diff --git a/ROSA-NEWS b/ROSA-NEWS
index 06882c8..eb924ee 100644
--- a/ROSA-NEWS
+++ b/ROSA-NEWS
@@ -11,7 +11,6 @@ https://www.freedesktop.org/wiki/Software/systemd/syslog/ says:
 * dhcpd user was added on package installation (dhcp-server), but dhcpd was actually ran from root, not dhcpd
 * use sysusers.d(5) (config isc-dhcpd.conf) instaed of manually created dhcpd user
 * migration: delete dhcpd user on package uninstallation
-* the same for dhclient (isc-dhcp-client.conf) (will it work from not root?)
 * /etc/sysconfig/dhcp6 called in dhcpd6.service did not exist (dhcpd6.service was broken); let's use copy /etc/sysconfig/dhcpd to /etc/sysconfig/dhcpd6
diff --git a/dhclient@.service b/dhclient@.service
index 76f4923..de70b16 100644
--- a/dhclient@.service
+++ b/dhclient@.service
@@ -6,12 +6,15 @@ Before=network.target
 [Service]
 ExecStart=/usr/sbin/dhclient -lf /var/lib/dhclient/dhclient.leases -pf /run/dhclient@%i/dhclient.pid -d %I
 RuntimeDirectory=dhclient@%i
-User=isc-dhcp-client
-ProtectSystem=yes
-ProtectHome=yes
-ReadWritePaths=/var/lib/dhclient/
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectSystem=
+# /var is not read-only
+ProtectSystem=true
+ProtectHome=true
 RestartSec=2s
 Restart=on-failure
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ReadWritePaths=
+CapabilityBoundingSet=~CAP_SYS_ADMIN
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target
diff --git a/dhcp.spec b/dhcp.spec
index 8d301db..45088a0 100644
--- a/dhcp.spec
+++ b/dhcp.spec
@@ -28,7 +28,7 @@ Source18: dhclient.tmpfiles
 Source19: dhcrelay.tmpfiles
 # sysusers.d(5) (systemd-sysusers)
 Source20: isc-dhcpd.conf
-Source21: isc-dhcp-client.conf
+#Source21: isc-dhcp-client.conf
 # Per-interface dhclient service from Arch Linux (modified)
 Source22: dhclient@.service
 Source100: ROSA-NEWS
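Review bot: In the dhclient@.service hunk, removing `User=isc-dhcp-client` makes the unit run as root, so the added `AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW` gives it nothing root does not already hold, and `CapabilityBoundingSet=~CAP_SYS_ADMIN` is a denylist that removes one capability and leaves the rest of root's set (CAP_DAC_OVERRIDE, CAP_SYS_MODULE, CAP_SYS_PTRACE and so on) to dhclient and to whatever dhclient-script runs. An allowlist would confine a daemon that parses DHCP replies from the network far better, for example `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_NET_ADMIN` together with `NoNewPrivileges=true`; the exact set has to be checked against what this distribution's dhclient-script does (setting the hostname, for instance, needs CAP_SYS_ADMIN, which the new line already takes away). The comment `# https://…/systemd.exec.html#ReadWritePaths=` now sits directly above `CapabilityBoundingSet=` although `ReadWritePaths=` was dropped, so it should point at the `CapabilityBoundingSet=` documentation or be removed. The `[Unit]` part of the file lies outside the hunk.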
@@ -209,7 +209,7 @@ install -D -p -m 644 %{SOURCE19} %{buildroot}%{_tmpfilesdir}/dhcrelay.conf
 install -d %{buildroot}%{_sysusersdir}
 install -m 644 %{SOURCE20} %{buildroot}%{_sysusersdir}/
-install -m 644 %{SOURCE21} %{buildroot}%{_sysusersdir}/
+#install -m 644 %{SOURCE21} %{buildroot}%{_sysusersdir}/
 install -m 755 %{SOURCE7} %{SOURCE8} %{buildroot}%{_sbindir}
 install -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}
@@ -313,10 +313,10 @@ EOF
 %post client
 # migrate from root:root as it was before ROSA package v4.4.1
 # create this directory if it does not esist and then chmod it to allow dhcpd to work properly
-%sysusers_create isc-dhcp-client.conf
+#%sysusers_create isc-dhcp-client.conf
 [ ! -d %{var_dhclient}/ ] && mkdir -p %{var_dhclient}/
 touch %{var_dhclient}/dhclient.leases || true
-[ -d %{var_dhclient} ] && chown -R isc-dhcp-client:isc-dhcp-client %{var_dhclient}/
+#[ -d %{var_dhclient} ] && chown -R isc-dhcp-client:isc-dhcp-client %{var_dhclient}/
 %tmpfiles_create dhclient.conf
 %postun client
diff --git a/dhcpd.service b/dhcpd.service
index 4bacf76..1ed184e 100644
--- a/dhcpd.service
+++ b/dhcpd.service
@@ -14,7 +14,7 @@ PIDFile=/run/dhcpd/dhcpd.pid
 User=isc-dhcpd
 AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW
 ProtectSystem=full
-ProtectHome=on
+ProtectHome=true
 KillSignal=SIGINT
 # We pull in network-online.target for a configured network connection.
 # However this is not guaranteed to be the network connection our
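Review bot: The line `#%sysusers_create isc-dhcp-client.conf` in `%post client` is not inert, because rpm expands macros inside `#` comment lines; if `%sysusers_create` is a multi-line macro on this distribution (its definition is not on this page, but upstream systemd's rpm macros define it that way), only the first expanded line is commented and the rest still runs in the scriptlet, now against a sysusers file the package no longer ships. Delete the line or escape it as `#%%sysusers_create isc-dhcp-client.conf`; the commented `install` line in the previous hunk and the commented `chown` here expand to a single line and at most cause a build warning. Separately, hosts upgraded from the previous build keep `%{var_dhclient}` owned by `isc-dhcp-client`, while the dhclient@.service change in this commit drops `User=` and so a root process reads its lease file from there; the migration should hand the directory back, e.g. `[ -d %{var_dhclient} ] && chown -R root:root %{var_dhclient}/`, and the "migrate from root:root" comment above should be updated to match. The `%postun client` scriptlet continues outside the hunk.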