[Buildroot] [PATCH 1/1] package/dhcp: add security options to DHCP server
Yann E. MORIN
yann.morin.1998 at free.fr
Thu Apr 28 15:51:12 UTC 2022
Andreas, All,
On 2022-04-28 09:46 +0200, Andreas Ehmanns spake thusly:
> I was trying to make the ISC dhcp daemon more secure by using the
> -user and -group options to let the dhcp server run as a non-root user.
> Unfortunately these options are not available when building the ISC dhcp
> server with buildroot.
> The reason is that the configure script must be called with the
> option --enable-paranoia to activate these options. But this option
> is not set in the dhcp.mk file.
>
> To be backward compatible I added a new option to the dhcp's Config.in
> file to enable this feature when desired and parse this option in
> dhcp.mk.
>
> Signed-off-by: Andreas Ehmanns <universeiii at gmx.de>
> ---
> package/dhcp/Config.in | 8 ++++++++
> package/dhcp/dhcp.mk | 4 ++++
> 2 files changed, 12 insertions(+)
>
> diff --git a/package/dhcp/Config.in b/package/dhcp/Config.in
> index e0706efafb..5cf7af82de 100644
> --- a/package/dhcp/Config.in
> +++ b/package/dhcp/Config.in
> @@ -25,6 +25,14 @@ config BR2_PACKAGE_DHCP_SERVER_DELAYED_ACK
> help
> Enable delayed ACK feature in the ISC DHCP server.
>
> +config BR2_PACKAGE_DHCP_SERVER_ENABLE_PARANOIA
> + bool "Enable paranoia options"
> + depends on BR2_PACKAGE_DHCP_SERVER
> + help
> + Add option --enable-paranoia to configure script. This activates
> + additional server options (-user, -group and -chroot) to make
> + dhcp server more secure.
$ make check-package
package/dhcp/Config.in:32: help text: <tab><2 spaces><62 chars>
(http://nightly.buildroot.org/#writing-rules-config-in)
Applied to master with that fixed, thanks.
Regards,
Yann E. MORIN.
> +
> config BR2_PACKAGE_DHCP_RELAY
> bool "dhcp relay"
> help
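Review bot: The help text of BR2_PACKAGE_DHCP_SERVER_ENABLE_PARANOIA ends with "to make dhcp server more secure", which reads as if selecting the symbol already hardens the daemon, while the same text says it only activates the -user, -group and -chroot options. Suggest stating in the help that these options must be passed on the server command line to take effect, so that nobody enables the symbol and assumes privileges are already dropped.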
> diff --git a/package/dhcp/dhcp.mk b/package/dhcp/dhcp.mk
> index f815c6c802..b73137506d 100644
> --- a/package/dhcp/dhcp.mk
> +++ b/package/dhcp/dhcp.mk
> @@ -78,6 +78,10 @@ ifeq ($(BR2_PACKAGE_DHCP_SERVER_DELAYED_ACK),y)
> DHCP_CONF_OPTS += --enable-delayed-ack
> endif
>
> +ifeq ($(BR2_PACKAGE_DHCP_SERVER_ENABLE_PARANOIA),y)
> +DHCP_CONF_OPTS += --enable-paranoia
> +endif
> +
> define DHCP_INSTALL_LIBS
> $(MAKE) -C $(@D)/bind install-bind DESTDIR=$(TARGET_DIR)
> $(MAKE) -C $(@D)/common install-exec DESTDIR=$(TARGET_DIR)
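Review bot: The new ifeq block for BR2_PACKAGE_DHCP_SERVER_ENABLE_PARANOIA stops at appending --enable-paranoia to DHCP_CONF_OPTS, and the diffstat lists only Config.in and dhcp.mk, so nothing in this patch creates an unprivileged account or passes -user/-group when the server is started. Consider a follow-up that, under the same symbol, declares a dedicated account through the package's DHCP_USERS variable and documents or wires the startup arguments; otherwise the image gains the options but the daemon still runs as root by default.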
> --
> 2.26.2
>
> _______________________________________________
> buildroot mailing list
> buildroot at buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'