Merge lp:~andreserl/maas/dhcpd_paranoia into lp:~maas-maintainers/maas/packaging

Proposed by Andres Rodriguez on 2016-03-16
Status: Merged
Approved by: Andres Rodriguez on 2016-03-16
Approved revision: 462
Merged at revision: 460
Proposed branch: lp:~andreserl/maas/dhcpd_paranoia
Merge into: lp:~maas-maintainers/maas/packaging
Diff against target: 80 lines (+17/-14)
4 files modified
debian/changelog (+11/-3)
debian/maas-dhcp.apparmor (+0/-4)
debian/maas-dhcp.maas-dhcpd.service (+3/-4)
debian/maas-dhcp.maas-dhcpd6.service (+3/-3)
To merge this branch: bzr merge lp:~andreserl/maas/dhcpd_paranoia
Reviewer | Review Type | Date Requested | Status
Andres Rodriguez | | | Approve on 2016-03-16
Blake Rouse | | 2016-03-16 | Approve on 2016-03-16
Review via email: mp+289187@code.launchpad.net

Commit message

Update dhcpd permissions to conform with most recent paranoia described on LP: 1543794, so capability dac_override is not granted.

Blake Rouse (blake-rouse) wrote :

Looks good except for the revert you are doing. Fix before landing.

review: Approve
lp:~andreserl/maas/dhcpd_paranoia updated on 2016-03-16
461. By Andres Rodriguez on 2016-03-16

Fix change on Killmode

462. By Andres Rodriguez on 2016-03-16

fix typo

Andres Rodriguez (andreserl) wrote :

landing then!

review: Approve

Preview Diff

1=== modified file 'debian/changelog'
2--- debian/changelog 2016-03-12 01:45:07 +0000
3+++ debian/changelog 2016-03-16 14:20:56 +0000
4@@ -1,6 +1,14 @@
5-maas (2.0.0~alpha2+bzr4773-0ubuntu1) UNRELEASED; urgency=medium
6-
7- * New usptream release, 2.0.0 bzr 4773 (LP: #1553261).
8+maas (2.0.0~alpha3+bzr4785-0ubuntu1) UNRELEASED; urgency=medium
9+
10+ * New upstream release, 2.0.0 bzr 4779 (LP: #1553261)
11+ * Update dhcpd permissions to conform with most recent paranoia described
12+ on LP: 1543794, so capability dac_override is not granted.
13+
14+ -- Andres Rodriguez <andreserl@ubuntu.com> Mon, 14 Mar 2016 18:34:53 -0400
15+
16+maas (2.0.0~alpha2+bzr4776-0ubuntu1) xenial; urgency=medium
17+
18+ * New usptream release, 2.0.0 bzr 4776 (LP: #1553261).
19 * maas-dns Depends: bind9 >= 1:9.10.3.dfsg.P2-5 for better system time.
20 LP: #1553176.
21 * debian/extras/maas-{region,rack}: Replace maas-region-admin
22
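Review bot: The revision numbers in the new top entry disagree: the version string is 2.0.0~alpha3+bzr4785 but the first bullet reads "New upstream release, 2.0.0 bzr 4779", so one of the two needs correcting before upload. The second bullet writes "LP: 1543794" without the "#", unlike every other bug reference in this file (for example "LP: #1553261"); use "LP: #1543794" so the reference follows the same form. The re-added alpha2 entry also still carries the "usptream" typo that the new entry fixes.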
23=== modified file 'debian/maas-dhcp.apparmor'
24--- debian/maas-dhcp.apparmor 2015-08-11 10:57:05 +0000
25+++ debian/maas-dhcp.apparmor 2016-03-16 14:20:56 +0000
26@@ -1,7 +1,3 @@
27-# Work around bug:
28-# https://bugs.launchpad.net/ubuntu/+source/isc-dhcp/+bug/1186662
29-capability dac_override,
30-
31 /run/maas/dhcp/ r,
32 /run/maas/dhcp/** r,
33 /run/maas/dhcp/*.pid lrw,
34
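Review bot: With "capability dac_override," removed, the daemon can no longer bypass file modes, so every path it writes after dropping to the dhcpd user has to be writable through ordinary ownership, and this profile does not say where that is arranged. The unit files in this same change set root:dhcpd with 775/664 on /var/lib/maas/dhcp, but they only delete the chown on /run/maas/dhcp and add nothing in its place, leaving it as mkdir -p created it. Please confirm that the pid file matched by "/run/maas/dhcp/*.pid lrw," is written before privileges are dropped, or give /run/maas/dhcp the same group treatment, and leave a one-line comment here pointing at LP: 1543794 in place of the deleted workaround note.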
35=== modified file 'debian/maas-dhcp.maas-dhcpd.service'
36--- debian/maas-dhcp.maas-dhcpd.service 2016-03-15 18:58:50 +0000
37+++ debian/maas-dhcp.maas-dhcpd.service 2016-03-16 14:20:56 +0000
38@@ -15,16 +15,15 @@
39 KillSignal=SIGKILL
40 # Allow dhcp server to write lease and pid file as 'dhcpd' user
41 ExecStartPre=/bin/mkdir -p /run/maas/dhcp
42-ExecStartPre=/bin/chown root:root /run/maas/dhcp
43-# The leases files need to be root:root even when dropping privileges
44+# The leases files need to be root:dhcpd even when dropping privileges
45 ExecStartPre=/bin/mkdir -p /var/lib/maas/dhcp
46-ExecStartPre=/bin/chown root:root /var/lib/maas/dhcp
47 # Start the daemon
48 ExecStart=/bin/sh -ec '\
49 INTERFACES=$(cat /var/lib/maas/dhcpd-interfaces); \
50 LEASES_FILE=/var/lib/maas/dhcp/dhcpd.leases; \
51 [ -e $LEASES_FILE ] || touch $LEASES_FILE; \
52- chown root:root /var/lib/maas/dhcp /var/lib/maas/dhcp/dhcpd.leases*; \
53+ chown root:dhcpd /var/lib/maas/dhcp /var/lib/maas/dhcp/dhcpd.leases*; \
54+ chmod 775 /var/lib/maas/dhcp ; chmod 664 /var/lib/maas/dhcp/dhcpd.leases; \
55 exec dhcpd -user dhcpd -group dhcpd -f -q -4 -pf /run/maas/dhcp/dhcpd.pid \
56 -cf /var/lib/maas/dhcpd.conf -lf $LEASES_FILE $INTERFACES'
57
58
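Review bot: The new chmod on the ExecStart line covers less than the chown above it: chown is applied to "/var/lib/maas/dhcp/dhcpd.leases*" while "chmod 664" names only dhcpd.leases, so any other file matching the glob gets group dhcpd but keeps whatever mode it already had. Apply the chmod to the same glob, or drop the glob from the chown if only the live lease file matters. Also consider whether the "other" bits are needed at all: 775 and 664 leave the directory and the lease file world-readable, and 770/660 would still satisfy the stated goal of letting group dhcpd write without dac_override.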
59=== modified file 'debian/maas-dhcp.maas-dhcpd6.service'
60--- debian/maas-dhcp.maas-dhcpd6.service 2016-03-15 18:58:50 +0000
61+++ debian/maas-dhcp.maas-dhcpd6.service 2016-03-16 14:20:56 +0000
62@@ -15,16 +15,16 @@
63 KillSignal=SIGKILL
64 # Allow dhcp server to write lease and pid file as 'dhcpd' user
65 ExecStartPre=/bin/mkdir -p /run/maas/dhcp
66-ExecStartPre=/bin/chown root:root /run/maas/dhcp
67-# The leases files need to be root:root even when dropping privileges
68+# The leases files need to be root:dhcpd even when dropping privileges
69 ExecStartPre=/bin/mkdir -p /var/lib/maas/dhcp
70-ExecStartPre=/bin/chown root:root /var/lib/maas/dhcp
71 # Start the daemon
72 ExecStart=/bin/sh -ec '\
73 INTERFACES=$(cat /var/lib/maas/dhcpd-interfaces); \
74 LEASES_FILE=/var/lib/maas/dhcp/dhcpd6.leases; \
75 [ -e $LEASES_FILE ] || touch $LEASES_FILE; \
76 chown root:root /var/lib/maas/dhcp /var/lib/maas/dhcp/dhcpd6.leases*; \
77+ chown root:dhcpd /var/lib/maas/dhcp /var/lib/maas/dhcp/dhcpd6.leases; \
78+ chmod 775 /var/lib/maas/dhcp ; chmod 664 /var/lib/maas/dhcp/dhcpd6.leases; \
79 exec dhcpd -user dhcpd -group dhcpd -f -6 -pf /run/maas/dhcp/dhcpd6.pid \
80 -cf /var/lib/maas/dhcpd6.conf -lf $LEASES_FILE $INTERFACES'
81
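Review bot: The old "chown root:root /var/lib/maas/dhcp /var/lib/maas/dhcp/dhcpd6.leases*;" line is left in place as context and the new root:dhcpd chown is added after it, whereas the dhcpd (v4) unit replaces the line. Both now run on every start, and because the new chown drops the trailing "*", any other file matching dhcpd6.leases* ends up root:root while the live file is root:dhcpd. Remove the root:root line and keep the glob on the new one so the two units stay symmetric; the "chmod 664" should then cover the same set of files as the chown.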
