 +1,32 @@ +------------------------------------------------------------------- +Mon Aug 29 15:15:44 UTC 2011 - mt@suse.de + +- Updated to ISC dhcp-4.2.2 release, providing two security fixes + (CVE-2011-2748,CVE-2011-2749,[ISC-Bugs #24960],bnc#712653), that + allowed remote attackers to cause a denial of service (a daemon + exit) via crafted BOOTP packets. Further also DNS update fix to + detect overlapping pools or misconfigured fixed-address entries, + that caused a server crash during DNS update and other fixes. + For a complete list, please see the RELNOTES file provided in + the package and also available online at http://www.isc.org/. +- Merged/adopted dhclient option-checks, send-hostname-rml, ldap + patch, xen-checksum, close-on-exec patches and removed obsolete + in6_pktinfo-prototype and relay-no-ip-on-interface patches. +- Moved server pid files into chroot directory even chroot is + not used and create a link in /var/run, so it can write one + when started as user without chroot and avoid stop problems + when the chroot sysconfig setting changed (bnc#712438). +- Disabled log-info level messages in dhclient(6) quiet mode to + avoid excessive logging of non-critical messages (bnc#711420). +- Fixed dhclient-script to not remove alias IP when it didn't + changed to not wipe out iptables connmark when renewing the + lease (bnc#700771). Thanks to James Carter for the patch. +- Fixed DDNS-howto.txt reference in the config file; it has been + moved to the dhcp-doc package (bnc#697279). +- Removed GPL licensed files (bind-*/contrib/dbus) from bind.tgz + to ensure, they're not used to build non-GPL dhcp (bnc#714004). +- Changed to apply strict-aliasing/RELRO for >= 12.x only + ------------------------------------------------------------------- Wed Jul 20 18:53:07 UTC 2011 - crrodriguez@opensuse.org diff --git a/dhcp.spec b/dhcp.spec index 2fb7afa..096f4d1 100644 --- a/dhcp.spec +++ b/dhcp.spec 
@@ -17,7 +17,7 @@ # norootforbuild -%define isc_version 4.2.1-P1 +%define isc_version 4.2.2 %define susefw2dir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %define omc_prefix /usr/share/omc %define omc_svcdir %{omc_prefix}/svcinfo.d @@ -39,8 +39,8 @@ BuildRequires: dos2unix License: BSD3c(or similar) Group: Productivity/Networking/Boot/Servers AutoReqProv: on -Version: 4.2.1.P1 -Release: 5 +Version: 4.2.2 +Release: 0 Summary: Common Files Used by ISC DHCP Software Url: http://www.isc.org/software/dhcp Source0: dhcp-%{isc_version}.tar.bz2 @@ -75,19 +75,18 @@ Patch10: dhcp-4.1.1-default-paths.diff # paranoia patch is included now, but not the # additional patch by thomas@suse.de not ... Patch11: dhcp-4.1.1-paranoia.diff -Patch12: dhcp-4.1.1-man-includes.diff +Patch12: dhcp-4.2.2-man-includes.diff Patch13: dhcp-4.1.1-tmpfile.diff -Patch14: dhcp-4.1.1-in6_pktinfo-prototype.diff Patch15: contrib-lease-path.diff Patch20: dhcp-4.1.1-dhclient-exec-filedes.diff -Patch21: dhcp-4.2.1-dhclient-send-hostname-rml.diff -## patch lives here: http://www.suse.de/~mt/git/dhcp-ldap.git/ -Patch30: dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2 +Patch21: dhcp-4.2.2-dhclient-send-hostname-rml.diff +## patch repo lives here: http://www.suse.de/~mt/git/dhcp-ldap.git/ +Patch30: dhcp-4.2.2-ldap-patch-mt01.diff.bz2 Patch40: dhcp-4.1.1-P1-lpf-bind-msg-fix.diff -Patch41: dhcp-4.1.1-P1-relay-no-ip-on-interface.diff -Patch44: dhcp-4.2.0-xen-checksum.patch -Patch45: dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff -Patch46: dhcp-4.2.0-CLOEXEC.patch +Patch44: dhcp-4.2.2-xen-checksum.diff +Patch45: dhcp-4.2.2-dhclient-option-checks.bnc675052.diff +Patch46: dhcp-4.2.2-close-on-exec.diff +Patch47: dhcp-4.2.2-quiet-dhclient.bnc711420.diff ## PreReq: /bin/touch /sbin/chkconfig sysconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -217,7 +216,6 @@ Authors: %patch11 -p1 %patch12 -p1 %patch13 -p1 -%patch14 -p1 %patch15 -p0 %patch20 -p1 %patch21 -p1 
@@ -225,16 +223,26 @@ Authors: %patch30 -p1 %endif %patch40 -p1 -%patch41 -p1 %patch44 -p1 %patch45 -p1 -%patch46 +%patch46 -p1 +%patch47 -p1 ## find . -type f -name \*.cat\* -exec rm -f {} \; dos2unix contrib/ms2isc/* %build +# Remove GPL licensed files to make sure, +# they're not used to build (bnc#714004). +pushd bind +gunzip -c bind.tar.gz | tar xf - +rm -rf bind-*/contrib/dbus +popd +%if %suse_version >= 1210 CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -Wno-unused" +%else +CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -fno-strict-aliasing -Wno-unused" +%endif %ifarch ppc ppc64 s390x # bugs 134590, 171532 CFLAGS="$CFLAGS -fsigned-char" @@ -244,7 +252,11 @@ CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -Wno-unused" %else CFLAGS="$CFLAGS -fpie" %endif +%if %suse_version >= 1210 LDFLAGS="-Wl,-z,relro,-z,now -pie" +%else +LDFLAGS="-pie" +%endif FFLAGS="$CFLAGS" CXXFLAGS="$CFLAGS" export RPM_OPT_FLAGS LDFLAGS diff --git a/dhcpd.conf b/dhcpd.conf index ae75fe2..6dec0ec 100644 --- a/dhcpd.conf +++ b/dhcpd.conf @@ -13,7 +13,7 @@ max-lease-time 7200; # if you do not use dynamical DNS updates: # # if you want to use dynamical DNS updates, you should first read -# read /usr/share/doc/packages/dhcp-server/DDNS-howto.txt +# the manuals and DDNS-howto.txt provided in the dhcp-doc package. # ddns-updates off; diff --git a/rc.dhcpd b/rc.dhcpd index 5cdb21a..4a8a57d 100644 --- a/rc.dhcpd +++ b/rc.dhcpd @@ -59,6 +59,11 @@ DAEMON_BIN=${DHCPD_BINARY:=/usr/sbin/dhcpd} DAEMON_CONF=/etc/dhcpd.conf DAEMON_STATE=/var/lib/dhcp DAEMON_LEASES=dhcpd.leases +# note: $DAEMON_PIDFILE is a symlink to the +# $DAEMON_STATE$DAEMON_PIDFILE (also +# while DHCPD_RUN_CHROOTED=no) now, +# as DHCPD_RUN_AS is not allowed to +# create pid files in /var/run. DAEMON_PIDFILE=/var/run/dhcpd.pid STARTPROC_LOGFILE=/var/log/rc.dhcpd.log LDAP_CONF=/etc/openldap/ldap.conf 
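Review bot: For `%suse_version` below 1210 the new `%else` branch sets `LDFLAGS="-pie"`, which removes the `-Wl,-z,relro,-z,now` flags the spec previously applied unconditionally, and the spec gives no reason. The binaries built here parse network input, so losing full RELRO and immediate binding on older targets is a hardening regression unless the older toolchain really cannot link with those flags. Please add a comment naming the failure that motivated the split, e.g. `# relro/now not usable before 1210, see bnc#PLACEHOLDER`, or keep the flags in both branches if there is no such failure. The same question applies to `-fno-strict-aliasing` in the CFLAGS conditional of the previous hunk.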
@@ -128,7 +133,7 @@ fi # remove empty pid files to avoid disturbing warnings by checkproc/killproc # (these can occur if dhcpd does not start correctly) test -e $DAEMON_PIDFILE && ! test -s $DAEMON_PIDFILE && rm $DAEMON_PIDFILE -test -e $CHROOT_PREFIX/$DAEMON_PIDFILE && ! test -s $CHROOT_PREFIX/$DAEMON_PIDFILE && rm $CHROOT_PREFIX/$DAEMON_PIDFILE +test -e $DAEMON_STATE/$DAEMON_PIDFILE && ! test -s $DAEMON_STATE/$DAEMON_PIDFILE && rm $DAEMON_STATE/$DAEMON_PIDFILE case "$1" in start) 
@@ -240,33 +245,33 @@ case "$1" in ## the chroot jail. Therefore, and old pid file may exist. This is only a problem if it ## incidentally contains the pid of a running process. If this process is not a 'dhcpd', ## we remove the pid. (dhcpd itself only checks whether the pid is alive or not.) - if test -e $CHROOT_PREFIX/$DAEMON_PIDFILE -a -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then - p=$(<$CHROOT_PREFIX/$DAEMON_PIDFILE) + if test -s $DAEMON_STATE/$DAEMON_PIDFILE; then + p=$(<$DAEMON_STATE/$DAEMON_PIDFILE) if test -n "$p" && grep -qsE "^${DAEMON_BIN}" "/proc/$p/cmdline" ; then echo -n '(already running) ' else - rm $CHROOT_PREFIX/$DAEMON_PIDFILE + rm -f $DAEMON_STATE/$DAEMON_PIDFILE fi fi + PID_FILE_ARG="$DAEMON_PIDFILE" else DHCPD_ARGS="-lf ${DAEMON_STATE}/db/$DAEMON_LEASES" + PID_FILE_ARG="$DAEMON_STATE$DAEMON_PIDFILE" fi if [ -n "$DHCPD_RUN_AS" ]; then DHCPD_RUN_AS_GROUP="$(getent group $(getent passwd $DHCPD_RUN_AS | cut -d: -f4) | cut -d: -f1)" DHCPD_ARGS="$DHCPD_ARGS -user $DHCPD_RUN_AS -group $DHCPD_RUN_AS_GROUP" - if test "$DHCPD_RUN_CHROOTED" = "yes" ; then - chown "${DHCPD_RUN_AS}:${DHCPD_RUN_AS_GROUP}" \ - "$CHROOT_PREFIX/${DAEMON_PIDFILE%/*}" - fi + chown "${DHCPD_RUN_AS}:${DHCPD_RUN_AS_GROUP}" \ + "$DAEMON_STATE/${DAEMON_PIDFILE%/*}" fi ## check syntax with -t (output to log file) and start only when the syntax is okay rm -f $STARTPROC_LOGFILE # start log error=0 - if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $DAEMON_PIDFILE > $STARTPROC_LOGFILE 2>&1 ; then + if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $PID_FILE_ARG > $STARTPROC_LOGFILE 2>&1 ; then error=1 else ## Start daemon. If this fails the return value is set appropriate. 
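Review bot: The `chown` in the `DHCPD_RUN_AS` block is now unconditional, so `$DAEMON_STATE/var/run` is handed to the unprivileged account in both modes, while this root-run script keeps trusting the pid file stored there. The value read by `p=$(<$DAEMON_STATE/$DAEMON_PIDFILE)` goes unchecked into `"/proc/$p/cmdline"`; a guard such as `case "$p" in ''|*[!0-9]*) p= ;; esac` before the grep would keep non-numeric content out of that path. Nothing visible in the hunk creates the directory for the non-chroot case, so the `chown` may fail there unless the package ships it. The same applies to the matching hunk in rc.dhcpd6; the enclosing `start)` branch begins and ends outside the hunk.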
@@ -274,19 +279,20 @@ case "$1" in ## to match the LSB spec. test "$2" = "-v" && echo -en \ - "\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'" + "\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'" - $DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE + $DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE ret=$? fi - + if [ $error -gt 0 -o ${ret:-0} -gt 0 ]; then ## be verbose echo "" - echo -n " please see $STARTPROC_LOGFILE for details "; + echo -n " please see $STARTPROC_LOGFILE for details " ## set status to failed rc_failed else + ln -sf "$DAEMON_STATE$DAEMON_PIDFILE" "$DAEMON_PIDFILE" [ "$DHCPD_RUN_CHROOTED" = "yes" ] && echo -n "[chroot]" || : fi 
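Review bot: The `ln -sf` in the success branch makes `$DAEMON_PIDFILE` resolve into the directory that the start path chowns to `$DHCPD_RUN_AS`, so anything reading `/var/run/dhcpd.pid` as root now reads content the daemon account controls. That deserves a comment next to the link, for example `# target is writable by $DHCPD_RUN_AS: only use the pid after checking it against $DAEMON_BIN`. The exit status of `ln` is also ignored, so a failed link still ends in a success status; `ln -sf "$DAEMON_STATE$DAEMON_PIDFILE" "$DAEMON_PIDFILE" || rc_failed` would surface it. The matching hunk in rc.dhcpd6 has the same line.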
@@ -296,14 +302,29 @@ case "$1" in stop) echo -n "Shutting down $DAEMON " + # Catch the case where daemon is running without chroot, + # but sysconfig/dhcp has been changed to use chroot (and + # another way around). + # In this case is there is no $chroot/$pidfile, but there + # should be a /pidfile that we use instead. + # We can not kill without pid file or dhcp4 kills dhcp6. + PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE" + if test "$DHCPD_RUN_CHROOTED" = "yes" ; then + if test ! -s "$DAEMON_STATE$DAEMON_PIDFILE" -a \ + -s "$DAEMON_PIDFILE" ; then + PID_FILE="$DAEMON_PIDFILE" + fi + else + if test ! -s "$DAEMON_PIDFILE" -a \ + -s "$DAEMON_STATE$DAEMON_PIDFILE" ; then + PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE" + fi + fi + ## Stop daemon with killproc(8) and if this fails ## set echo the echo return value. - - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN + killproc -p "$PID_FILE" $DAEMON_BIN ret=$? - if test -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then - kill $(<$CHROOT_PREFIX/$DAEMON_PIDFILE) 2>/dev/null - fi # umount proc and remove libraries from the chroot jail, # so they are not left over if the server is deinstalled @@ -347,8 +368,8 @@ case "$1" in echo -n "Reload service $DAEMON" if [ "$SUPPORTS_HUP" = "yes" ]; then - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN - #touch $CHROOT_PREFIX/$DAEMON_PIDFILE + killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN + #touch $DAEMON_STATE/$DAEMON_PIDFILE rc_status -v else $0 stop && sleep 3 && $0 start @@ -362,8 +383,8 @@ case "$1" in echo -n "Reload service $DAEMON" if [ "$SUPPORTS_HUP" = "yes" ]; then # If it supports signalling: - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN - #touch $CHROOT_PREFIX/$DAEMON_PIDFILE + killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN + #touch $DAEMON_STATE/$DAEMON_PIDFILE rc_status -v else ## Otherwise if it does not support reload: 
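Review bot: The `else` branch of the new pid-file selection in `stop)` is a no-op: it assigns `PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE"`, which is already the default set just above it. So a daemon still running with a plain `/var/run` pid file while `DHCPD_RUN_CHROOTED` is not `yes` (presumably one started by the previous script) is never found by `killproc -p "$PID_FILE"`. If the fallback is meant for both modes, it can drop the chroot test and the obsolescent `-a`: `if test ! -s "$PID_FILE" && test -s "$DAEMON_PIDFILE"; then PID_FILE="$DAEMON_PIDFILE"; fi`. The two reload hunks on this line and the status hunk use `$DAEMON_STATE/$DAEMON_PIDFILE` directly, without any fallback and unquoted, so they would disagree with `stop` in that situation. rc.dhcpd6 mirrors all of this.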
@@ -383,7 +404,7 @@ case "$1" in # 3 - service not running # NOTE: checkproc returns LSB compliant status values. - checkproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN + checkproc -p $DAEMON_STATE/$DAEMON_PIDFILE $DAEMON_BIN rc_status -v ;; probe) @@ -392,7 +413,7 @@ case "$1" in rc=0 for i in /etc/sysconfig/dhcpd $DAEMON_CONF $DHCPD_CONF_INCLUDE_FILES; do - test $i -nt $CHROOT_PREFIX/$DAEMON_PIDFILE && rc=1 + test $i -nt $DAEMON_STATE/$DAEMON_PIDFILE && rc=1 done test $rc = 1 && echo restart ;; diff --git a/rc.dhcpd6 b/rc.dhcpd6 index 9c7a34e..121be37 100644 --- a/rc.dhcpd6 +++ b/rc.dhcpd6 @@ -63,6 +63,11 @@ DAEMON_BIN=${DHCPD_BINARY:=/usr/sbin/dhcpd6} DAEMON_CONF=/etc/dhcpd6.conf DAEMON_STATE=/var/lib/dhcp6 DAEMON_LEASES=dhcpd6.leases +# note: $DAEMON_PIDFILE is a symlink to the +# $DAEMON_STATE$DAEMON_PIDFILE (also +# while DHCPD_RUN_CHROOTED=no) now, +# as DHCPD_RUN_AS is not allowed to +# create pid files in /var/run. DAEMON_PIDFILE=/var/run/dhcpd6.pid STARTPROC_LOGFILE=/var/log/rc.dhcpd6.log LDAP_CONF= @@ -132,7 +137,7 @@ fi # remove empty pid files to avoid disturbing warnings by checkproc/killproc # (these can occur if dhcpd does not start correctly) test -e $DAEMON_PIDFILE && ! test -s $DAEMON_PIDFILE && rm $DAEMON_PIDFILE -test -e $CHROOT_PREFIX/$DAEMON_PIDFILE && ! test -s $CHROOT_PREFIX/$DAEMON_PIDFILE && rm $CHROOT_PREFIX/$DAEMON_PIDFILE +test -e $DAEMON_STATE/$DAEMON_PIDFILE && ! test -s $DAEMON_STATE/$DAEMON_PIDFILE && rm $DAEMON_STATE/$DAEMON_PIDFILE case "$1" in start) 
@@ -244,33 +249,33 @@ case "$1" in ## the chroot jail. Therefore, and old pid file may exist. This is only a problem if it ## incidentally contains the pid of a running process. If this process is not a 'dhcpd', ## we remove the pid. (dhcpd itself only checks whether the pid is alive or not.) - if test -e $CHROOT_PREFIX/$DAEMON_PIDFILE -a -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then - p=$(<$CHROOT_PREFIX/$DAEMON_PIDFILE) + if test -s $DAEMON_STATE/$DAEMON_PIDFILE; then + p=$(<$DAEMON_STATE/$DAEMON_PIDFILE) if test -n "$p" && grep -qsE "^${DAEMON_BIN}" "/proc/$p/cmdline" ; then echo -n '(already running) ' else - rm $CHROOT_PREFIX/$DAEMON_PIDFILE + rm -f $DAEMON_STATE/$DAEMON_PIDFILE fi fi + PID_FILE_ARG="$DAEMON_PIDFILE" else DHCPD_ARGS="-lf ${DAEMON_STATE}/db/$DAEMON_LEASES" + PID_FILE_ARG="$DAEMON_STATE$DAEMON_PIDFILE" fi if [ -n "$DHCPD_RUN_AS" ]; then DHCPD_RUN_AS_GROUP="$(getent group $(getent passwd $DHCPD_RUN_AS | cut -d: -f4) | cut -d: -f1)" DHCPD_ARGS="$DHCPD_ARGS -user $DHCPD_RUN_AS -group $DHCPD_RUN_AS_GROUP" - if test "$DHCPD_RUN_CHROOTED" = "yes" ; then - chown "${DHCPD_RUN_AS}:${DHCPD_RUN_AS_GROUP}" \ - "$CHROOT_PREFIX/${DAEMON_PIDFILE%/*}" - fi + chown "${DHCPD_RUN_AS}:${DHCPD_RUN_AS_GROUP}" \ + "$DAEMON_STATE/${DAEMON_PIDFILE%/*}" fi ## check syntax with -t (output to log file) and start only when the syntax is okay rm -f $STARTPROC_LOGFILE # start log error=0 - if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $DAEMON_PIDFILE > $STARTPROC_LOGFILE 2>&1 ; then + if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $PID_FILE_ARG > $STARTPROC_LOGFILE 2>&1 ; then error=1 else ## Start daemon. If this fails the return value is set appropriate. 
@@ -278,19 +283,20 @@ case "$1" in ## to match the LSB spec. test "$2" = "-v" && echo -en \ - "\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'" + "\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'" - $DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE + $DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE ret=$? fi - - if [ $error -gt 0 -o ${ret:-0} -gt 0 ]; then + + if [ $error -gt 0 -o ${ret:-0} -gt 0 ]; then ## be verbose echo "" echo -n " please see $STARTPROC_LOGFILE for details " ## set status to failed rc_failed else + ln -sf "$DAEMON_STATE$DAEMON_PIDFILE" "$DAEMON_PIDFILE" [ "$DHCPD_RUN_CHROOTED" = "yes" ] && echo -n "[chroot]" || : fi 
@@ -300,14 +306,29 @@ case "$1" in stop) echo -n "Shutting down $DAEMON " + # Catch the case where daemon is running without chroot, + # but sysconfig/dhcp has been changed to use chroot (and + # another way around). + # In this case is there is no $chroot/$pidfile, but there + # should be a /pidfile that we use instead. + # We can not kill without pid file or dhcp4 kills dhcp6. + PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE" + if test "$DHCPD_RUN_CHROOTED" = "yes" ; then + if test ! -s "$DAEMON_STATE$DAEMON_PIDFILE" -a \ + -s "$DAEMON_PIDFILE" ; then + PID_FILE="$DAEMON_PIDFILE" + fi + else + if test ! -s "$DAEMON_PIDFILE" -a \ + -s "$DAEMON_STATE$DAEMON_PIDFILE" ; then + PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE" + fi + fi + ## Stop daemon with killproc(8) and if this fails ## set echo the echo return value. - - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN + killproc -p "$PID_FILE" $DAEMON_BIN ret=$? - if test -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then - kill $(<$CHROOT_PREFIX/$DAEMON_PIDFILE) 2>/dev/null - fi # umount proc and remove libraries from the chroot jail, # so they are not left over if the server is deinstalled @@ -351,8 +372,8 @@ case "$1" in echo -n "Reload service $DAEMON" if [ "$SUPPORTS_HUP" = "yes" ]; then - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN - #touch $CHROOT_PREFIX/$DAEMON_PIDFILE + killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN + #touch $DAEMON_STATE/$DAEMON_PIDFILE rc_status -v else $0 stop && sleep 3 && $0 start @@ -366,8 +387,8 @@ case "$1" in echo -n "Reload service $DAEMON" if [ "$SUPPORTS_HUP" = "yes" ]; then # If it supports signalling: - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN - #touch $CHROOT_PREFIX/$DAEMON_PIDFILE + killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN + #touch $DAEMON_STATE/$DAEMON_PIDFILE rc_status -v else ## Otherwise if it does not support reload: 
@@ -387,7 +408,7 @@ case "$1" in # 3 - service not running # NOTE: checkproc returns LSB compliant status values. - checkproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN + checkproc -p $DAEMON_STATE/$DAEMON_PIDFILE $DAEMON_BIN rc_status -v ;; probe) @@ -396,7 +417,7 @@ case "$1" in rc=0 for i in /etc/sysconfig/dhcpd $DAEMON_CONF $DHCPD_CONF_INCLUDE_FILES; do - test $i -nt $CHROOT_PREFIX/$DAEMON_PIDFILE && rc=1 + test $i -nt $DAEMON_STATE/$DAEMON_PIDFILE && rc=1 done test $rc = 1 && echo restart ;;