From de8f039cf3a527c87ec595fc94a691b0159cd79a Mon Sep 17 00:00:00 2001
From: Jernej Jakob
Date: Thu, 11 Jun 2020 08:04:29 +0200
Subject: vyos-hostsd: T2583: update systemd service

- set RuntimeDirectory to vyos-hostsd
- set RuntimeDirectoryPreserve in order to not delete the state file between service restarts (/run will be deleted across reboots as it's on a tmpfs but the state doesn't need to be saved across reboots anyway)
- set WorkingDirectory to /run/vyos-hostsd
---
 src/systemd/vyos-hostsd.service | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src/systemd')

diff --git a/src/systemd/vyos-hostsd.service b/src/systemd/vyos-hostsd.service
index 731e570c9..db8f630d4 100644
--- a/src/systemd/vyos-hostsd.service
+++ b/src/systemd/vyos-hostsd.service
@@ -10,6 +10,9 @@ DefaultDependencies=no
 After=systemd-remount-fs.service
 
 [Service]
+WorkingDirectory=/run/vyos-hostsd
+RuntimeDirectory=vyos-hostsd
+RuntimeDirectoryPreserve=yes
 ExecStart=/usr/bin/python3 -u /usr/libexec/vyos/services/vyos-hostsd
 Type=idle
 KillMode=process
-- 
cgit v1.2.3

From 96ed330e9691f9db79c837505802ae5055f86348 Mon Sep 17 00:00:00 2001
From: Jernej Jakob
Date: Thu, 11 Jun 2020 08:06:14 +0200
Subject: vyos-hostsd: T2583: add hostsd group

To better control access from other daemons that may not be running as root, create a new group 'hostsd' to which the other daemons running users can be added. Run vyos-hostsd as root:hostsd to create the socket file with correct user and group.
---
 debian/vyos-1x.postinst | 5 +++++
 src/systemd/vyos-hostsd.service | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

(limited to 'src/systemd')

diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index a308401ee..672f90dff 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
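Review bot: `RuntimeDirectory=vyos-hostsd` creates /run/vyos-hostsd with the `RuntimeDirectoryMode=` default of 0755, so the state file that `RuntimeDirectoryPreserve=yes` keeps across restarts is world-readable unless the daemon restricts its own file modes, which this hunk does not show. If that state holds anything beyond what already ends up in the generated hosts/resolver files, add `RuntimeDirectoryMode=0750` after the `RuntimeDirectory=` line; the directory is owned by the unit's `User=`/`Group=`, which are set further down the file outside this hunk, so clients of the socket would then need to be in that group. A one-line comment above `RuntimeDirectoryPreserve=yes` saying why the state must survive restarts but not reboots, e.g. `# state file is rebuilt at boot; keep it only across restarts`, would carry the reasoning from the commit message into the unit.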
@@ -19,3 +19,8 @@ if ! grep -q '^minion' /etc/passwd; then
 adduser --quiet minion disk
 adduser --quiet minion users
 fi
+
+# add hostsd group for vyos-hostsd
+if ! grep -q '^hostsd' /etc/group; then
+ addgroup --quiet --system hostsd
+fi
diff --git a/src/systemd/vyos-hostsd.service b/src/systemd/vyos-hostsd.service
index db8f630d4..b77335778 100644
--- a/src/systemd/vyos-hostsd.service
+++ b/src/systemd/vyos-hostsd.service
@@ -24,7 +24,7 @@ Restart=on-failure
 
 # Does't work in Jessie but leave it here
 User=root
-Group=vyattacfg
+Group=hostsd
 
 [Install]
-- 
cgit v1.2.3

From 3bc07c4fc8bdc865a767aa927bfe9487710ee4d4 Mon Sep 17 00:00:00 2001
From: Jernej Jakob
Date: Thu, 11 Jun 2020 08:10:35 +0200
Subject: dhcp(v6)-server: T2583: run as 'dhcpd' user

Add a 'dhcpd' system user that is a member of hostsd group and can connect to vyos-hostsd. Run dhcpd as this user.
---
 debian/vyos-1x.postinst | 6 ++++++
 src/systemd/isc-dhcp-server.service | 6 +++---
 src/systemd/isc-dhcp-server6.service | 4 ++--
 3 files changed, 11 insertions(+), 5 deletions(-)

(limited to 'src/systemd')

diff --git a/debian/vyos-1x.postinst b/debian/vyos-1x.postinst
index 672f90dff..dc129cb54 100644
--- a/debian/vyos-1x.postinst
+++ b/debian/vyos-1x.postinst
@@ -24,3 +24,9 @@ fi
 if ! grep -q '^hostsd' /etc/group; then
 addgroup --quiet --system hostsd
 fi
+
+# add dhcpd user for dhcp-server
+if ! grep -q '^dhcpd' /etc/passwd; then
+ adduser --quiet --system --disabled-login --no-create-home --home /run/dhcp-server dhcpd
+ adduser --quiet dhcpd hostsd
+fi
diff --git a/src/systemd/isc-dhcp-server.service b/src/systemd/isc-dhcp-server.service
index e13c66dc6..9aa70a7cc 100644
--- a/src/systemd/isc-dhcp-server.service
+++ b/src/systemd/isc-dhcp-server.service
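Review bot: `grep -q '^hostsd' /etc/group` is a prefix match, so any existing group whose name merely starts with `hostsd` makes the `addgroup` step be skipped and the service's `Group=hostsd` then fails to resolve. Anchor on the field separator, `if ! grep -q '^hostsd:' /etc/group; then`, or use `if ! getent group hostsd >/dev/null; then`, which also honours NSS sources. The same prefix-match problem exists in the `'^dhcpd'` check against /etc/passwd in the later postinst hunk of this series, and in the pre-existing `'^minion'` check shown here as context.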
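Review bot: `Group=hostsd` with `User=root` changes the group of the socket the daemon creates (per the commit message), but whether hostsd membership is actually the access boundary depends on the mode the daemon gives that socket and on the mode of its runtime directory, neither of which this hunk sets; a comment above `User=root` stating the intended contract, e.g. `# socket is created root:hostsd; client daemons must be members of hostsd`, would make that explicit. systemd refuses to start a unit whose `Group=` cannot be resolved, so the postinst creating the group before the unit is enabled is load-bearing and worth a note in the same comment.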
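Review bot: `adduser --quiet dhcpd hostsd` sits inside the `if ! grep -q '^dhcpd'` guard, so on a system where a `dhcpd` user already exists from another source the hostsd membership is never added and the daemon's access to vyos-hostsd fails silently; moving that line after the `fi` makes the membership unconditional (adduser on an existing membership reports it and, as far as I recall, exits successfully — confirm for the target release). Also worth a comment: `adduser --system` without `--group` places the user in `nogroup`, which is what the `-group nogroup` arguments in the isc-dhcp-server units rely on, e.g. `# primary group is nogroup (adduser --system default); matches -group nogroup in the dhcpd units`.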
@@ -14,10 +14,10 @@ Environment=PID_FILE=/run/dhcp-server/dhcpd.pid CONFIG_FILE=/run/dhcp-server/dhc
 PIDFile=/run/dhcp-server/dhcpd.pid
 ExecStartPre=/bin/sh -ec '\
 touch ${LEASE_FILE}; \
-chown nobody:nogroup ${LEASE_FILE}* ; \
+chown dhcpd:nogroup ${LEASE_FILE}* ; \
 chmod 664 ${LEASE_FILE}* ; \
-/usr/sbin/dhcpd -4 -t -T -q -user nobody -group nogroup -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE} '
-ExecStart=/usr/sbin/dhcpd -4 -q -user nobody -group nogroup -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE}
+/usr/sbin/dhcpd -4 -t -T -q -user dhcpd -group nogroup -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE} '
+ExecStart=/usr/sbin/dhcpd -4 -q -user dhcpd -group nogroup -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE}
 Restart=always
 
 [Install]
diff --git a/src/systemd/isc-dhcp-server6.service b/src/systemd/isc-dhcp-server6.service
index 8ac861d7a..1345c5fc5 100644
--- a/src/systemd/isc-dhcp-server6.service
+++ b/src/systemd/isc-dhcp-server6.service
@@ -16,8 +16,8 @@ ExecStartPre=/bin/sh -ec '\
 touch ${LEASE_FILE}; \
 chown nobody:nogroup ${LEASE_FILE}* ; \
 chmod 664 ${LEASE_FILE}* ; \
-/usr/sbin/dhcpd -6 -t -T -q -user nobody -group nogroup -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE} '
-ExecStart=/usr/sbin/dhcpd -6 -q -user nobody -group nogroup -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE}
+/usr/sbin/dhcpd -6 -t -T -q -user dhcpd -group nogroup -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE} '
+ExecStart=/usr/sbin/dhcpd -6 -q -user dhcpd -group nogroup -pf ${PID_FILE} -cf ${CONFIG_FILE} -lf ${LEASE_FILE}
 Restart=always
 
 [Install]
-- 
cgit v1.2.3
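Review bot: the `ExecStartPre` step re-owns only the lease files (`chown dhcpd:nogroup ${LEASE_FILE}*`), while dhcpd — now dropping to `dhcpd` — presumably rotates its lease database by writing a new file next to the old one and renaming it, which is what the `${LEASE_FILE}*` glob is covering; that needs write permission on the lease directory for the `dhcpd` user, and nothing in this hunk establishes it. Either add a `chown` of the directory to the same `ExecStartPre` step or add a comment above it naming where that directory ownership is set, e.g. `# /run/dhcp-server must be writable by dhcpd for lease-file rotation (see <where it is created>)`. The `Environment=` line that defines `LEASE_FILE` is above this hunk, so the directory in question is not visible here.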
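Review bot: this hunk switches the v6 daemon to `-user dhcpd` but leaves the context line `chown nobody:nogroup ${LEASE_FILE}* ; \` unchanged, whereas the isc-dhcp-server.service hunk in the same commit changes it to `chown dhcpd:nogroup`. With mode 664 the daemon still gets group write through `nogroup`, but the v6 lease files stay owned by a user the daemon no longer runs as, so anything that needs owner permission (a chmod by dhcpd, or a later tightening of the mode to 0640) would break only on the v6 unit. Change it to `chown dhcpd:nogroup ${LEASE_FILE}* ; \` so both units follow the same ownership rule.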