Revision bump to fix non-root runs. Thanks to Ondrej Caletka for the patch and info about the issue.

(Portage version: 2.2.0_alpha120/cvs/Linux x86_64)
author: Tomas Chvatal <scarabeus@gentoo.org> 2012-07-26 14:00:35 +0000
committer: Tomas Chvatal <scarabeus@gentoo.org> 2012-07-26 14:00:35 +0000
commit: 95403ceb8a9d39fcf301588007a8b1ea50f6b49e (patch)
tree: e89fc4e3bf709362fe9eef45ce7adadc7e88bc16 /net-dns/knot
parent: net-misc/gip: Version Bump; respect the *FLAGS, #427874 (diff)
download: gentoo-2-95403ceb8a9d39fcf301588007a8b1ea50f6b49e.tar.gz
gentoo-2-95403ceb8a9d39fcf301588007a8b1ea50f6b49e.tar.bz2
gentoo-2-95403ceb8a9d39fcf301588007a8b1ea50f6b49e.zip
3 files changed, 349 insertions, 4 deletions
diff --git a/net-dns/knot/ChangeLog b/net-dns/knot/ChangeLog
index bf0d027e3b7d..8bcb179dc097 100644
--- a/net-dns/knot/ChangeLog
+++ b/net-dns/knot/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for net-dns/knot
 # Copyright 1999-2012 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-dns/knot/ChangeLog,v 1.9 2012/06/21 18:08:30 scarabeus Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-dns/knot/ChangeLog,v 1.10 2012/07/26 14:00:35 scarabeus Exp $
+
+*knot-1.0.6-r1 (26 Jul 2012)
+
+  26 Jul 2012; Tomáš Chvátal <scarabeus@gentoo.org>
+  +files/knot-1.0.6-userpriv.patch, +knot-1.0.6-r1.ebuild, -knot-1.0.6.ebuild:
+  Revision bump to fix non-root runs. Thanks to Ondrej Caletka for the patch and
+  info about the issue.
 
 *knot-1.0.6 (21 Jun 2012)
 
@@ -47,4 +54,3 @@
   Initial commit of knot dns authoritative server used by NIC.cz. Added to herd
   bind as it is closest herd. Can't do much runtime testing on gentoo but
   possibly can fix packaging errors.
-
diff --git a/net-dns/knot/files/knot-1.0.6-userpriv.patch b/net-dns/knot/files/knot-1.0.6-userpriv.patch
new file mode 100644
index 000000000000..1526ca445dfb
--- /dev/null
+++ b/net-dns/knot/files/knot-1.0.6-userpriv.patch
@@ -0,0 +1,338 @@
+diff --git a/src/knot/conf/conf.c b/src/knot/conf/conf.c
+index 4bbf622..0785b04 100644
+--- a/src/knot/conf/conf.c
++++ b/src/knot/conf/conf.c
+@@ -309,6 +309,10 @@ static int conf_process(conf_t *conf)
+ 		strncat(dest, dbext, strlen(dbext));
+ 		zone->ixfr_db = dest;
+ 	}
++	
++	/* Update UID and GID. */
++	if (conf->uid < 0) conf->uid = getuid();
++	if (conf->gid < 0) conf->gid = getgid();
+ 
+ 	return ret;
+ }
+diff --git a/src/knot/ctl/knotc_main.c b/src/knot/ctl/knotc_main.c
+index 97412dd..7f74bca 100644
+--- a/src/knot/ctl/knotc_main.c
++++ b/src/knot/ctl/knotc_main.c
+@@ -43,7 +43,8 @@ enum knotc_flag_t {
+ 	F_VERBOSE     = 1 << 1,
+ 	F_WAIT        = 1 << 2,
+ 	F_INTERACTIVE = 1 << 3,
+-	F_AUTO        = 1 << 4
++	F_AUTO        = 1 << 4,
++	F_UNPRIVILEGED= 1 << 5
+ };
+ 
+ static inline unsigned has_flag(unsigned flags, enum knotc_flag_t f) {
+@@ -142,10 +143,15 @@ pid_t wait_cmd(pid_t proc, int *rc)
+ 	return proc;
+ }
+ 
+-pid_t start_cmd(const char *argv[], int argc)
++pid_t start_cmd(const char *argv[], int argc, int flags)
+ {
+ 	pid_t chproc = fork();
+ 	if (chproc == 0) {
++	
++		/* Alter privileges. */
++		if (flags & F_UNPRIVILEGED) {
++			proc_update_privileges(conf()->uid, conf()->gid);
++		}
+ 
+ 		/* Duplicate, it doesn't run from stack address anyway. */
+ 		char **args = malloc((argc + 1) * sizeof(char*));
+@@ -180,7 +186,7 @@ pid_t start_cmd(const char *argv[], int argc)
+ int exec_cmd(const char *argv[], int argc)
+ {
+ 	int ret = 0;
+-	pid_t proc = start_cmd(argv, argc);
++	pid_t proc = start_cmd(argv, argc, 0);
+ 	wait_cmd(proc, &ret);
+ 	return ret;
+ }
+@@ -291,17 +297,6 @@ int execute(const char *action, char **argv, int argc, pid_t pid,
+ 	int valid_cmd = 0;
+ 	int rc = 0;
+ 	if (strcmp(action, "start") == 0) {
+-		// Check pidfile for w+
+-		FILE* chkf = fopen(pidfile, "w+");
+-		if (chkf == NULL) {
+-			log_server_error("PID file '%s' is not writeable, "
+-			                 "refusing to start\n", pidfile);
+-			return 1;
+-		} else {
+-			fclose(chkf);
+-			chkf = NULL;
+-		}
+-
+ 		// Check PID
+ 		valid_cmd = 1;
+ //		if (pid < 0 && pid == KNOT_ERANGE) {
+@@ -604,7 +599,7 @@ int execute(const char *action, char **argv, int argc, pid_t pid,
+ 			}
+ 			fflush(stdout);
+ 			fflush(stderr);
+-			pid_t zcpid = start_cmd(args, ac);
++			pid_t zcpid = start_cmd(args, ac, F_UNPRIVILEGED);
+ 			zctask_add(tasks, jobs, zcpid, zone);
+ 			++running;
+ 		}
+@@ -722,7 +717,7 @@ int main(int argc, char **argv)
+ 		log_levels_add(LOGT_STDOUT, LOG_ANY,
+ 		               LOG_MASK(LOG_INFO)|LOG_MASK(LOG_DEBUG));
+ 	}
+-
++	
+ 	// Fetch PID
+ 	char* pidfile = pid_filename();
+ 	if (!pidfile) {
+diff --git a/src/knot/ctl/process.c b/src/knot/ctl/process.c
+index bb61804..8864cd0 100644
+--- a/src/knot/ctl/process.c
++++ b/src/knot/ctl/process.c
+@@ -21,6 +21,8 @@
+ #include <errno.h>
+ #include <string.h>
+ #include <signal.h>
++#include <grp.h>
++#include <unistd.h>
+ 
+ #include "knot/common.h"
+ #include "knot/ctl/process.h"
+@@ -113,6 +115,7 @@ int pid_write(const char* fn)
+ int pid_remove(const char* fn)
+ {
+ 	if (unlink(fn) < 0) {
++		perror("unlink");
+ 		return KNOTD_EINVAL;
+ 	}
+ 
+@@ -124,3 +127,45 @@ int pid_running(pid_t pid)
+ 	return kill(pid, 0) == 0;
+ }
+ 
++void proc_update_privileges(int uid, int gid)
++{
++#ifdef HAVE_SETGROUPS
++	/* Drop supplementary groups. */
++	if (uid != getuid() || gid != getgid()) {
++		if (setgroups(0, NULL) < 0) {
++			log_server_warning("Failed to drop supplementary groups"
++			                   " for uid '%d' (%s).\n",
++			                   getuid(), strerror(errno));
++		}
++	}
++#endif
++	
++	/* Watch uid/gid. */
++	if (gid != getgid()) {
++		log_server_info("Changing group id to '%d'.\n", gid);
++		if (setregid(gid, gid) < 0) {
++			log_server_error("Failed to change gid to '%d'.\n",
++			                 gid);
++		}
++	}
++	if (uid != getuid()) {
++		log_server_info("Changing user id to '%d'.\n", uid);
++		if (setreuid(uid, uid) < 0) {
++			log_server_error("Failed to change uid to '%d'.\n",
++			                 uid);
++		}
++	}
++	
++	/* Check storage writeability. */
++	char *lfile = strcdup(conf()->storage, "/knot.lock");
++	assert(lfile != NULL);
++	FILE* fp = fopen(lfile, "w");
++	if (fp == NULL) {
++		log_server_warning("Storage directory '%s' is not writeable.\n",
++		                   conf()->storage);
++	} else {
++		fclose(fp);
++		unlink(lfile);
++	}
++	free(lfile);
++}
+diff --git a/src/knot/ctl/process.h b/src/knot/ctl/process.h
+index d8f2f4c..a387add 100644
+--- a/src/knot/ctl/process.h
++++ b/src/knot/ctl/process.h
+@@ -83,6 +83,15 @@ int pid_remove(const char* fn);
+  */
+ int pid_running(pid_t pid);
+ 
++/*!
++ * \brief Update process privileges to new UID/GID.
++ *
++ * \param uid New user ID.
++ * \param gid New group ID.
++ *
++ */
++void proc_update_privileges(int uid, int gid);
++
+ #endif // _KNOTD_PROCESS_H_
+ 
+ /*! @} */
+diff --git a/src/knot/main.c b/src/knot/main.c
+index 99ee1cf..a62230a 100644
+--- a/src/knot/main.c
++++ b/src/knot/main.c
+@@ -20,6 +20,7 @@
+ #include <unistd.h>
+ #include <getopt.h>
+ #include <limits.h>
++
+ #ifdef HAVE_CAP_NG_H
+ #include <cap-ng.h>
+ #endif /* HAVE_CAP_NG_H */
+@@ -161,7 +162,6 @@ int main(int argc, char **argv)
+ 	conf_read_lock();
+ 	conf_add_hook(conf(), CONF_LOG, log_conf_hook, 0);
+ 	conf_add_hook(conf(), CONF_ALL, server_conf_hook, server);
+-	conf_add_hook(conf(), CONF_ALL, zones_ns_conf_hook, server->nameserver);
+ 	conf_read_unlock();
+ 
+ 	// Find implicit configuration file
+@@ -242,21 +242,28 @@ int main(int argc, char **argv)
+ 	}
+ 	log_server_info("\n");
+ 
+-	// Create server instance
+-	char* pidfile = pid_filename();
++	/* Alter privileges. */
++	proc_update_privileges(conf()->uid, conf()->gid);
++	
++	/* Load zones and add hook. */
++	zones_ns_conf_hook(conf(), server->nameserver);
++	conf_add_hook(conf(), CONF_ALL, zones_ns_conf_hook, server->nameserver);
+ 
+ 	// Run server
+ 	int res = 0;
++	int has_pid = 0;
++	char* pidfile = pid_filename();
+ 	log_server_info("Starting server...\n");
+ 	if ((server_start(server)) == KNOTD_EOK) {
+ 
+ 		// Save PID
+-		int has_pid = 1;
++		has_pid = 1;
+ 		int rc = pid_write(pidfile);
+ 		if (rc < 0) {
+ 			has_pid = 0;
+ 			log_server_warning("Failed to create "
+-					   "PID file '%s'.\n", pidfile);
++					   "PID file '%s' (%s).\n",
++					   pidfile, strerror(errno));
+ 		}
+ 
+ 		// Change directory if daemonized
+@@ -370,7 +377,7 @@ int main(int argc, char **argv)
+ 	server_destroy(&server);
+ 
+ 	// Remove PID file
+-	if (pid_remove(pidfile) < 0) {
++	if (has_pid && pid_remove(pidfile) < 0) {
+ 		log_server_warning("Failed to remove PID file.\n");
+ 	}
+ 
+diff --git a/src/knot/server/server.c b/src/knot/server/server.c
+index 5611a0c..5df7fe1 100644
+--- a/src/knot/server/server.c
++++ b/src/knot/server/server.c
+@@ -22,8 +22,6 @@
+ #include <errno.h>
+ #include <openssl/evp.h>
+ #include <assert.h>
+-#include <grp.h>
+-
+ 
+ #include "common/prng.h"
+ #include "knot/common.h"
+@@ -743,51 +741,9 @@ int server_conf_hook(const struct conf_t *conf, void *data)
+ 			                 "configured interfaces.\n");
+ 		}
+ 	}
+-	
+-	/* Lock configuration. */
+-	conf_read_lock();
+-	int priv_failed = 0;
+-	
+-#ifdef HAVE_SETGROUPS
+-	/* Drop supplementary groups. */
+-	if (conf->gid > -1 || conf->uid > -1) {
+-		ret = setgroups(0, NULL);
+-		
+-		/* Collect results. */
+-		if (ret < 0) {
+-			log_server_error("Failed to set supplementary groups "
+-			                 "for uid '%d' (%s).\n",
+-			                 getuid(), strerror(errno));
+-			priv_failed = 1;
+-		}
+-	}
+-#endif
+-	
+-	/* Watch uid/gid. */
+-	if (conf->gid > -1 && conf->gid != getgid()) {
+-		log_server_info("Changing group id to '%d'.\n", conf->gid);
+-		if (setregid(conf->gid, conf->gid) < 0) {
+-			log_server_error("Failed to change gid to '%d'.\n",
+-			                 conf->gid);
+-			priv_failed = 1;
+-		}
+-	}
+-	if (conf->uid > -1 && conf->uid != getuid()) {
+-		log_server_info("Changing user id to '%d'.\n", conf->uid);
+-		if (setreuid(conf->uid, conf->uid) < 0) {
+-			log_server_error("Failed to change uid to '%d'.\n",
+-			                 conf->uid);
+-			priv_failed = 1;
+-		}
+-	}
+-
+-	if (priv_failed) {
+-		ret = KNOTD_EACCES;
+-	}
+ 
+ 	/* Exit if the server is not running. */
+ 	if (ret != KNOTD_EOK || !(server->state & ServerRunning)) {
+-		conf_read_unlock();
+ 		return KNOTD_ENOTRUNNING;
+ 	}
+ 
+@@ -807,9 +763,6 @@ int server_conf_hook(const struct conf_t *conf, void *data)
+ 		}
+ 	}
+ 
+-	/* Unlock config. */
+-	conf_read_unlock();
+-
+ 	return ret;
+ }
+ 
+diff --git a/src/zcompile/zcompile.c b/src/zcompile/zcompile.c
+index c4415d4..3c39004 100644
+--- a/src/zcompile/zcompile.c
++++ b/src/zcompile/zcompile.c
+@@ -570,7 +570,7 @@ int zone_read(const char *name, const char *zonefile, const char *outfile,
+ 	}
+ 
+ 	if (!knot_dname_is_fqdn(dname)) {
+-		fprintf(stderr, "Error: given zone origin is not FQDN.\n");
++		log_zone_error("Error: given zone origin is not FQDN.\n");
+ 		knot_dname_release(dname);
+ 		return KNOTDZCOMPILE_EINVAL;
+ 	}
+@@ -660,8 +660,7 @@ int zone_read(const char *name, const char *zonefile, const char *outfile,
+ 
+ 	if (found_orphans != parser->rrsig_orphan_count) {
+ 		/*! \todo This might be desired behaviour. */
+-		fprintf(stderr,
+-		        "There are unassigned RRSIGs in the zone!\n");
++		log_zone_error("There are unassigned RRSIGs in the zone!\n");
+ 		parser->errors++;
+ 	}
+ 
diff --git a/net-dns/knot/knot-1.0.6.ebuild b/net-dns/knot/knot-1.0.6-r1.ebuild
index 6036622730bf..980cf69f11af 100644
--- a/net-dns/knot/knot-1.0.6.ebuild
+++ b/net-dns/knot/knot-1.0.6-r1.ebuild
@@ -1,6 +1,6 @@
 # Copyright 1999-2012 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-dns/knot/knot-1.0.6.ebuild,v 1.1 2012/06/21 18:08:30 scarabeus Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-dns/knot/knot-1.0.6-r1.ebuild,v 1.1 2012/07/26 14:00:35 scarabeus Exp $
 
 EAPI=4
 
@@ -29,7 +29,8 @@ DEPEND="${RDEPEND}
 src_prepare() {
 	epatch \
 		"${FILESDIR}"/${PN}-move-pidfile-to-var.patch \
-		"${FILESDIR}"/${PN}-braindead-lto.patch
+		"${FILESDIR}"/${PN}-braindead-lto.patch \
+		"${FILESDIR}"/${P}-userpriv.patch
 	sed -i \
 		-e 's:-Werror::g' \
 		configure.ac || die
author	Tomas Chvatal <scarabeus@gentoo.org>	2012-07-26 14:00:35 +0000
committer	Tomas Chvatal <scarabeus@gentoo.org>	2012-07-26 14:00:35 +0000
commit	95403ceb8a9d39fcf301588007a8b1ea50f6b49e (patch)
tree	e89fc4e3bf709362fe9eef45ce7adadc7e88bc16 /net-dns/knot
parent	net-misc/gip: Version Bump; respect the *FLAGS, #427874 (diff)
download	gentoo-2-95403ceb8a9d39fcf301588007a8b1ea50f6b49e.tar.gz gentoo-2-95403ceb8a9d39fcf301588007a8b1ea50f6b49e.tar.bz2 gentoo-2-95403ceb8a9d39fcf301588007a8b1ea50f6b49e.zip