Hello community, here is the log from the commit of package dhcp for openSUSE:Factory checked in at Wed Aug 31 10:47:54 CEST 2011. -------- --- dhcp/dhcp.changes 2011-05-12 10:43:04.000000000 +0200 +++ /mounts/work_src_done/STABLE/dhcp/dhcp.changes 2011-08-29 17:37:52.000000000 +0200 @@ -1,0 +2,47 @@ +Mon Aug 29 15:15:44 UTC 2011 - mt@suse.de + +- Updated to ISC dhcp-4.2.2 release, providing two security fixes + (CVE-2011-2748,CVE-2011-2749,[ISC-Bugs #24960],bnc#712653), that + allowed remote attackers to cause a denial of service (a daemon + exit) via crafted BOOTP packets. Further also DNS update fix to + detect overlapping pools or misconfigured fixed-address entries, + that caused a server crash during DNS update and other fixes. + For a complete list, please see the RELNOTES file provided in + the package and also available online at http://www.isc.org/. +- Merged/adopted dhclient option-checks, send-hostname-rml, ldap + patch, xen-checksum, close-on-exec patches and removed obsolete + in6_pktinfo-prototype and relay-no-ip-on-interface patches. +- Moved server pid files into chroot directory even chroot is + not used and create a link in /var/run, so it can write one + when started as user without chroot and avoid stop problems + when the chroot sysconfig setting changed (bnc#712438). +- Disabled log-info level messages in dhclient(6) quiet mode to + avoid excessive logging of non-critical messages (bnc#711420). +- Fixed dhclient-script to not remove alias IP when it didn't + changed to not wipe out iptables connmark when renewing the + lease (bnc#700771). Thanks to James Carter for the patch. +- Fixed DDNS-howto.txt reference in the config file; it has been + moved to the dhcp-doc package (bnc#697279). +- Removed GPL licensed files (bind-*/contrib/dbus) from bind.tgz + to ensure, they're not used to build non-GPL dhcp (bnc#714004). +- Changed to apply strict-aliasing/RELRO for >= 12.x only + +------------------------------------------------------------------- +Wed Jul 20 18:53:07 UTC 2011 - crrodriguez@opensuse.org + +- Correct previous change. + +------------------------------------------------------------------- +Wed Jul 20 04:45:40 UTC 2011 - crrodriguez@opensuse.org + +- THis is a long running network daemon, link with + full RELRO security enhancements. +- remove -fno-strict-aliasing from CFLAGS, no longer needed. + +------------------------------------------------------------------- +Tue May 17 03:58:24 UTC 2011 - crrodriguez@opensuse.org + +- Import redhat's patch to open all needed FDs with O_CLOEXEC + so they dont leak. + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- dhcp-4.1.1-P1-relay-no-ip-on-interface.diff dhcp-4.1.1-in6_pktinfo-prototype.diff dhcp-4.1.1-man-includes.diff dhcp-4.2.0-xen-checksum.patch dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2 dhcp-4.2.1-P1.tar.bz2 dhcp-4.2.1-dhclient-send-hostname-rml.diff New: ---- dhcp-4.2.2-close-on-exec.diff dhcp-4.2.2-dhclient-option-checks.bnc675052.diff dhcp-4.2.2-dhclient-send-hostname-rml.diff dhcp-4.2.2-ldap-patch-mt01.diff.bz2 dhcp-4.2.2-man-includes.diff dhcp-4.2.2-quiet-dhclient.bnc711420.diff dhcp-4.2.2-xen-checksum.diff dhcp-4.2.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dhcp.spec ++++++ --- /var/tmp/diff_new_pack.57d6Rw/_old 2011-08-31 10:47:04.000000000 +0200 +++ /var/tmp/diff_new_pack.57d6Rw/_new 2011-08-31 10:47:04.000000000 +0200 @@ -17,7 +17,7 @@ # norootforbuild -%define isc_version 4.2.1-P1 +%define isc_version 4.2.2 %define susefw2dir %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services %define omc_prefix /usr/share/omc %define omc_svcdir %{omc_prefix}/svcinfo.d @@ -39,8 +39,8 @@ License: BSD3c(or similar) Group: Productivity/Networking/Boot/Servers AutoReqProv: on -Version: 4.2.1.P1 -Release: 5 +Version: 4.2.2 +Release: 1 Summary: Common Files Used by ISC DHCP Software Url: http://www.isc.org/software/dhcp Source0: dhcp-%{isc_version}.tar.bz2 @@ -75,18 +75,18 @@ # paranoia patch is included now, but not the # additional patch by thomas@suse.de not ... Patch11: dhcp-4.1.1-paranoia.diff -Patch12: dhcp-4.1.1-man-includes.diff +Patch12: dhcp-4.2.2-man-includes.diff Patch13: dhcp-4.1.1-tmpfile.diff -Patch14: dhcp-4.1.1-in6_pktinfo-prototype.diff Patch15: contrib-lease-path.diff Patch20: dhcp-4.1.1-dhclient-exec-filedes.diff -Patch21: dhcp-4.2.1-dhclient-send-hostname-rml.diff -## patch lives here: http://www.suse.de/~mt/git/dhcp-ldap.git/ -Patch30: dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2 +Patch21: dhcp-4.2.2-dhclient-send-hostname-rml.diff +## patch repo lives here: http://www.suse.de/~mt/git/dhcp-ldap.git/ +Patch30: dhcp-4.2.2-ldap-patch-mt01.diff.bz2 Patch40: dhcp-4.1.1-P1-lpf-bind-msg-fix.diff -Patch41: dhcp-4.1.1-P1-relay-no-ip-on-interface.diff -Patch44: dhcp-4.2.0-xen-checksum.patch -Patch45: dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff +Patch44: dhcp-4.2.2-xen-checksum.diff +Patch45: dhcp-4.2.2-dhclient-option-checks.bnc675052.diff +Patch46: dhcp-4.2.2-close-on-exec.diff +Patch47: dhcp-4.2.2-quiet-dhclient.bnc711420.diff ## PreReq: /bin/touch /sbin/chkconfig sysconfig BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -216,7 +216,6 @@ %patch11 -p1 %patch12 -p1 %patch13 -p1 -%patch14 -p1 %patch15 -p0 %patch20 -p1 %patch21 -p1 @@ -224,15 +223,26 @@ %patch30 -p1 %endif %patch40 -p1 -%patch41 -p1 %patch44 -p1 %patch45 -p1 +%patch46 -p1 +%patch47 -p1 ## find . -type f -name *.cat* -exec rm -f {} ; dos2unix contrib/ms2isc/* %build -CFLAGS="$RPM_OPT_FLAGS -W -Wall -fno-strict-aliasing -Wno-unused" +# Remove GPL licensed files to make sure, +# they're not used to build (bnc#714004). +pushd bind +gunzip -c bind.tar.gz | tar xf - +rm -rf bind-*/contrib/dbus +popd +%if %suse_version >= 1210 +CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -Wno-unused" +%else +CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -W -Wall -fno-strict-aliasing -Wno-unused" +%endif %ifarch ppc ppc64 s390x # bugs 134590, 171532 CFLAGS="$CFLAGS -fsigned-char" @@ -242,7 +252,11 @@ %else CFLAGS="$CFLAGS -fpie" %endif +%if %suse_version >= 1210 +LDFLAGS="-Wl,-z,relro,-z,now -pie" +%else LDFLAGS="-pie" +%endif FFLAGS="$CFLAGS" CXXFLAGS="$CFLAGS" export RPM_OPT_FLAGS LDFLAGS ++++++ dhclient-script ++++++ --- /var/tmp/diff_new_pack.57d6Rw/_old 2011-08-31 10:47:04.000000000 +0200 +++ /var/tmp/diff_new_pack.57d6Rw/_new 2011-08-31 10:47:04.000000000 +0200 @@ -400,8 +400,8 @@ BOUND|RENEW|REBIND|REBOOT) #################################################################### - if [ x$old_ip_address != x -a x$alias_ip_address != x ] && \ - [ x$alias_ip_address != x$old_ip_address ] ; + if [ x$alias_ip_address != x -a x$alias_ip_address != x$old_ip_address -a \ + x$new_ip_address != x$old_ip_address ] ; then # Possible new alias. Remove old alias. /sbin/ip addr del $alias_ip_address/$alias_subnet_mask dev $interface @@ -426,7 +426,8 @@ set_ipv4_routes fi - if [ x$new_ip_address != x$alias_ip_address -a x$alias_ip_address != x ]; + if [ x$new_ip_address != x$alias_ip_address -a x$alias_ip_address != x \ + -a x$new_ip_address != x$old_ip_address ]; then /sbin/ip addr add $alias_ip_address/$alias_subnet_mask \ dev $interface ++++++ dhcp-4.2.2-close-on-exec.diff ++++++ diff --git a/client/clparse.c b/client/clparse.c index 9de4ce2..ca24ba6 100644 --- a/client/clparse.c +++ b/client/clparse.c @@ -220,7 +220,7 @@ int read_client_conf_file (const char *name, struct interface_info *ip, int token; isc_result_t status; - if ((file = open (name, O_RDONLY)) < 0) + if ((file = open (name, O_RDONLY | O_CLOEXEC)) < 0) return uerr2isc (errno); cfile = NULL; @@ -257,7 +257,7 @@ void read_client_leases () /* Open the lease file. If we can't open it, just return - we can safely trust the server to remember our state. */ - if ((file = open (path_dhclient_db, O_RDONLY)) < 0) + if ((file = open (path_dhclient_db, O_RDONLY | O_CLOEXEC)) < 0) return; cfile = NULL; diff --git a/client/dhclient.c b/client/dhclient.c index 82c26bb..a1cab01 100644 --- a/client/dhclient.c +++ b/client/dhclient.c @@ -131,11 +131,11 @@ main(int argc, char **argv) { /* Make sure that file descriptors 0 (stdin), 1, (stdout), and 2 (stderr) are open. To do this, we assume that when we open a file the lowest available file descriptor is used. */ - fd = open("/dev/null", O_RDWR); + fd = open("/dev/null", O_RDWR | O_CLOEXEC); if (fd == 0) - fd = open("/dev/null", O_RDWR); + fd = open("/dev/null", O_RDWR | O_CLOEXEC); if (fd == 1) - fd = open("/dev/null", O_RDWR); + fd = open("/dev/null", O_RDWR | O_CLOEXEC); if (fd == 2) log_perror = 0; /* No sense logging to /dev/null. */ else if (fd != -1) @@ -423,7 +423,7 @@ main(int argc, char **argv) { int e; oldpid = 0; - if ((pidfd = fopen(path_dhclient_pid, "r")) != NULL) { + if ((pidfd = fopen(path_dhclient_pid, "re")) != NULL) { e = fscanf(pidfd, "%ld\n", &temp); oldpid = (pid_t)temp; @@ -2689,7 +2689,7 @@ void rewrite_client_leases () if (leaseFile != NULL) fclose (leaseFile); - leaseFile = fopen (path_dhclient_db, "w"); + leaseFile = fopen (path_dhclient_db, "we"); if (leaseFile == NULL) { log_error ("can't create %s: %m", path_dhclient_db); return; @@ -2799,7 +2799,7 @@ write_duid(struct data_string *duid) return DHCP_R_INVALIDARG; if (leaseFile == NULL) { /* XXX? */ - leaseFile = fopen(path_dhclient_db, "w"); + leaseFile = fopen(path_dhclient_db, "we"); if (leaseFile == NULL) { log_error("can't create %s: %m", path_dhclient_db); return ISC_R_IOERROR; @@ -2847,7 +2847,7 @@ write_client6_lease(struct client_state *client, struct dhc6_lease *lease, return DHCP_R_INVALIDARG; if (leaseFile == NULL) { /* XXX? */ - leaseFile = fopen(path_dhclient_db, "w"); + leaseFile = fopen(path_dhclient_db, "we"); if (leaseFile == NULL) { log_error("can't create %s: %m", path_dhclient_db); return ISC_R_IOERROR; @@ -2979,7 +2979,7 @@ int write_client_lease (client, lease, rewrite, makesure) return 1; if (leaseFile == NULL) { /* XXX */ - leaseFile = fopen (path_dhclient_db, "w"); + leaseFile = fopen (path_dhclient_db, "we"); if (leaseFile == NULL) { log_error ("can't create %s: %m", path_dhclient_db); return 0; @@ -3472,9 +3472,9 @@ void go_daemon () close(2); /* Reopen them on /dev/null. */ - open("/dev/null", O_RDWR); - open("/dev/null", O_RDWR); - open("/dev/null", O_RDWR); + open("/dev/null", O_RDWR | O_CLOEXEC); + open("/dev/null", O_RDWR | O_CLOEXEC); + open("/dev/null", O_RDWR | O_CLOEXEC); write_client_pid_file (); diff --git a/common/bpf.c b/common/bpf.c index 8bd5727..7b8f1d4 100644 --- a/common/bpf.c +++ b/common/bpf.c @@ -94,7 +94,7 @@ int if_register_bpf (info) for (b = 0; 1; b++) { /* %Audit% 31 bytes max. %2004.06.17,Safe% */ sprintf(filename, BPF_FORMAT, b); - sock = open (filename, O_RDWR, 0); + sock = open (filename, O_RDWR | O_CLOEXEC, 0); if (sock < 0) { if (errno == EBUSY) { continue; diff --git a/common/discover.c b/common/discover.c index 1d84219..93a278e 100644 --- a/common/discover.c +++ b/common/discover.c @@ -421,7 +421,7 @@ begin_iface_scan(struct iface_conf_list *ifaces) { int len; int i; - ifaces->fp = fopen("/proc/net/dev", "r"); + ifaces->fp = fopen("/proc/net/dev", "re"); if (ifaces->fp == NULL) { log_error("Error opening '/proc/net/dev' to list interfaces"); return 0; @@ -456,7 +456,7 @@ begin_iface_scan(struct iface_conf_list *ifaces) { #ifdef DHCPv6 if (local_family == AF_INET6) { - ifaces->fp6 = fopen("/proc/net/if_inet6", "r"); + ifaces->fp6 = fopen("/proc/net/if_inet6", "re"); if (ifaces->fp6 == NULL) { log_error("Error opening '/proc/net/if_inet6' to " "list IPv6 interfaces; %m"); diff --git a/common/dlpi.c b/common/dlpi.c index b9eb1d3..c044ec6 100644 --- a/common/dlpi.c +++ b/common/dlpi.c @@ -806,7 +806,7 @@ dlpiopen(const char *ifname) { } *dp = '\0'; - return open (devname, O_RDWR, 0); + return open (devname, O_RDWR | O_CLOEXEC, 0); } /* diff --git a/common/nit.c b/common/nit.c index 0da9c36..896cbb6 100644 --- a/common/nit.c +++ b/common/nit.c @@ -81,7 +81,7 @@ int if_register_nit (info) struct strioctl sio; /* Open a NIT device */ - sock = open ("/dev/nit", O_RDWR); + sock = open ("/dev/nit", O_RDWR | O_CLOEXEC); if (sock < 0) log_fatal ("Can't open NIT device for %s: %m", info -> name); diff --git a/common/resolv.c b/common/resolv.c index b29d4cf..d946ccc 100644 --- a/common/resolv.c +++ b/common/resolv.c @@ -49,7 +49,7 @@ void read_resolv_conf (parse_time) struct domain_search_list *dp, *dl, *nd; isc_result_t status; - if ((file = open (path_resolv_conf, O_RDONLY)) < 0) { + if ((file = open (path_resolv_conf, O_RDONLY | O_CLOEXEC)) < 0) { log_error ("Can't open %s: %m", path_resolv_conf); return; } diff --git a/common/upf.c b/common/upf.c index fff3949..4f9318e 100644 --- a/common/upf.c +++ b/common/upf.c @@ -77,7 +77,7 @@ int if_register_upf (info) /* %Audit% Cannot exceed 36 bytes. %2004.06.17,Safe% */ sprintf(filename, "/dev/pf/pfilt%d", b); - sock = open (filename, O_RDWR, 0); + sock = open (filename, O_RDWR | O_CLOEXEC, 0); if (sock < 0) { if (errno == EBUSY) { continue; diff --git a/dst/dst_api.c b/dst/dst_api.c index 8925c66..fa4eb5f 100644 --- a/dst/dst_api.c +++ b/dst/dst_api.c @@ -437,7 +437,7 @@ dst_s_write_private_key(const DST_KEY *key) PRIVATE_KEY, PATH_MAX); /* Do not overwrite an existing file */ - if ((fp = dst_s_fopen(file, "w", 0600)) != NULL) { + if ((fp = dst_s_fopen(file, "we", 0600)) != NULL) { int nn; if ((nn = fwrite(encoded_block, 1, len, fp)) != len) { EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n", @@ -494,7 +494,7 @@ dst_s_read_public_key(const char *in_name, const unsigned in_id, int in_alg) * flags, proto, alg stored as decimal (or hex numbers FIXME). * (FIXME: handle parentheses for line continuation.) */ - if ((fp = dst_s_fopen(name, "r", 0)) == NULL) { + if ((fp = dst_s_fopen(name, "re", 0)) == NULL) { EREPORT(("dst_read_public_key(): Public Key not found %s\n", name)); return (NULL); @@ -620,7 +620,7 @@ dst_s_write_public_key(const DST_KEY *key) return (0); } /* create public key file */ - if ((fp = dst_s_fopen(filename, "w+", 0644)) == NULL) { + if ((fp = dst_s_fopen(filename, "w+e", 0644)) == NULL) { EREPORT(("DST_write_public_key: open of file:%s failed (errno=%d)\n", filename, errno)); return (0); @@ -854,7 +854,7 @@ dst_s_read_private_key_file(char *name, DST_KEY *pk_key, unsigned in_id, return (0); } /* first check if we can find the key file */ - if ((fp = dst_s_fopen(filename, "r", 0)) == NULL) { + if ((fp = dst_s_fopen(filename, "re", 0)) == NULL) { EREPORT(("dst_s_read_private_key_file: Could not open file %s in directory %s\n", filename, dst_path[0] ? dst_path : (char *) getcwd(NULL, PATH_MAX - 1))); diff --git a/dst/prandom.c b/dst/prandom.c index 4de3fe4..fbbe07c 100644 --- a/dst/prandom.c +++ b/dst/prandom.c @@ -269,7 +269,7 @@ get_dev_random(u_char *output, unsigned size) s = stat("/dev/random", &st); if (s == 0 && S_ISCHR(st.st_mode)) { - if ((fd = open("/dev/random", O_RDONLY | O_NONBLOCK)) != -1) { + if ((fd = open("/dev/random", O_RDONLY | O_NONBLOCK | O_CLOEXEC)) != -1) { if ((n = read(fd, output, size)) < 0) n = 0; close(fd); @@ -480,7 +480,7 @@ digest_file(dst_work *work) work->file_digest = dst_free_key(work->file_digest); return (0); } - if ((fp = fopen(name, "r")) == NULL) + if ((fp = fopen(name, "re")) == NULL) return (0); for (no = 0; (i = fread(buf, sizeof(*buf), sizeof(buf), fp)) > 0; no += i) diff --git a/omapip/trace.c b/omapip/trace.c index 9fd3fb5..9c4e11e 100644 --- a/omapip/trace.c +++ b/omapip/trace.c @@ -141,10 +141,10 @@ isc_result_t trace_begin (const char *filename, return DHCP_R_INVALIDARG; } - traceoutfile = open (filename, O_CREAT | O_WRONLY | O_EXCL, 0600); + traceoutfile = open (filename, O_CREAT | O_WRONLY | O_EXCL | O_CLOEXEC, 0600); if (traceoutfile < 0 && errno == EEXIST) { log_error ("WARNING: Overwriting trace file "%s"", filename); - traceoutfile = open (filename, O_WRONLY | O_EXCL | O_TRUNC, + traceoutfile = open (filename, O_WRONLY | O_EXCL | O_TRUNC | O_CLOEXEC, 0600); } @@ -431,7 +431,7 @@ void trace_file_replay (const char *filename) isc_result_t result; int len; - traceinfile = fopen (filename, "r"); + traceinfile = fopen (filename, "re"); if (!traceinfile) { log_error("Can't open tracefile %s: %m", filename); return; diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c index f21f16f..d2aa90e 100644 --- a/relay/dhcrelay.c +++ b/relay/dhcrelay.c @@ -183,11 +183,11 @@ main(int argc, char **argv) { /* Make sure that file descriptors 0(stdin), 1,(stdout), and 2(stderr) are open. To do this, we assume that when we open a file the lowest available file descriptor is used. */ - fd = open("/dev/null", O_RDWR); + fd = open("/dev/null", O_RDWR | O_CLOEXEC); if (fd == 0) - fd = open("/dev/null", O_RDWR); + fd = open("/dev/null", O_RDWR | O_CLOEXEC); if (fd == 1) - fd = open("/dev/null", O_RDWR); + fd = open("/dev/null", O_RDWR | O_CLOEXEC); if (fd == 2) log_perror = 0; /* No sense logging to /dev/null. */ else if (fd != -1) @@ -540,13 +540,14 @@ main(int argc, char **argv) { if (no_pid_file == ISC_FALSE) { pfdesc = open(path_dhcrelay_pid, - O_CREAT | O_TRUNC | O_WRONLY, 0644); + O_CREAT | O_TRUNC | O_WRONLY | + O_CLOEXEC, 0644); if (pfdesc < 0) { log_error("Can't create %s: %m", path_dhcrelay_pid); } else { - pf = fdopen(pfdesc, "w"); + pf = fdopen(pfdesc, "we"); if (!pf) log_error("Can't fdopen %s: %m", path_dhcrelay_pid); diff --git a/server/confpars.c b/server/confpars.c index c0742d4..62568e9 100644 --- a/server/confpars.c +++ b/server/confpars.c @@ -116,7 +116,7 @@ isc_result_t read_conf_file (const char *filename, struct group *group, } #endif - if ((file = open (filename, O_RDONLY)) < 0) { + if ((file = open (filename, O_RDONLY | O_CLOEXEC)) < 0) { if (leasep) { log_error ("Can't open lease database %s: %m --", path_dhcpd_db); diff --git a/server/db.c b/server/db.c index dc75321..be5db26 100644 --- a/server/db.c +++ b/server/db.c @@ -1035,7 +1035,7 @@ void db_startup (testp) } #endif if (!testp) { - db_file = fopen (path_dhcpd_db, "a"); + db_file = fopen (path_dhcpd_db, "ae"); if (!db_file) log_fatal ("Can't open %s for append.", path_dhcpd_db); expire_all_pools (); @@ -1074,7 +1074,7 @@ int new_lease_file () db_validity = lease_file_is_corrupt; snprintf (newfname, sizeof(newfname), "%s.XXXXXX", path_dhcpd_db); - db_fd = mkstemp (newfname); + db_fd = mkostemp (newfname, O_CLOEXEC); if (db_fd < 0) { log_error ("Can't create new lease file: %m"); return 0; @@ -1083,7 +1083,7 @@ int new_lease_file () log_error ("Can't fchmod new lease file: %m"); goto fail; } - if ((new_db_file = fdopen(db_fd, "w")) == NULL) { + if ((new_db_file = fdopen(db_fd, "we")) == NULL) { log_error("Can't fdopen new lease file: %m"); close(db_fd); goto fdfail; diff --git a/server/dhcpd.c b/server/dhcpd.c index 27e04e4..9233d26 100644 --- a/server/dhcpd.c +++ b/server/dhcpd.c @@ -274,11 +274,11 @@ main(int argc, char **argv) { /* Make sure that file descriptors 0 (stdin), 1, (stdout), and 2 (stderr) are open. To do this, we assume that when we open a file the lowest available file descriptor is used. */ - fd = open("/dev/null", O_RDWR); + fd = open("/dev/null", O_RDWR | O_CLOEXEC); if (fd == 0) - fd = open("/dev/null", O_RDWR); + fd = open("/dev/null", O_RDWR | O_CLOEXEC); if (fd == 1) - fd = open("/dev/null", O_RDWR); + fd = open("/dev/null", O_RDWR | O_CLOEXEC); if (fd == 2) log_perror = 0; /* No sense logging to /dev/null. */ else if (fd != -1) @@ -809,7 +809,7 @@ main(int argc, char **argv) { */ if (no_pid_file == ISC_FALSE) { /*Read previous pid file. */ - if ((i = open (path_dhcpd_pid, O_RDONLY)) >= 0) { + if ((i = open (path_dhcpd_pid, O_RDONLY | O_CLOEXEC)) >= 0) { status = read(i, pbuf, (sizeof pbuf) - 1); close (i); if (status > 0) { @@ -828,7 +828,7 @@ main(int argc, char **argv) { } /* Write new pid file. */ - i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC, 0644); + i = open(path_dhcpd_pid, O_WRONLY|O_CREAT|O_TRUNC|O_CLOEXEC, 0644); if (i >= 0) { sprintf(pbuf, "%d\n", (int) getpid()); IGNORE_RET (write(i, pbuf, strlen(pbuf))); @@ -856,9 +856,9 @@ main(int argc, char **argv) { close(2); /* Reopen them on /dev/null. */ - open("/dev/null", O_RDWR); - open("/dev/null", O_RDWR); - open("/dev/null", O_RDWR); + open("/dev/null", O_RDWR | O_CLOEXEC); + open("/dev/null", O_RDWR | O_CLOEXEC); + open("/dev/null", O_RDWR | O_CLOEXEC); log_perror = 0; /* No sense logging to /dev/null. */ IGNORE_RET (chdir("/")); diff --git a/server/ldap.c b/server/ldap.c index 68acbbb..77efe26 100644 --- a/server/ldap.c +++ b/server/ldap.c @@ -1098,7 +1098,7 @@ ldap_start (void) if (ldap_debug_file != NULL && ldap_debug_fd == -1) { - if ((ldap_debug_fd = open (ldap_debug_file, O_CREAT | O_TRUNC | O_WRONLY, + if ((ldap_debug_fd = open (ldap_debug_file, O_CREAT | O_TRUNC | O_WRONLY | O_CLOEXEC, S_IRUSR | S_IWUSR)) < 0) log_error ("Error opening debug LDAP log file %s: %s", ldap_debug_file, strerror (errno)); -- 1.7.3.4 ++++++ dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff -> dhcp-4.2.2-dhclient-option-checks.bnc675052.diff ++++++ --- dhcp/dhcp-4.2.1-P1-dhclient-option-checks.bnc675052.diff 2011-04-27 16:22:54.000000000 +0200 +++ /mounts/work_src_done/STABLE/dhcp/dhcp-4.2.2-dhclient-option-checks.bnc675052.diff 2011-08-29 17:37:14.000000000 +0200 @@ -1,25 +1,8 @@ -From 7c0b7ae289a0f25853bd4bb660f3dd34b5c1ce88 Mon Sep 17 00:00:00 2001 -From: Marius Tomaschewski <mt@suse.de> -Date: Wed, 27 Apr 2011 13:56:47 +0200 -Subject: [PATCH] dhclient string option checks - -Merged dhclient pretty escape and string option checks. -Use relaxed domain-name option check causing a regression, when the -server is misusing it to provide a domain list and does not provide -it via the domain-search option; pretty escape semicolon as well -(bnc#675052, CVE-2011-0997). - -Signed-off-by: Marius Tomaschewski <mt@suse.de> ---- - client/dhclient.c | 8 ++++---- - common/options.c | 2 +- - 2 files changed, 5 insertions(+), 5 deletions(-) - diff --git a/client/dhclient.c b/client/dhclient.c -index 970b935..93db494 100644 +index 9fd7ccc..82c26bb 100644 --- a/client/dhclient.c +++ b/client/dhclient.c -@@ -3142,7 +3142,7 @@ void script_write_params (client, prefix, lease) +@@ -3251,7 +3251,7 @@ void script_write_params (client, prefix, lease) } else { log_error("suspect value in %s " "option - discarded", @@ -28,7 +11,7 @@ } } -@@ -3155,7 +3155,7 @@ void script_write_params (client, prefix, lease) +@@ -3264,7 +3264,7 @@ void script_write_params (client, prefix, lease) } else { log_error("suspect value in %s " "option - discarded", @@ -37,7 +20,7 @@ } } -@@ -4077,7 +4077,7 @@ static int check_domain_name(const char *ptr, size_t len, int dots) +@@ -4193,7 +4193,7 @@ static int check_domain_name(const char *ptr, size_t len, int dots) const char *p; /* not empty or complete length not over 255 characters */ @@ -46,21 +29,8 @@ return(-1); /* consists of [[:alnum:]-]+ labels separated by [.] */ -@@ -4140,11 +4140,11 @@ static int check_option_values(struct universe *universe, - if ((universe == NULL) || (universe == &dhcp_universe)) { - switch(opt) { - case DHO_HOST_NAME: -- case DHO_DOMAIN_NAME: - case DHO_NIS_DOMAIN: - case DHO_NETBIOS_SCOPE: - return check_domain_name(ptr, len, 0); - break; -+ case DHO_DOMAIN_NAME: /* accept a list for compatibiliy */ - case DHO_DOMAIN_SEARCH: - return check_domain_name_list(ptr, len, 0); - break; diff --git a/common/options.c b/common/options.c -index c26f88c..8b4be65 100644 +index 80fd8db..6b95f3b 100644 --- a/common/options.c +++ b/common/options.c @@ -3916,7 +3916,7 @@ pretty_escape(char **dst, char *dend, const unsigned char **src, ++++++ dhcp-4.2.1-dhclient-send-hostname-rml.diff -> dhcp-4.2.2-dhclient-send-hostname-rml.diff ++++++ --- dhcp/dhcp-4.2.1-dhclient-send-hostname-rml.diff 2011-03-30 17:57:23.000000000 +0200 +++ /mounts/work_src_done/STABLE/dhcp/dhcp-4.2.2-dhclient-send-hostname-rml.diff 2011-08-29 17:37:14.000000000 +0200 @@ -1,34 +1,34 @@ diff --git a/client/dhclient.8 b/client/dhclient.8 -index 7a3c154..e284210 100644 +index 6306b08..1394c38 100644 --- a/client/dhclient.8 +++ b/client/dhclient.8 -@@ -64,6 +64,10 @@ dhclient - Dynamic Host Configuration Protocol Client - .I port +@@ -60,6 +60,10 @@ dhclient - Dynamic Host Configuration Protocol Client + .I LL|LLT ] [ +.B -H +.I hostname +] +[ - .B -d + .B -p + .I port ] - [ -@@ -305,6 +309,10 @@ If a different port is specified on which the client should listen and - transmit, the client will also use a different destination port - - one less than the specified port. +@@ -299,6 +303,10 @@ PID file. When shutdown via this method + .B dhclient-script(8) + will be executed with the specific reason for calling the script set. .TP +.BI -H \ hostname +This flag may be used to specify a client hostname that should be sent to +the DHCP server. Note, that this option is a SUSE/Novell extension. +.TP - .BI -s \ server - Specify the server IP address or fully qualified domain name to use as - a destination for DHCP protocol messages before + .BI -p \ port + The UDP port number on which the DHCP client should listen and transmit. + If unspecified, diff --git a/client/dhclient.c b/client/dhclient.c -index dc19e8b..bd02cc9 100644 +index 9b53f07..9fd7ccc 100644 --- a/client/dhclient.c +++ b/client/dhclient.c -@@ -110,6 +110,7 @@ main(int argc, char **argv) { +@@ -119,6 +119,7 @@ main(int argc, char **argv) { int no_dhclient_db = 0; int no_dhclient_pid = 0; int no_dhclient_script = 0; @@ -36,24 +36,30 @@ #ifdef DHCPv6 int local_family_set = 0; #endif /* DHCPv6 */ -@@ -220,6 +221,16 @@ main(int argc, char **argv) { +@@ -231,6 +232,22 @@ main(int argc, char **argv) { if (++i == argc) usage(); mockup_relay = argv[i]; + } else if (!strcmp (argv[i], "-H")) { ++ size_t len; + if (++i == argc || !argv[i] || *(argv[i]) == '\0') + usage (); -+ if (strlen (argv[i]) > HOST_NAME_MAX) { ++ len = strlen (argv[i]); ++ if (len > HOST_NAME_MAX) { + log_error("-H option host-name string "%s" is too long:" + "maximum length is %d characters", + argv[i], HOST_NAME_MAX); + exit(1); ++ } else if(check_domain_name(argv[i], len, 0) != 0) { ++ log_error("suspect host-name in -H "%s"", ++ argv[i]); ++ exit(1); + } + dhclient_hostname = argv [i]; } else if (!strcmp(argv[i], "-nw")) { nowait = 1; } else if (!strcmp(argv[i], "-n")) { -@@ -468,6 +479,32 @@ main(int argc, char **argv) { +@@ -484,6 +501,35 @@ main(int argc, char **argv) { /* Parse the dhclient.conf file. */ read_client_conf(); @@ -63,10 +69,12 @@ + char buf[HOST_NAME_MAX + 40]; + int len; + -+ snprintf (buf, sizeof(buf), "send host-name "%s";", dhclient_hostname); ++ snprintf (buf, sizeof(buf), "send host-name "%s";", ++ dhclient_hostname); + len = strlen(buf); + -+ status = new_parse (&cfile, -1, buf, len, "host-name option", 0); ++ status = new_parse (&cfile, -1, buf, len, ++ "host-name option", 0); + if (status != ISC_R_SUCCESS) + log_fatal ("Cannot parse send host-name statement!"); + @@ -78,7 +86,8 @@ + if (token == END_OF_FILE) + break; + -+ parse_client_statement (cfile, NULL, &top_level_config); ++ parse_client_statement (cfile, NULL, ++ &top_level_config); + } + end_parse (&cfile); + } @@ -86,19 +95,15 @@ /* Parse the lease database. */ read_client_leases(); -@@ -676,12 +713,12 @@ static void usage() +@@ -708,9 +754,9 @@ static void usage() - log_error("Usage: dhclient %s %s", + log_fatal("Usage: dhclient " #ifdef DHCPv6 -- "[-4|-6] [-SNTP1dvrx] [-nw] [-p <port>] [-D LL|LLT]", -+ "[-4|-6] [-SNTP1dvrx] [-nw] [-H <hostname>] [-p <port>] [-D LL|LLT]", +- "[-4|-6] [-SNTP1dvrx] [-nw] [-p <port>] [-D LL|LLT]\n" ++ "[-4|-6] [-SNTP1dvrx] [-nw] [-H <hostname>] [-p <port>] [-D LL|LLT]\n" #else /* DHCPv6 */ -- "[-1dvrx] [-nw] [-p <port>]", -+ "[-1dvrx] [-nw] [-H <hostname>] [-p <port>]", +- "[-1dvrx] [-nw] [-p <port>]\n" ++ "[-1dvrx] [-nw] [-H <hostname>] [-p <port>]\n" #endif /* DHCPv6 */ - "[-s server]"); -- log_error(" [-cf config-file] [-lf lease-file]%s", -+ log_error(" [-cf config-file] [-lf lease-file] %s", - "[-pf pid-file] [-e VAR=val]"); - log_fatal(" [-sf script-file] [interface]"); - } + " [-s server-addr] [-cf config-file] " + "[-lf lease-file]\n" ++++++ dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2 -> dhcp-4.2.2-ldap-patch-mt01.diff.bz2 ++++++ Files dhcp/dhcp-4.2.1-P1-ldap-patch-mt01.diff.bz2 and /mounts/work_src_done/STABLE/dhcp/dhcp-4.2.2-ldap-patch-mt01.diff.bz2 differ ++++++ dhcp-4.1.1-man-includes.diff -> dhcp-4.2.2-man-includes.diff ++++++ --- dhcp/dhcp-4.1.1-man-includes.diff 2010-05-07 16:12:26.000000000 +0200 +++ /mounts/work_src_done/STABLE/dhcp/dhcp-4.2.2-man-includes.diff 2011-08-29 17:37:15.000000000 +0200 @@ -1,26 +1,28 @@ diff --git a/dhcpctl/dhcpctl.3 b/dhcpctl/dhcpctl.3 -index 2e1cb8a..ee44755 100644 +index 9aa1851..7497612 100644 --- a/dhcpctl/dhcpctl.3 +++ b/dhcpctl/dhcpctl.3 -@@ -425,7 +425,7 @@ that most error checking has been ommitted for brevity. - #include <stdio.h> +@@ -430,8 +430,8 @@ that most error checking has been ommitted for brevity. #include <netinet/in.h> + #include <arpa/inet.h> --#include <isc/result.h> -+#include <isc-dhcp/result.h> - #include <dhcpctl/dhcpctl.h> +-#include "omapip/result.h" +-#include "dhcpctl.h" ++#include <omapip/result.h> ++#include <dhcpctl/dhcpctl.h> int main (int argc, char **argv) { + dhcpctl_data_string ipaddrstring = NULL; diff --git a/omapip/omapi.3 b/omapip/omapi.3 -index 4673549..8e2503f 100644 +index 4868d7c..23389b0 100644 --- a/omapip/omapi.3 +++ b/omapip/omapi.3 -@@ -87,7 +87,7 @@ the lease ends. +@@ -88,7 +88,7 @@ the lease ends. #include <stdio.h> #include <netinet/in.h> - #include <isc/result.h> -+ #include <isc-dhcp/result.h> ++ #include <omapip/result.h> #include <dhcpctl/dhcpctl.h> int main (int argc, char **argv) { ++++++ dhcp-4.2.2-quiet-dhclient.bnc711420.diff ++++++ diff --git a/client/dhclient.c b/client/dhclient.c index a1cab01..ff5ede5 100644 --- a/client/dhclient.c +++ b/client/dhclient.c @@ -444,6 +444,9 @@ main(int argc, char **argv) { } else { log_perror = 0; quiet_interface_discovery = 1; +#if !defined(DEBUG) + setlogmask(LOG_UPTO(LOG_NOTICE)); +#endif } /* If we're given a relay agent address to insert, for testing -- 1.7.3.4 ++++++ dhcp-4.2.2-xen-checksum.diff ++++++ diff --git a/common/bpf.c b/common/bpf.c index b0ef657..8bd5727 100644 --- a/common/bpf.c +++ b/common/bpf.c @@ -485,7 +485,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) offset = decode_udp_ip_header (interface, interface -> rbuf, interface -> rbuf_offset, - from, hdr.bh_caplen, &paylen); + from, hdr.bh_caplen, &paylen, 0); /* If the IP or UDP checksum was bad, skip the packet... */ if (offset < 0) { diff --git a/common/dlpi.c b/common/dlpi.c index 8f2c73d..b9eb1d3 100644 --- a/common/dlpi.c +++ b/common/dlpi.c @@ -693,7 +693,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) length -= offset; #endif offset = decode_udp_ip_header (interface, dbuf, bufix, - from, length, &paylen); + from, length, &paylen, 0); /* * If the IP or UDP checksum was bad, skip the packet... diff --git a/common/lpf.c b/common/lpf.c index 16eecc9..4bdb0f1 100644 --- a/common/lpf.c +++ b/common/lpf.c @@ -29,19 +29,33 @@ #include "dhcpd.h" #if defined (USE_LPF_SEND) || defined (USE_LPF_RECEIVE) #include <sys/ioctl.h> +#include <sys/socket.h> #include <sys/uio.h> #include <errno.h> #include <asm/types.h> #include <linux/filter.h> #include <linux/if_ether.h> +#include <linux/if_packet.h> #include <netinet/in_systm.h> -#include <net/if_packet.h> #include "includes/netinet/ip.h" #include "includes/netinet/udp.h" #include "includes/netinet/if_ether.h" #include <net/if.h> +#ifndef PACKET_AUXDATA +#define PACKET_AUXDATA 8 + +struct tpacket_auxdata +{ + __u32 tp_status; + __u32 tp_len; + __u32 tp_snaplen; + __u16 tp_mac; + __u16 tp_net; +}; +#endif + /* Reinitializes the specified interface after an address change. This is not required for packet-filter APIs. */ @@ -67,10 +81,14 @@ int if_register_lpf (info) struct interface_info *info; { int sock; - struct sockaddr sa; + union { + struct sockaddr_ll ll; + struct sockaddr common; + } sa; + struct ifreq ifr; /* Make an LPF socket. */ - if ((sock = socket(PF_PACKET, SOCK_PACKET, + if ((sock = socket(PF_PACKET, SOCK_RAW, htons((short)ETH_P_ALL))) < 0) { if (errno == ENOPROTOOPT || errno == EPROTONOSUPPORT || errno == ESOCKTNOSUPPORT || errno == EPFNOSUPPORT || @@ -85,11 +103,16 @@ int if_register_lpf (info) log_fatal ("Open a socket for LPF: %m"); } + memset (&ifr, 0, sizeof ifr); + strncpy (ifr.ifr_name, (const char *)info -> ifp, sizeof ifr.ifr_name); + if (ioctl (sock, SIOCGIFINDEX, &ifr)) + log_fatal ("Failed to get interface index: %m"); + /* Bind to the interface name */ memset (&sa, 0, sizeof sa); - sa.sa_family = AF_PACKET; - strncpy (sa.sa_data, (const char *)info -> ifp, sizeof sa.sa_data); - if (bind (sock, &sa, sizeof sa)) { + sa.ll.sll_family = AF_PACKET; + sa.ll.sll_ifindex = ifr.ifr_ifindex; + if (bind (sock, &sa.common, sizeof sa)) { if (errno == ENOPROTOOPT || errno == EPROTONOSUPPORT || errno == ESOCKTNOSUPPORT || errno == EPFNOSUPPORT || errno == EAFNOSUPPORT || errno == EINVAL) { @@ -171,9 +194,18 @@ static void lpf_gen_filter_setup (struct interface_info *); void if_register_receive (info) struct interface_info *info; { + int val; + /* Open a LPF device and hang it on this interface... */ info -> rfdesc = if_register_lpf (info); + val = 1; + if (setsockopt (info -> rfdesc, SOL_PACKET, PACKET_AUXDATA, &val, + sizeof val) < 0) { + if (errno != ENOPROTOOPT) + log_fatal ("Failed to set auxiliary packet data: %m"); + } + #if defined (HAVE_TR_SUPPORT) if (info -> hw_address.hbuf [0] == HTYPE_IEEE802) lpf_tr_filter_setup (info); @@ -295,7 +327,6 @@ ssize_t send_packet (interface, packet, raw, len, from, to, hto) double hh [16]; double ih [1536 / sizeof (double)]; unsigned char *buf = (unsigned char *)ih; - struct sockaddr_pkt sa; int result; int fudge; @@ -316,17 +347,7 @@ ssize_t send_packet (interface, packet, raw, len, from, to, hto) (unsigned char *)raw, len); memcpy (buf + ibufp, raw, len); - /* For some reason, SOCK_PACKET sockets can't be connected, - so we have to do a sentdo every time. */ - memset (&sa, 0, sizeof sa); - sa.spkt_family = AF_PACKET; - strncpy ((char *)sa.spkt_device, - (const char *)interface -> ifp, sizeof sa.spkt_device); - sa.spkt_protocol = htons(ETH_P_IP); - - result = sendto (interface -> wfdesc, - buf + fudge, ibufp + len - fudge, 0, - (const struct sockaddr *)&sa, sizeof sa); + result = write (interface -> wfdesc, buf + fudge, ibufp + len - fudge); if (result < 0) log_error ("send_packet: %m"); return result; @@ -343,14 +364,35 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) { int length = 0; int offset = 0; + int nocsum = 0; unsigned char ibuf [1536]; unsigned bufix = 0; unsigned paylen; - - length = read (interface -> rfdesc, ibuf, sizeof ibuf); + unsigned char cmsgbuf[CMSG_LEN(sizeof(struct tpacket_auxdata))]; + struct iovec iov = { + .iov_base = ibuf, + .iov_len = sizeof ibuf, + }; + struct msghdr msg = { + .msg_iov = &iov, + .msg_iovlen = 1, + .msg_control = cmsgbuf, + .msg_controllen = sizeof(cmsgbuf), + }; + struct cmsghdr *cmsg; + + length = recvmsg (interface -> rfdesc, &msg, 0); if (length <= 0) return length; + for (cmsg = CMSG_FIRSTHDR(&msg); cmsg; cmsg = CMSG_NXTHDR(&msg, cmsg)) { + if (cmsg->cmsg_level == SOL_PACKET && + cmsg->cmsg_type == PACKET_AUXDATA) { + struct tpacket_auxdata *aux = (void *)CMSG_DATA(cmsg); + nocsum = aux->tp_status & TP_STATUS_CSUMNOTREADY; + } + } + bufix = 0; /* Decode the physical header... */ offset = decode_hw_header (interface, ibuf, bufix, hfrom); @@ -367,7 +409,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) /* Decode the IP and UDP headers... */ offset = decode_udp_ip_header (interface, ibuf, bufix, from, - (unsigned)length, &paylen); + (unsigned)length, &paylen, nocsum); /* If the IP or UDP checksum was bad, skip the packet... */ if (offset < 0) diff --git a/common/nit.c b/common/nit.c index 3822206..0da9c36 100644 --- a/common/nit.c +++ b/common/nit.c @@ -369,7 +369,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) /* Decode the IP and UDP headers... */ offset = decode_udp_ip_header (interface, ibuf, bufix, - from, length, &paylen); + from, length, &paylen, 0); /* If the IP or UDP checksum was bad, skip the packet... */ if (offset < 0) diff --git a/common/packet.c b/common/packet.c index 42bca69..fd2d975 100644 --- a/common/packet.c +++ b/common/packet.c @@ -211,7 +211,7 @@ ssize_t decode_udp_ip_header(struct interface_info *interface, unsigned char *buf, unsigned bufix, struct sockaddr_in *from, unsigned buflen, - unsigned *rbuflen) + unsigned *rbuflen, int nocsum) { unsigned char *data; struct ip ip; @@ -322,7 +322,7 @@ decode_udp_ip_header(struct interface_info *interface, 8, IPPROTO_UDP + ulen)))); udp_packets_seen++; - if (usum && usum != sum) { + if (!nocsum && usum && usum != sum) { udp_packets_bad_checksum++; if (udp_packets_seen > 4 && (udp_packets_seen / udp_packets_bad_checksum) < 2) { diff --git a/common/upf.c b/common/upf.c index feb82a2..fff3949 100644 --- a/common/upf.c +++ b/common/upf.c @@ -320,7 +320,7 @@ ssize_t receive_packet (interface, buf, len, from, hfrom) /* Decode the IP and UDP headers... */ offset = decode_udp_ip_header (interface, ibuf, bufix, - from, length, &paylen); + from, length, &paylen, 0); /* If the IP or UDP checksum was bad, skip the packet... */ if (offset < 0) diff --git a/includes/dhcpd.h b/includes/dhcpd.h index adf04cc..ded57a9 100644 --- a/includes/dhcpd.h +++ b/includes/dhcpd.h @@ -2793,7 +2793,7 @@ ssize_t decode_hw_header (struct interface_info *, unsigned char *, unsigned, struct hardware *); ssize_t decode_udp_ip_header (struct interface_info *, unsigned char *, unsigned, struct sockaddr_in *, - unsigned, unsigned *); + unsigned, unsigned *, int); /* ethernet.c */ void assemble_ethernet_header (struct interface_info *, unsigned char *, -- 1.7.3.4 ++++++ dhcp-4.2.1-P1.tar.bz2 -> dhcp-4.2.2.tar.bz2 ++++++ dhcp/dhcp-4.2.1-P1.tar.bz2 /mounts/work_src_done/STABLE/dhcp/dhcp-4.2.2.tar.bz2 differ: char 11, line 1 ++++++ dhcpd.conf ++++++ --- /var/tmp/diff_new_pack.57d6Rw/_old 2011-08-31 10:47:05.000000000 +0200 +++ /var/tmp/diff_new_pack.57d6Rw/_new 2011-08-31 10:47:05.000000000 +0200 @@ -13,7 +13,7 @@ # if you do not use dynamical DNS updates: # # if you want to use dynamical DNS updates, you should first read -# read /usr/share/doc/packages/dhcp-server/DDNS-howto.txt +# the manuals and DDNS-howto.txt provided in the dhcp-doc package. # ddns-updates off; ++++++ rc.dhcpd ++++++ --- /var/tmp/diff_new_pack.57d6Rw/_old 2011-08-31 10:47:05.000000000 +0200 +++ /var/tmp/diff_new_pack.57d6Rw/_new 2011-08-31 10:47:05.000000000 +0200 @@ -59,6 +59,11 @@ DAEMON_CONF=/etc/dhcpd.conf DAEMON_STATE=/var/lib/dhcp DAEMON_LEASES=dhcpd.leases +# note: $DAEMON_PIDFILE is a symlink to the +# $DAEMON_STATE$DAEMON_PIDFILE (also +# while DHCPD_RUN_CHROOTED=no) now, +# as DHCPD_RUN_AS is not allowed to +# create pid files in /var/run. DAEMON_PIDFILE=/var/run/dhcpd.pid STARTPROC_LOGFILE=/var/log/rc.dhcpd.log LDAP_CONF=/etc/openldap/ldap.conf @@ -128,7 +133,7 @@ # remove empty pid files to avoid disturbing warnings by checkproc/killproc # (these can occur if dhcpd does not start correctly) test -e $DAEMON_PIDFILE && ! test -s $DAEMON_PIDFILE && rm $DAEMON_PIDFILE -test -e $CHROOT_PREFIX/$DAEMON_PIDFILE && ! test -s $CHROOT_PREFIX/$DAEMON_PIDFILE && rm $CHROOT_PREFIX/$DAEMON_PIDFILE +test -e $DAEMON_STATE/$DAEMON_PIDFILE && ! test -s $DAEMON_STATE/$DAEMON_PIDFILE && rm $DAEMON_STATE/$DAEMON_PIDFILE case "$1" in start) @@ -240,33 +245,33 @@ ## the chroot jail. Therefore, and old pid file may exist. This is only a problem if it ## incidentally contains the pid of a running process. If this process is not a 'dhcpd', ## we remove the pid. (dhcpd itself only checks whether the pid is alive or not.) - if test -e $CHROOT_PREFIX/$DAEMON_PIDFILE -a -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then - p=$(<$CHROOT_PREFIX/$DAEMON_PIDFILE) + if test -s $DAEMON_STATE/$DAEMON_PIDFILE; then + p=$(<$DAEMON_STATE/$DAEMON_PIDFILE) if test -n "$p" && grep -qsE "^${DAEMON_BIN}" "/proc/$p/cmdline" ; then echo -n '(already running) ' else - rm $CHROOT_PREFIX/$DAEMON_PIDFILE + rm -f $DAEMON_STATE/$DAEMON_PIDFILE fi fi + PID_FILE_ARG="$DAEMON_PIDFILE" else DHCPD_ARGS="-lf ${DAEMON_STATE}/db/$DAEMON_LEASES" + PID_FILE_ARG="$DAEMON_STATE$DAEMON_PIDFILE" fi if [ -n "$DHCPD_RUN_AS" ]; then DHCPD_RUN_AS_GROUP="$(getent group $(getent passwd $DHCPD_RUN_AS | cut -d: -f4) | cut -d: -f1)" DHCPD_ARGS="$DHCPD_ARGS -user $DHCPD_RUN_AS -group $DHCPD_RUN_AS_GROUP" - if test "$DHCPD_RUN_CHROOTED" = "yes" ; then - chown "${DHCPD_RUN_AS}:${DHCPD_RUN_AS_GROUP}" \ - "$CHROOT_PREFIX/${DAEMON_PIDFILE%/*}" - fi + chown "${DHCPD_RUN_AS}:${DHCPD_RUN_AS_GROUP}" \ + "$DAEMON_STATE/${DAEMON_PIDFILE%/*}" fi ## check syntax with -t (output to log file) and start only when the syntax is okay rm -f $STARTPROC_LOGFILE # start log error=0 - if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $DAEMON_PIDFILE > $STARTPROC_LOGFILE 2>&1 ; then + if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $PID_FILE_ARG > $STARTPROC_LOGFILE 2>&1 ; then error=1 else ## Start daemon. If this fails the return value is set appropriate. @@ -274,19 +279,20 @@ ## to match the LSB spec. test "$2" = "-v" && echo -en \ - "\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'" + "\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'" - $DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE + $DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE ret=$? fi - + if [ $error -gt 0 -o ${ret:-0} -gt 0 ]; then ## be verbose echo "" - echo -n " please see $STARTPROC_LOGFILE for details "; + echo -n " please see $STARTPROC_LOGFILE for details " ## set status to failed rc_failed else + ln -sf "$DAEMON_STATE$DAEMON_PIDFILE" "$DAEMON_PIDFILE" [ "$DHCPD_RUN_CHROOTED" = "yes" ] && echo -n "[chroot]" || : fi @@ -296,14 +302,29 @@ stop) echo -n "Shutting down $DAEMON " + # Catch the case where daemon is running without chroot, + # but sysconfig/dhcp has been changed to use chroot (and + # another way around). + # In this case is there is no $chroot/$pidfile, but there + # should be a /pidfile that we use instead. + # We can not kill without pid file or dhcp4 kills dhcp6. + PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE" + if test "$DHCPD_RUN_CHROOTED" = "yes" ; then + if test ! -s "$DAEMON_STATE$DAEMON_PIDFILE" -a \ + -s "$DAEMON_PIDFILE" ; then + PID_FILE="$DAEMON_PIDFILE" + fi + else + if test ! -s "$DAEMON_PIDFILE" -a \ + -s "$DAEMON_STATE$DAEMON_PIDFILE" ; then + PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE" + fi + fi + ## Stop daemon with killproc(8) and if this fails ## set echo the echo return value. - - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN + killproc -p "$PID_FILE" $DAEMON_BIN ret=$? - if test -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then - kill $(<$CHROOT_PREFIX/$DAEMON_PIDFILE) 2>/dev/null - fi # umount proc and remove libraries from the chroot jail, # so they are not left over if the server is deinstalled @@ -347,8 +368,8 @@ echo -n "Reload service $DAEMON" if [ "$SUPPORTS_HUP" = "yes" ]; then - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN - #touch $CHROOT_PREFIX/$DAEMON_PIDFILE + killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN + #touch $DAEMON_STATE/$DAEMON_PIDFILE rc_status -v else $0 stop && sleep 3 && $0 start @@ -362,8 +383,8 @@ echo -n "Reload service $DAEMON" if [ "$SUPPORTS_HUP" = "yes" ]; then # If it supports signalling: - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN - #touch $CHROOT_PREFIX/$DAEMON_PIDFILE + killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN + #touch $DAEMON_STATE/$DAEMON_PIDFILE rc_status -v else ## Otherwise if it does not support reload: @@ -383,7 +404,7 @@ # 3 - service not running # NOTE: checkproc returns LSB compliant status values. - checkproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN + checkproc -p $DAEMON_STATE/$DAEMON_PIDFILE $DAEMON_BIN rc_status -v ;; probe) @@ -392,7 +413,7 @@ rc=0 for i in /etc/sysconfig/dhcpd $DAEMON_CONF $DHCPD_CONF_INCLUDE_FILES; do - test $i -nt $CHROOT_PREFIX/$DAEMON_PIDFILE && rc=1 + test $i -nt $DAEMON_STATE/$DAEMON_PIDFILE && rc=1 done test $rc = 1 && echo restart ;; ++++++ rc.dhcpd6 ++++++ --- /var/tmp/diff_new_pack.57d6Rw/_old 2011-08-31 10:47:05.000000000 +0200 +++ /var/tmp/diff_new_pack.57d6Rw/_new 2011-08-31 10:47:05.000000000 +0200 @@ -63,6 +63,11 @@ DAEMON_CONF=/etc/dhcpd6.conf DAEMON_STATE=/var/lib/dhcp6 DAEMON_LEASES=dhcpd6.leases +# note: $DAEMON_PIDFILE is a symlink to the +# $DAEMON_STATE$DAEMON_PIDFILE (also +# while DHCPD_RUN_CHROOTED=no) now, +# as DHCPD_RUN_AS is not allowed to +# create pid files in /var/run. DAEMON_PIDFILE=/var/run/dhcpd6.pid STARTPROC_LOGFILE=/var/log/rc.dhcpd6.log LDAP_CONF= @@ -132,7 +137,7 @@ # remove empty pid files to avoid disturbing warnings by checkproc/killproc # (these can occur if dhcpd does not start correctly) test -e $DAEMON_PIDFILE && ! test -s $DAEMON_PIDFILE && rm $DAEMON_PIDFILE -test -e $CHROOT_PREFIX/$DAEMON_PIDFILE && ! test -s $CHROOT_PREFIX/$DAEMON_PIDFILE && rm $CHROOT_PREFIX/$DAEMON_PIDFILE +test -e $DAEMON_STATE/$DAEMON_PIDFILE && ! test -s $DAEMON_STATE/$DAEMON_PIDFILE && rm $DAEMON_STATE/$DAEMON_PIDFILE case "$1" in start) @@ -244,33 +249,33 @@ ## the chroot jail. Therefore, and old pid file may exist. This is only a problem if it ## incidentally contains the pid of a running process. If this process is not a 'dhcpd', ## we remove the pid. (dhcpd itself only checks whether the pid is alive or not.) - if test -e $CHROOT_PREFIX/$DAEMON_PIDFILE -a -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then - p=$(<$CHROOT_PREFIX/$DAEMON_PIDFILE) + if test -s $DAEMON_STATE/$DAEMON_PIDFILE; then + p=$(<$DAEMON_STATE/$DAEMON_PIDFILE) if test -n "$p" && grep -qsE "^${DAEMON_BIN}" "/proc/$p/cmdline" ; then echo -n '(already running) ' else - rm $CHROOT_PREFIX/$DAEMON_PIDFILE + rm -f $DAEMON_STATE/$DAEMON_PIDFILE fi fi + PID_FILE_ARG="$DAEMON_PIDFILE" else DHCPD_ARGS="-lf ${DAEMON_STATE}/db/$DAEMON_LEASES" + PID_FILE_ARG="$DAEMON_STATE$DAEMON_PIDFILE" fi if [ -n "$DHCPD_RUN_AS" ]; then DHCPD_RUN_AS_GROUP="$(getent group $(getent passwd $DHCPD_RUN_AS | cut -d: -f4) | cut -d: -f1)" DHCPD_ARGS="$DHCPD_ARGS -user $DHCPD_RUN_AS -group $DHCPD_RUN_AS_GROUP" - if test "$DHCPD_RUN_CHROOTED" = "yes" ; then - chown "${DHCPD_RUN_AS}:${DHCPD_RUN_AS_GROUP}" \ - "$CHROOT_PREFIX/${DAEMON_PIDFILE%/*}" - fi + chown "${DHCPD_RUN_AS}:${DHCPD_RUN_AS_GROUP}" \ + "$DAEMON_STATE/${DAEMON_PIDFILE%/*}" fi ## check syntax with -t (output to log file) and start only when the syntax is okay rm -f $STARTPROC_LOGFILE # start log error=0 - if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $DAEMON_PIDFILE > $STARTPROC_LOGFILE 2>&1 ; then + if ! $DAEMON_BIN $DHCPDv_OPT -t -cf $CHROOT_PREFIX/$DAEMON_CONF -pf $PID_FILE_ARG > $STARTPROC_LOGFILE 2>&1 ; then error=1 else ## Start daemon. If this fails the return value is set appropriate. @@ -278,19 +283,20 @@ ## to match the LSB spec. test "$2" = "-v" && echo -en \ - "\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'" + "\nexecuting '$DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE'" - $DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $DAEMON_PIDFILE $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE + $DAEMON_BIN $DHCPDv_OPT -cf $DAEMON_CONF -pf $PID_FILE_ARG $DHCPD_ARGS $DHCPD_OTHER_ARGS $DHCPD_INTERFACE &> $STARTPROC_LOGFILE ret=$? fi - - if [ $error -gt 0 -o ${ret:-0} -gt 0 ]; then + + if [ $error -gt 0 -o ${ret:-0} -gt 0 ]; then ## be verbose echo "" echo -n " please see $STARTPROC_LOGFILE for details " ## set status to failed rc_failed else + ln -sf "$DAEMON_STATE$DAEMON_PIDFILE" "$DAEMON_PIDFILE" [ "$DHCPD_RUN_CHROOTED" = "yes" ] && echo -n "[chroot]" || : fi @@ -300,14 +306,29 @@ stop) echo -n "Shutting down $DAEMON " + # Catch the case where daemon is running without chroot, + # but sysconfig/dhcp has been changed to use chroot (and + # another way around). + # In this case is there is no $chroot/$pidfile, but there + # should be a /pidfile that we use instead. + # We can not kill without pid file or dhcp4 kills dhcp6. + PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE" + if test "$DHCPD_RUN_CHROOTED" = "yes" ; then + if test ! -s "$DAEMON_STATE$DAEMON_PIDFILE" -a \ + -s "$DAEMON_PIDFILE" ; then + PID_FILE="$DAEMON_PIDFILE" + fi + else + if test ! -s "$DAEMON_PIDFILE" -a \ + -s "$DAEMON_STATE$DAEMON_PIDFILE" ; then + PID_FILE="$DAEMON_STATE$DAEMON_PIDFILE" + fi + fi + ## Stop daemon with killproc(8) and if this fails ## set echo the echo return value. - - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN + killproc -p "$PID_FILE" $DAEMON_BIN ret=$? - if test -s $CHROOT_PREFIX/$DAEMON_PIDFILE; then - kill $(<$CHROOT_PREFIX/$DAEMON_PIDFILE) 2>/dev/null - fi # umount proc and remove libraries from the chroot jail, # so they are not left over if the server is deinstalled @@ -351,8 +372,8 @@ echo -n "Reload service $DAEMON" if [ "$SUPPORTS_HUP" = "yes" ]; then - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN - #touch $CHROOT_PREFIX/$DAEMON_PIDFILE + killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN + #touch $DAEMON_STATE/$DAEMON_PIDFILE rc_status -v else $0 stop && sleep 3 && $0 start @@ -366,8 +387,8 @@ echo -n "Reload service $DAEMON" if [ "$SUPPORTS_HUP" = "yes" ]; then # If it supports signalling: - killproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE -HUP $DAEMON_BIN - #touch $CHROOT_PREFIX/$DAEMON_PIDFILE + killproc -p $DAEMON_STATE/$DAEMON_PIDFILE -HUP $DAEMON_BIN + #touch $DAEMON_STATE/$DAEMON_PIDFILE rc_status -v else ## Otherwise if it does not support reload: @@ -387,7 +408,7 @@ # 3 - service not running # NOTE: checkproc returns LSB compliant status values. - checkproc -p $CHROOT_PREFIX/$DAEMON_PIDFILE $DAEMON_BIN + checkproc -p $DAEMON_STATE/$DAEMON_PIDFILE $DAEMON_BIN rc_status -v ;; probe) @@ -396,7 +417,7 @@ rc=0 for i in /etc/sysconfig/dhcpd $DAEMON_CONF $DHCPD_CONF_INCLUDE_FILES; do - test $i -nt $CHROOT_PREFIX/$DAEMON_PIDFILE && rc=1 + test $i -nt $DAEMON_STATE/$DAEMON_PIDFILE && rc=1 done test $rc = 1 && echo restart ;; ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org