authorScott Ullrich <sullrich@pfsense.org>2006-02-11 03:21:32 +0000
committerScott Ullrich <sullrich@pfsense.org>2006-02-11 03:21:32 +0000
commit68a0e4fc14d838c0888dd0e9ab077ff7aabab7e9 (patch)
tree0dc3019867a5276dacd9506b4f20b0d3bb557caf /etc
parent5860dad1525ef9663c95ade81406742980b98cd8 (diff)
downloadpfsense-68a0e4fc14d838c0888dd0e9ab077ff7aabab7e9.zip
pfsense-68a0e4fc14d838c0888dd0e9ab077ff7aabab7e9.tar.gz
MFC 10007-100013
Run DHCPD as user DHCPD. Start DHCPD in a chroot for extra security.
Diffstat (limited to 'etc')
-rw-r--r--etc/inc/services.inc31
1 files changed, 25 insertions, 6 deletions
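--- a/etc/inc/services.inc
+++ b/etc/inc/services.inc
@@ -39,8 +39,27 @@ function services_dhcpd_configure() {
 echo "services_dhcpd_configure($if) being called $mt\n";
 }
+ /* configure DHCPD chroot */
+ $fd = fopen("/tmp/dhcpd.sh","w");
+ $status = `mount | grep "/var/dhcpd/dev"`;
+ fwrite($fd, "mkdir -p /var/dhcpd/dev\n");
+ fwrite($fd, "mkdir -p /var/dhcpd\n");
+ fwrite($fd, "mkdir -p /var/dhcpd/etc\n");
+ fwrite($fd, "mkdir -p /var/dhcpd/usr/local/sbin\n");
+ fwrite($fd, "mkdir -p /var/dhcpd/var/db\n");
+ fwrite($fd, "mkdir -p /var/dhcpd/usr\n");
+ fwrite($fd, "mkdir -p /var/dhcpd/var/dhcpd\n");
+ fwrite($fd, "mkdir -p /var/dhcpd/lib\n");
+ fwrite($fd, "mkdir -p /var/dhcpd/run\n");
+ fwrite($fd, "cp /lib/libc.so.6 /var/dhcpd/lib/\n");
+ fwrite($fd, "cp /usr/local/sbin/dhcpd /var/dhcpd\n");
+ if(!trim($status))
+ fwrite($fd, "mount_devfs devfs /var/dhcpd/dev\n");
+ fclose($fd);
+ mwexec("/bin/sh /tmp/dhcpd.sh");
+
 /* kill any running dhcpd */
- killbypid("{$g['varrun_path']}/dhcpd.pid");
+ killbypid("/var/dhcpd/run/dhcpd.pid");
 $syscfg = $config['system'];
 $dhcpdcfg = $config['dhcpd'];
@@ -64,7 +83,7 @@ function services_dhcpd_configure() {
 sleep(1);
 /* write dhcpd.conf */
- $fd = fopen("{$g['varetc_path']}/dhcpd.conf", "w");
+ $fd = fopen("/var/dhcpd/etc/dhcpd.conf", "w");
 if (!$fd) {
 printf("Error: cannot open dhcpd.conf in services_dhcpd_configure().\n");
 return 1;
@@ -248,14 +267,14 @@ EOD;
 fclose($fd);
 /* create an empty leases database */
- touch("{$g['vardb_path']}/dhcpd.leases");
+ touch("/var/dhcpd/var/db/dhcpd.leases");
- /* fire up dhcpd */
- mwexec("/usr/local/sbin/dhcpd -cf {$g['varetc_path']}/dhcpd.conf " .
+ /* fire up dhcpd in a chroot */
+ mwexec("/usr/local/sbin/dhcpd -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /var/dhcpd/etc/dhcpd.conf " .
 join(" ", $dhcpdifs));
 if ($g['booting']) {
- print "done.\n";
+ print "done.\n";
 }
 return 0;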
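Review bot: The chroot setup in the first hunk writes a shell script to the fixed path /tmp/dhcpd.sh with an unchecked fopen() and then executes it as root through /bin/sh, so a pre-existing file or symlink at that predictable name in the world-writable /tmp could redirect the write or change what gets run, and a failed fopen() would leave every fwrite() silently doing nothing. Each step can be issued directly with mwexec(), which the hunk already uses, so no temporary script is needed; a sketch follows. Separately, killbypid() now reads /var/dhcpd/run/dhcpd.pid while the script only creates /var/dhcpd/run; if dhcpd writes its pid file under /var/run relative to the chroot that would be /var/dhcpd/var/run/dhcpd.pid, a directory the script never creates, so please confirm where this dhcpd build places the pid file under -chroot. Copying dhcpd and libc into /var/dhcpd also looks unnecessary when the daemon is launched from /usr/local/sbin and chroots itself after startup, though I have not verified that for this build. services_dhcpd_configure() begins before the first hunk and continues past the last one.
```php
/* … unchanged: debug echo … */
/* configure DHCPD chroot: run each step directly instead of through a
   predictably named script in the world-writable /tmp */
$status = `mount | grep "/var/dhcpd/dev"`;
foreach (array("dev", "etc", "usr/local/sbin", "var/db", "var/dhcpd", "lib", "run") as $chroot_dir) {
	mwexec("mkdir -p /var/dhcpd/{$chroot_dir}");
}
mwexec("cp /lib/libc.so.6 /var/dhcpd/lib/");
mwexec("cp /usr/local/sbin/dhcpd /var/dhcpd");
if (!trim($status))
	mwexec("mount_devfs devfs /var/dhcpd/dev");
/* … unchanged: kill any running dhcpd … */
```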