
rebase patches

OPENBSD_5_7
Brent Cook 10 years ago
parent
commit
2b3c9bfe49
13 changed files with 32 additions and 99 deletions
  1. +2
    -2
      patches/0001-Handle-IPv6-DNS-records-on-IPv4-networks-more-libera.patch
  2. +0
    -36
      patches/0001-be-more-verbose-when-logging-privsep-errors.patch
  3. +5
    -5
      patches/0002-EAI_NODATA-does-not-exist-everywhere.patch
  4. +0
    -31
      patches/0002-do-not-allow-privsep-user-to-be-a-privileged-user.patch
  5. +2
    -2
      patches/0003-Use-LOG_NTP-syslog-facility-if-it-is-available.patch
  6. +4
    -4
      patches/0004-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch
  7. +2
    -2
      patches/0005-check-if-rdomain-support-is-available.patch
  8. +2
    -2
      patches/0006-update-ntpd.conf-to-indicate-OS-dependent-options.patch
  9. +2
    -2
      patches/0007-allow-overriding-default-user-and-file-locations.patch
  10. +2
    -2
      patches/0008-add-p-option-to-create-a-pid-file.patch
  11. +2
    -2
      patches/0009-initialize-setproctitle-where-needed.patch
  12. +2
    -2
      patches/0010-document-SIGUSR1-fallback-if-SIGINFO-is-not-implemen.patch
  13. +7
    -7
      patches/0011-log-context-of-all-fatal-allocations.patch

patches/0003-Handle-IPv6-DNS-records-on-IPv4-networks-more-libera.patch → patches/0001-Handle-IPv6-DNS-records-on-IPv4-networks-more-libera.patch View File

@ -1,7 +1,7 @@
From be2634a7df434a90896a8678da308734943f69bb Mon Sep 17 00:00:00 2001
From c1965168591c557f8eca31399553c0988cffb18f Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Tue, 30 Dec 2014 09:10:22 -0600 Date: Tue, 30 Dec 2014 09:10:22 -0600
Subject: [PATCH 03/13] Handle IPv6 DNS records on IPv4 networks more liberally
Subject: [PATCH 01/11] Handle IPv6 DNS records on IPv4 networks more liberally
Rather than fail on IPv4 only networks when seeing an IPv6 DNS record, Rather than fail on IPv4 only networks when seeing an IPv6 DNS record,
just give a warning. just give a warning.

+ 0
- 36
patches/0001-be-more-verbose-when-logging-privsep-errors.patch View File

@ -1,36 +0,0 @@
From c214bf6eca6de29239d00b4a9ce6528f82b25bec Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Thu, 1 Jan 2015 13:06:38 -0600
Subject: [PATCH 01/13] be more verbose when logging privsep errors
Make it easy for a sysadmin to diagnose a privilege separation path
problem without looking at the source code.
---
src/usr.sbin/ntpd/ntp.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
index 87b769b..625364a 100644
--- a/src/usr.sbin/ntpd/ntp.c
+++ b/src/usr.sbin/ntpd/ntp.c
@@ -121,10 +121,13 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
ntp_dns(pipe_dns, nconf, pw);
close(pipe_dns[1]);
- if (stat(pw->pw_dir, &stb) == -1)
- fatal("stat");
- if (stb.st_uid != 0 || (stb.st_mode & (S_IWGRP|S_IWOTH)) != 0)
- fatalx("bad privsep dir permissions");
+ if (stat(pw->pw_dir, &stb) == -1) {
+ fatal("privsep dir %s could not be opened", pw->pw_dir);
+ }
+ if (stb.st_uid != 0 || (stb.st_mode & (S_IWGRP|S_IWOTH)) != 0) {
+ fatalx("bad privsep dir %s permissions: %o",
+ pw->pw_dir, stb.st_mode);
+ }
if (chroot(pw->pw_dir) == -1)
fatal("chroot");
if (chdir("/") == -1)
--
1.9.1

patches/0004-EAI_NODATA-does-not-exist-everywhere.patch → patches/0002-EAI_NODATA-does-not-exist-everywhere.patch View File

@ -1,7 +1,7 @@
From 266265a2ac85afe947b787e0c991168fa0c4adc0 Mon Sep 17 00:00:00 2001
From c6101d58f26d67ea731745592b35fcb4b05f1ab3 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Tue, 30 Dec 2014 09:04:08 -0600 Date: Tue, 30 Dec 2014 09:04:08 -0600
Subject: [PATCH 04/13] EAI_NODATA does not exist everywhere
Subject: [PATCH 02/11] EAI_NODATA does not exist everywhere
FreeBSD says it is deprecated #ifdef's it out. FreeBSD says it is deprecated #ifdef's it out.
@ -15,12 +15,12 @@ portable software now has to have a special check instead.
1 file changed, 8 insertions(+), 2 deletions(-) 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index 8904bc4..677139e 100644
index cee0a12..45f2d87 100644
--- a/src/usr.sbin/ntpd/config.c --- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c +++ b/src/usr.sbin/ntpd/config.c
@@ -131,8 +131,14 @@ host_dns(const char *s, struct ntp_addr **hn)
hints.ai_family = PF_UNSPEC;
@@ -132,8 +132,14 @@ host_dns(const char *s, struct ntp_addr **hn)
hints.ai_socktype = SOCK_DGRAM; /* DUMMY */ hints.ai_socktype = SOCK_DGRAM; /* DUMMY */
/* ntpd MUST NOT use AI_ADDRCONFIG here */
error = getaddrinfo(s, NULL, &hints, &res0); error = getaddrinfo(s, NULL, &hints, &res0);
- if (error == EAI_AGAIN || error == EAI_NODATA || error == EAI_NONAME) - if (error == EAI_AGAIN || error == EAI_NODATA || error == EAI_NONAME)
- return (0); - return (0);

+ 0
- 31
patches/0002-do-not-allow-privsep-user-to-be-a-privileged-user.patch View File

@ -1,31 +0,0 @@
From 38bb78974653ef6e791f986cab561c3194f84297 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Thu, 1 Jan 2015 13:26:29 -0600
Subject: [PATCH 02/13] do not allow privsep user to be a privileged user
This may need to be a function call for different platforms with
different capability / privilege mechanisms.
---
src/usr.sbin/ntpd/ntp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
index 625364a..c8f095e 100644
--- a/src/usr.sbin/ntpd/ntp.c
+++ b/src/usr.sbin/ntpd/ntp.c
@@ -145,6 +145,12 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
conf = nconf;
setup_listeners(se, conf, &listener_cnt);
+ if (pw->pw_uid == 0 || pw->pw_gid == 0)
+ fatal("privsep user cannot be root");
+
+ if (pw->pw_uid == geteuid() || pw->pw_gid == getegid())
+ fatal("privsep user cannot be the privileged user");
+
if (setgroups(1, &pw->pw_gid) ||
setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) ||
setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid))
--
1.9.1

patches/0005-Use-LOG_NTP-syslog-facility-if-it-is-available.patch → patches/0003-Use-LOG_NTP-syslog-facility-if-it-is-available.patch View File

@ -1,7 +1,7 @@
From 125039fad99de2ad2ac0c0738c692dae14c48bfb Mon Sep 17 00:00:00 2001
From 5ff8767d8c59f65d4e2706cdb2a241e031f204f5 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Mon, 12 Jan 2015 21:16:54 -0600 Date: Mon, 12 Jan 2015 21:16:54 -0600
Subject: [PATCH 05/13] Use LOG_NTP syslog facility if it is available
Subject: [PATCH 03/11] Use LOG_NTP syslog facility if it is available
FreeBSD PR: 114191 FreeBSD PR: 114191
Submitted by: Robert Archer <freebsd@deathbeforedecaf.net> Submitted by: Robert Archer <freebsd@deathbeforedecaf.net>

patches/0006-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch → patches/0004-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch View File

@ -1,14 +1,14 @@
From c7bfa2373a06fbed91ca35cac664b1b92cf6a8d0 Mon Sep 17 00:00:00 2001
From b670f88c2b3aebb8b338aa855193ddd8c06d6319 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Tue, 30 Dec 2014 09:02:50 -0600 Date: Tue, 30 Dec 2014 09:02:50 -0600
Subject: [PATCH 06/13] conditionally fill in sin_len/sin6_len if they exist
Subject: [PATCH 04/11] conditionally fill in sin_len/sin6_len if they exist
--- ---
src/usr.sbin/ntpd/config.c | 8 ++++++++ src/usr.sbin/ntpd/config.c | 8 ++++++++
1 file changed, 8 insertions(+) 1 file changed, 8 insertions(+)
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index 677139e..9777110 100644
index 45f2d87..b3d198e 100644
--- a/src/usr.sbin/ntpd/config.c --- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c +++ b/src/usr.sbin/ntpd/config.c
@@ -71,7 +71,9 @@ host_v4(const char *s) @@ -71,7 +71,9 @@ host_v4(const char *s)
@ -31,7 +31,7 @@ index 677139e..9777110 100644
sa_in6->sin6_family = AF_INET6; sa_in6->sin6_family = AF_INET6;
memcpy(&sa_in6->sin6_addr, memcpy(&sa_in6->sin6_addr,
&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr, &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr,
@@ -154,12 +158,16 @@ host_dns(const char *s, struct ntp_addr **hn)
@@ -155,12 +159,16 @@ host_dns(const char *s, struct ntp_addr **hn)
h->ss.ss_family = res->ai_family; h->ss.ss_family = res->ai_family;
if (res->ai_family == AF_INET) { if (res->ai_family == AF_INET) {
sa_in = (struct sockaddr_in *)&h->ss; sa_in = (struct sockaddr_in *)&h->ss;

patches/0007-check-if-rdomain-support-is-available.patch → patches/0005-check-if-rdomain-support-is-available.patch View File

@ -1,7 +1,7 @@
From c8bac970282975fd81542dcf5173e5ffdad545c3 Mon Sep 17 00:00:00 2001
From b911b4bf173e66a3d8c4a1323e89343d2957eb61 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Tue, 30 Dec 2014 09:05:46 -0600 Date: Tue, 30 Dec 2014 09:05:46 -0600
Subject: [PATCH 07/13] check if rdomain support is available.
Subject: [PATCH 05/11] check if rdomain support is available.
Handle FreeBSD's calling rdomain 'FIB'. Handle FreeBSD's calling rdomain 'FIB'.
- from naddy@openbsd.org - from naddy@openbsd.org

patches/0008-update-ntpd.conf-to-indicate-OS-dependent-options.patch → patches/0006-update-ntpd.conf-to-indicate-OS-dependent-options.patch View File

@ -1,7 +1,7 @@
From 9a2a22b3714bdb398f9b03a64d91aecbdd9b5fc0 Mon Sep 17 00:00:00 2001
From f6ca535f9c7d8094633465d44d974495a0d3a5c6 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Tue, 30 Dec 2014 09:20:03 -0600 Date: Tue, 30 Dec 2014 09:20:03 -0600
Subject: [PATCH 08/13] update ntpd.conf to indicate OS-dependent options
Subject: [PATCH 06/11] update ntpd.conf to indicate OS-dependent options
Also, clarify listening behavior based on a patch from Also, clarify listening behavior based on a patch from
Dererk <dererk@debian.org> Dererk <dererk@debian.org>

patches/0009-allow-overriding-default-user-and-file-locations.patch → patches/0007-allow-overriding-default-user-and-file-locations.patch View File

@ -1,7 +1,7 @@
From 2e60189298e177d811c4574bf07b4721361d306b Mon Sep 17 00:00:00 2001
From 8cfcaaf084e9969730f3291733430098de80c3ec Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Thu, 1 Jan 2015 07:18:11 -0600 Date: Thu, 1 Jan 2015 07:18:11 -0600
Subject: [PATCH 09/13] allow overriding default user and file locations
Subject: [PATCH 07/11] allow overriding default user and file locations
Allow the build process to override the default ntpd file paths and Allow the build process to override the default ntpd file paths and
default user. default user.

patches/0010-add-p-option-to-create-a-pid-file.patch → patches/0008-add-p-option-to-create-a-pid-file.patch View File

@ -1,7 +1,7 @@
From ff82cc8278eafc04ee00f1e847c7424d857b2907 Mon Sep 17 00:00:00 2001
From f284fcbe288ed0a227a44cdd715b1c5668d4b112 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Wed, 31 Dec 2014 08:26:41 -0600 Date: Wed, 31 Dec 2014 08:26:41 -0600
Subject: [PATCH 10/13] add -p option to create a pid file
Subject: [PATCH 08/11] add -p option to create a pid file
This is used in both the Gentoo and Debian ports. This is used in both the Gentoo and Debian ports.

patches/0011-initialize-setproctitle-where-needed.patch → patches/0009-initialize-setproctitle-where-needed.patch View File

@ -1,7 +1,7 @@
From 026e34d46265334276120711dc80f42ea20c3b82 Mon Sep 17 00:00:00 2001
From 3208d0b0529a09765c0674cbc4c57ab26ab30fc9 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Mon, 12 Jan 2015 06:18:31 -0600 Date: Mon, 12 Jan 2015 06:18:31 -0600
Subject: [PATCH 11/13] initialize setproctitle where needed
Subject: [PATCH 09/11] initialize setproctitle where needed
We need to save a copy of argv and __progname to avoid setproctitle We need to save a copy of argv and __progname to avoid setproctitle
clobbering them. clobbering them.

patches/0012-document-SIGUSR1-fallback-if-SIGINFO-is-not-implemen.patch → patches/0010-document-SIGUSR1-fallback-if-SIGINFO-is-not-implemen.patch View File

@ -1,7 +1,7 @@
From 0763f9baeb5f915dce6da779cc57a6e374f92cf7 Mon Sep 17 00:00:00 2001
From 51d62c2c4c019ee1e5db2fef7a53df602b76d646 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Mon, 12 Jan 2015 21:17:35 -0600 Date: Mon, 12 Jan 2015 21:17:35 -0600
Subject: [PATCH 12/13] document SIGUSR1 fallback if SIGINFO is not
Subject: [PATCH 10/11] document SIGUSR1 fallback if SIGINFO is not
implemented. implemented.
--- ---

patches/0013-log-context-of-all-fatal-allocations.patch → patches/0011-log-context-of-all-fatal-allocations.patch View File

@ -1,7 +1,7 @@
From a53fb3d0ccb42e59b0ce2e3fa6f141da106a7294 Mon Sep 17 00:00:00 2001
From 707c861ce1cb0168aced9d796d44dafb95a841ab Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Mon, 19 Jan 2015 04:37:59 -0600 Date: Mon, 19 Jan 2015 04:37:59 -0600
Subject: [PATCH 13/13] log context of all fatal allocations
Subject: [PATCH 11/11] log context of all fatal allocations
--- ---
src/usr.sbin/ntpd/config.c | 8 ++++---- src/usr.sbin/ntpd/config.c | 8 ++++----
@ -12,7 +12,7 @@ Subject: [PATCH 13/13] log context of all fatal allocations
5 files changed, 15 insertions(+), 15 deletions(-) 5 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index 9777110..56b50d2 100644
index b3d198e..77af63c 100644
--- a/src/usr.sbin/ntpd/config.c --- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c +++ b/src/usr.sbin/ntpd/config.c
@@ -41,7 +41,7 @@ host(const char *s, struct ntp_addr **hn) @@ -41,7 +41,7 @@ host(const char *s, struct ntp_addr **hn)
@ -42,7 +42,7 @@ index 9777110..56b50d2 100644
sa_in6 = (struct sockaddr_in6 *)&h->ss; sa_in6 = (struct sockaddr_in6 *)&h->ss;
#ifdef SIN6_LEN #ifdef SIN6_LEN
sa_in6->sin6_len = sizeof(struct sockaddr_in6); sa_in6->sin6_len = sizeof(struct sockaddr_in6);
@@ -154,7 +154,7 @@ host_dns(const char *s, struct ntp_addr **hn)
@@ -155,7 +155,7 @@ host_dns(const char *s, struct ntp_addr **hn)
res->ai_family != AF_INET6) res->ai_family != AF_INET6)
continue; continue;
if ((h = calloc(1, sizeof(struct ntp_addr))) == NULL) if ((h = calloc(1, sizeof(struct ntp_addr))) == NULL)
@ -52,7 +52,7 @@ index 9777110..56b50d2 100644
if (res->ai_family == AF_INET) { if (res->ai_family == AF_INET) {
sa_in = (struct sockaddr_in *)&h->ss; sa_in = (struct sockaddr_in *)&h->ss;
diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
index c8f095e..7db98f6 100644
index 4a0d09b..3558ec6 100644
--- a/src/usr.sbin/ntpd/ntp.c --- a/src/usr.sbin/ntpd/ntp.c
+++ b/src/usr.sbin/ntpd/ntp.c +++ b/src/usr.sbin/ntpd/ntp.c
@@ -112,7 +112,7 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf, @@ -112,7 +112,7 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
@ -64,7 +64,7 @@ index c8f095e..7db98f6 100644
hotplugfd = sensor_hotplugfd(); hotplugfd = sensor_hotplugfd();
close(pipe_prnt[0]); close(pipe_prnt[0]);
@@ -166,10 +166,10 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
@@ -160,10 +160,10 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
signal(SIGCHLD, SIG_DFL); signal(SIGCHLD, SIG_DFL);
if ((ibuf_main = malloc(sizeof(struct imsgbuf))) == NULL) if ((ibuf_main = malloc(sizeof(struct imsgbuf))) == NULL)
@ -77,7 +77,7 @@ index c8f095e..7db98f6 100644
imsg_init(ibuf_dns, pipe_dns[0]); imsg_init(ibuf_dns, pipe_dns[0]);
TAILQ_FOREACH(p, &conf->ntp_peers, entry) TAILQ_FOREACH(p, &conf->ntp_peers, entry)
@@ -508,7 +508,7 @@ ntp_dispatch_imsg_dns(void)
@@ -502,7 +502,7 @@ ntp_dispatch_imsg_dns(void)
while (dlen >= sizeof(struct sockaddr_storage)) { while (dlen >= sizeof(struct sockaddr_storage)) {
if ((h = calloc(1, sizeof(struct ntp_addr))) == if ((h = calloc(1, sizeof(struct ntp_addr))) ==
NULL) NULL)
