
rebase patches

OPENBSD_5_7
Brent Cook 9 years ago
parent
commit
2b3c9bfe49
13 changed files with 32 additions and 99 deletions
  1. +2
    -2
      patches/0001-Handle-IPv6-DNS-records-on-IPv4-networks-more-libera.patch
  2. +0
    -36
      patches/0001-be-more-verbose-when-logging-privsep-errors.patch
  3. +5
    -5
      patches/0002-EAI_NODATA-does-not-exist-everywhere.patch
  4. +0
    -31
      patches/0002-do-not-allow-privsep-user-to-be-a-privileged-user.patch
  5. +2
    -2
      patches/0003-Use-LOG_NTP-syslog-facility-if-it-is-available.patch
  6. +4
    -4
      patches/0004-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch
  7. +2
    -2
      patches/0005-check-if-rdomain-support-is-available.patch
  8. +2
    -2
      patches/0006-update-ntpd.conf-to-indicate-OS-dependent-options.patch
  9. +2
    -2
      patches/0007-allow-overriding-default-user-and-file-locations.patch
  10. +2
    -2
      patches/0008-add-p-option-to-create-a-pid-file.patch
  11. +2
    -2
      patches/0009-initialize-setproctitle-where-needed.patch
  12. +2
    -2
      patches/0010-document-SIGUSR1-fallback-if-SIGINFO-is-not-implemen.patch
  13. +7
    -7
      patches/0011-log-context-of-all-fatal-allocations.patch

patches/0003-Handle-IPv6-DNS-records-on-IPv4-networks-more-libera.patch → patches/0001-Handle-IPv6-DNS-records-on-IPv4-networks-more-libera.patch View File

@ -1,7 +1,7 @@
From be2634a7df434a90896a8678da308734943f69bb Mon Sep 17 00:00:00 2001
From c1965168591c557f8eca31399553c0988cffb18f Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Tue, 30 Dec 2014 09:10:22 -0600
Subject: [PATCH 03/13] Handle IPv6 DNS records on IPv4 networks more liberally
Subject: [PATCH 01/11] Handle IPv6 DNS records on IPv4 networks more liberally
Rather than fail on IPv4 only networks when seeing an IPv6 DNS record,
just give a warning.

+ 0
- 36
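--- a/patches/0001-be-more-verbose-when-logging-privsep-errors.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From c214bf6eca6de29239d00b4a9ce6528f82b25bec Mon Sep 17 00:00:00 2001
-From: Brent Cook <busterb@gmail.com>
-Date: Thu, 1 Jan 2015 13:06:38 -0600
-Subject: [PATCH 01/13] be more verbose when logging privsep errors
-Make it easy for a sysadmin to diagnose a privilege separation path
-problem without looking at the source code.
----
-src/usr.sbin/ntpd/ntp.c | 11 +++++++----
-1 file changed, 7 insertions(+), 4 deletions(-)
-diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
-index 87b769b..625364a 100644
---- a/src/usr.sbin/ntpd/ntp.c
-+++ b/src/usr.sbin/ntpd/ntp.c
-@@ -121,10 +121,13 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
-ntp_dns(pipe_dns, nconf, pw);
-close(pipe_dns[1]);
-- if (stat(pw->pw_dir, &stb) == -1)
-- fatal("stat");
-- if (stb.st_uid != 0 || (stb.st_mode & (S_IWGRP|S_IWOTH)) != 0)
-- fatalx("bad privsep dir permissions");
-+ if (stat(pw->pw_dir, &stb) == -1) {
-+ fatal("privsep dir %s could not be opened", pw->pw_dir);
-+ }
-+ if (stb.st_uid != 0 || (stb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
-+ fatalx("bad privsep dir %s permissions: %o",
-+ pw->pw_dir, stb.st_mode);
-+ }
-if (chroot(pw->pw_dir) == -1)
-fatal("chroot");
-if (chdir("/") == -1)
---
-1.9.1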

patches/0004-EAI_NODATA-does-not-exist-everywhere.patch → patches/0002-EAI_NODATA-does-not-exist-everywhere.patch View File

@ -1,7 +1,7 @@
From 266265a2ac85afe947b787e0c991168fa0c4adc0 Mon Sep 17 00:00:00 2001
From c6101d58f26d67ea731745592b35fcb4b05f1ab3 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Tue, 30 Dec 2014 09:04:08 -0600
Subject: [PATCH 04/13] EAI_NODATA does not exist everywhere
Subject: [PATCH 02/11] EAI_NODATA does not exist everywhere
FreeBSD says it is deprecated #ifdef's it out.
@ -15,12 +15,12 @@ portable software now has to have a special check instead.
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index 8904bc4..677139e 100644
index cee0a12..45f2d87 100644
--- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c
@@ -131,8 +131,14 @@ host_dns(const char *s, struct ntp_addr **hn)
hints.ai_family = PF_UNSPEC;
@@ -132,8 +132,14 @@ host_dns(const char *s, struct ntp_addr **hn)
hints.ai_socktype = SOCK_DGRAM; /* DUMMY */
/* ntpd MUST NOT use AI_ADDRCONFIG here */
error = getaddrinfo(s, NULL, &hints, &res0);
- if (error == EAI_AGAIN || error == EAI_NODATA || error == EAI_NONAME)
- return (0);

+ 0
- 31
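--- a/patches/0002-do-not-allow-privsep-user-to-be-a-privileged-user.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From 38bb78974653ef6e791f986cab561c3194f84297 Mon Sep 17 00:00:00 2001
-From: Brent Cook <busterb@gmail.com>
-Date: Thu, 1 Jan 2015 13:26:29 -0600
-Subject: [PATCH 02/13] do not allow privsep user to be a privileged user
-This may need to be a function call for different platforms with
-different capability / privilege mechanisms.
----
-src/usr.sbin/ntpd/ntp.c | 6 ++++++
-1 file changed, 6 insertions(+)
-diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
-index 625364a..c8f095e 100644
---- a/src/usr.sbin/ntpd/ntp.c
-+++ b/src/usr.sbin/ntpd/ntp.c
-@@ -145,6 +145,12 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
-conf = nconf;
-setup_listeners(se, conf, &listener_cnt);
-+ if (pw->pw_uid == 0 || pw->pw_gid == 0)
-+ fatal("privsep user cannot be root");
-+
-+ if (pw->pw_uid == geteuid() || pw->pw_gid == getegid())
-+ fatal("privsep user cannot be the privileged user");
-+
-if (setgroups(1, &pw->pw_gid) ||
-setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
-setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
---
-1.9.1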

patches/0005-Use-LOG_NTP-syslog-facility-if-it-is-available.patch → patches/0003-Use-LOG_NTP-syslog-facility-if-it-is-available.patch View File

@ -1,7 +1,7 @@
From 125039fad99de2ad2ac0c0738c692dae14c48bfb Mon Sep 17 00:00:00 2001
From 5ff8767d8c59f65d4e2706cdb2a241e031f204f5 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Mon, 12 Jan 2015 21:16:54 -0600
Subject: [PATCH 05/13] Use LOG_NTP syslog facility if it is available
Subject: [PATCH 03/11] Use LOG_NTP syslog facility if it is available
FreeBSD PR: 114191
Submitted by: Robert Archer <freebsd@deathbeforedecaf.net>

patches/0006-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch → patches/0004-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch View File

@ -1,14 +1,14 @@
From c7bfa2373a06fbed91ca35cac664b1b92cf6a8d0 Mon Sep 17 00:00:00 2001
From b670f88c2b3aebb8b338aa855193ddd8c06d6319 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Tue, 30 Dec 2014 09:02:50 -0600
Subject: [PATCH 06/13] conditionally fill in sin_len/sin6_len if they exist
Subject: [PATCH 04/11] conditionally fill in sin_len/sin6_len if they exist
---
src/usr.sbin/ntpd/config.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index 677139e..9777110 100644
index 45f2d87..b3d198e 100644
--- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c
@@ -71,7 +71,9 @@ host_v4(const char *s)
@ -31,7 +31,7 @@ index 677139e..9777110 100644
sa_in6->sin6_family = AF_INET6;
memcpy(&sa_in6->sin6_addr,
&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
@@ -154,12 +158,16 @@ host_dns(const char *s, struct ntp_addr **hn)
@@ -155,12 +159,16 @@ host_dns(const char *s, struct ntp_addr **hn)
h->ss.ss_family = res->ai_family;
if (res->ai_family == AF_INET) {
sa_in = (struct sockaddr_in *)&h->ss;

patches/0007-check-if-rdomain-support-is-available.patch → patches/0005-check-if-rdomain-support-is-available.patch View File

@ -1,7 +1,7 @@
From c8bac970282975fd81542dcf5173e5ffdad545c3 Mon Sep 17 00:00:00 2001
From b911b4bf173e66a3d8c4a1323e89343d2957eb61 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Tue, 30 Dec 2014 09:05:46 -0600
Subject: [PATCH 07/13] check if rdomain support is available.
Subject: [PATCH 05/11] check if rdomain support is available.
Handle FreeBSD's calling rdomain 'FIB'.
- from naddy@openbsd.org

patches/0008-update-ntpd.conf-to-indicate-OS-dependent-options.patch → patches/0006-update-ntpd.conf-to-indicate-OS-dependent-options.patch View File

@ -1,7 +1,7 @@
From 9a2a22b3714bdb398f9b03a64d91aecbdd9b5fc0 Mon Sep 17 00:00:00 2001
From f6ca535f9c7d8094633465d44d974495a0d3a5c6 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Tue, 30 Dec 2014 09:20:03 -0600
Subject: [PATCH 08/13] update ntpd.conf to indicate OS-dependent options
Subject: [PATCH 06/11] update ntpd.conf to indicate OS-dependent options
Also, clarify listening behavior based on a patch from
Dererk <dererk@debian.org>

patches/0009-allow-overriding-default-user-and-file-locations.patch → patches/0007-allow-overriding-default-user-and-file-locations.patch View File

@ -1,7 +1,7 @@
From 2e60189298e177d811c4574bf07b4721361d306b Mon Sep 17 00:00:00 2001
From 8cfcaaf084e9969730f3291733430098de80c3ec Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Thu, 1 Jan 2015 07:18:11 -0600
Subject: [PATCH 09/13] allow overriding default user and file locations
Subject: [PATCH 07/11] allow overriding default user and file locations
Allow the build process to override the default ntpd file paths and
default user.

patches/0010-add-p-option-to-create-a-pid-file.patch → patches/0008-add-p-option-to-create-a-pid-file.patch View File

@ -1,7 +1,7 @@
From ff82cc8278eafc04ee00f1e847c7424d857b2907 Mon Sep 17 00:00:00 2001
From f284fcbe288ed0a227a44cdd715b1c5668d4b112 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Wed, 31 Dec 2014 08:26:41 -0600
Subject: [PATCH 10/13] add -p option to create a pid file
Subject: [PATCH 08/11] add -p option to create a pid file
This is used in both the Gentoo and Debian ports.

patches/0011-initialize-setproctitle-where-needed.patch → patches/0009-initialize-setproctitle-where-needed.patch View File

@ -1,7 +1,7 @@
From 026e34d46265334276120711dc80f42ea20c3b82 Mon Sep 17 00:00:00 2001
From 3208d0b0529a09765c0674cbc4c57ab26ab30fc9 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Mon, 12 Jan 2015 06:18:31 -0600
Subject: [PATCH 11/13] initialize setproctitle where needed
Subject: [PATCH 09/11] initialize setproctitle where needed
We need to save a copy of argv and __progname to avoid setproctitle
clobbering them.

patches/0012-document-SIGUSR1-fallback-if-SIGINFO-is-not-implemen.patch → patches/0010-document-SIGUSR1-fallback-if-SIGINFO-is-not-implemen.patch View File

@ -1,7 +1,7 @@
From 0763f9baeb5f915dce6da779cc57a6e374f92cf7 Mon Sep 17 00:00:00 2001
From 51d62c2c4c019ee1e5db2fef7a53df602b76d646 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Mon, 12 Jan 2015 21:17:35 -0600
Subject: [PATCH 12/13] document SIGUSR1 fallback if SIGINFO is not
Subject: [PATCH 10/11] document SIGUSR1 fallback if SIGINFO is not
implemented.
---

patches/0013-log-context-of-all-fatal-allocations.patch → patches/0011-log-context-of-all-fatal-allocations.patch View File

@ -1,7 +1,7 @@
From a53fb3d0ccb42e59b0ce2e3fa6f141da106a7294 Mon Sep 17 00:00:00 2001
From 707c861ce1cb0168aced9d796d44dafb95a841ab Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Mon, 19 Jan 2015 04:37:59 -0600
Subject: [PATCH 13/13] log context of all fatal allocations
Subject: [PATCH 11/11] log context of all fatal allocations
---
src/usr.sbin/ntpd/config.c | 8 ++++----
@ -12,7 +12,7 @@ Subject: [PATCH 13/13] log context of all fatal allocations
5 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index 9777110..56b50d2 100644
index b3d198e..77af63c 100644
--- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c
@@ -41,7 +41,7 @@ host(const char *s, struct ntp_addr **hn)
@ -42,7 +42,7 @@ index 9777110..56b50d2 100644
sa_in6 = (struct sockaddr_in6 *)&h->ss;
#ifdef SIN6_LEN
sa_in6->sin6_len = sizeof(struct sockaddr_in6);
@@ -154,7 +154,7 @@ host_dns(const char *s, struct ntp_addr **hn)
@@ -155,7 +155,7 @@ host_dns(const char *s, struct ntp_addr **hn)
res->ai_family != AF_INET6)
continue;
if ((h = calloc(1, sizeof(struct ntp_addr))) == NULL)
@ -52,7 +52,7 @@ index 9777110..56b50d2 100644
if (res->ai_family == AF_INET) {
sa_in = (struct sockaddr_in *)&h->ss;
diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
index c8f095e..7db98f6 100644
index 4a0d09b..3558ec6 100644
--- a/src/usr.sbin/ntpd/ntp.c
+++ b/src/usr.sbin/ntpd/ntp.c
@@ -112,7 +112,7 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
@ -64,7 +64,7 @@ index c8f095e..7db98f6 100644
hotplugfd = sensor_hotplugfd();
close(pipe_prnt[0]);
@@ -166,10 +166,10 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
@@ -160,10 +160,10 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
signal(SIGCHLD, SIG_DFL);
if ((ibuf_main = malloc(sizeof(struct imsgbuf))) == NULL)
@ -77,7 +77,7 @@ index c8f095e..7db98f6 100644
imsg_init(ibuf_dns, pipe_dns[0]);
TAILQ_FOREACH(p, &conf->ntp_peers, entry)
@@ -508,7 +508,7 @@ ntp_dispatch_imsg_dns(void)
@@ -502,7 +502,7 @@ ntp_dispatch_imsg_dns(void)
while (dlen >= sizeof(struct sockaddr_storage)) {
if ((h = calloc(1, sizeof(struct ntp_addr))) ==
NULL)
