upd ROSA-NEWS

ROSA-NEWS

@@ -1,22 +1,31 @@
 dhcp v4.4.1
-05.10.2018
+08.10.2018
 by mikhailnov
 
+* Dropped old patches
+* Now upstream uses built-in bind libraries, we also use them for now (they are linked statically)
+* Now it's built with KerberOS support
+
 * Removed 'After=syslog.target' from systemd service dhcpd.service
 https://www.freedesktop.org/wiki/Software/systemd/syslog/ says:
 "we do no longer recommend people to order their units after syslog.target"
-
 * Merged old ROSA's dhcpd(6).service and Arch's dhcpd{4|6}.service
+* dhclient@.service from Arch Linux, modified a bit to improve secutrity (e.g. usage: systemctl enable dhclient@enp1s0)
+* Improved security of dhcpd.service and dhcpd6.service by setting and dropping some capabilities(7)
 
 * dhcpd user was added on package installation (dhcp-server), but dhcpd was actually ran from root, not dhcpd
 * use sysusers.d(5) (config isc-dhcpd.conf) instaed of manually created dhcpd user
 * migration: delete dhcpd user on package uninstallation
 
 * /etc/sysconfig/dhcp6 called in dhcpd6.service did not exist (dhcpd6.service was broken);
-let's use copy /etc/sysconfig/dhcpd to /etc/sysconfig/dhcpd6 
-
-* TODO: Fedora's patch dhcp-paths.patch
+let's use /etc/sysconfig/dhcpd for both IPv4 and IPv6
 
 * /var/lib/dhcpd and /var/lib/dhclient are now defined as variables in the RPM spec
+Note: they are hardcoded in systemd units
 
-* dhclient@.service from Arch Linux, added: 'User=isc-dhcp-client', - to run dhclient from not root (requires testing)
+* TODO(?): Fedora's patch dhcp-paths.patch
+* TODO: should we ship a separate config of systemd tmpfiles for '/run/dhcpd'?
+Probable no, it's created automatically (https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing) 
+$ stat /run/dhcpd | grep Доступ
+Доступ: (0755/drwxr-xr-x)  Uid: (  997/isc-dhcpd)   Gid: (  997/isc-dhcpd)
+Доступ: 2018-10-08 15:15:23.618806764 +0300