From 8fd99ad4d0f514d51a5e15dc384d30832e377159 Mon Sep 17 00:00:00 2001
From: Petr Menšík
Date: Jun 27 2018 16:29:45 +0000
Subject: Change named shell to /bin/false
Related: rhbz#1569466
Signed-off-by: Petr Menšík
(cherry picked from commit 5c4c792b8d3218898989ab2515197c8f39dd11cf)
---
diff --git a/bind.spec b/bind.spec
index b83b918..fd837e7 100644
--- a/bind.spec
+++ b/bind.spec
@@ -102,6 +102,9 @@ Requires(preun): systemd
 Requires(postun): systemd
 Requires: coreutils
 Requires(pre): shadow-utils
+Requires(post): shadow-utils
+Requires(post): glibc-common
+Requires(post): grep
 Requires: bind-libs%{?_isa} = %{epoch}:%{version}-%{release}
 Obsoletes: bind-config < 30:9.3.2-34.fc6
 Provides: bind-config = 30:9.3.2-34.fc6
@@ -697,20 +700,25 @@ install -m 644 %{SOURCE43} ${RPM_BUILD_ROOT}%{_sysconfdir}/rwtab.d/named
 %pre
 if [ "$1" -eq 1 ]; then
 /usr/sbin/groupadd -g %{bind_gid} -f -r named >/dev/null 2>&1 || :;
- /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /sbin/nologin -d /var/named -c Named named >/dev/null 2>&1 || :;
+ /usr/sbin/useradd -u %{bind_uid} -r -N -M -g named -s /bin/false -d /var/named -c Named named >/dev/null 2>&1 || :;
 fi;
 :;
 %post
 /sbin/ldconfig
-%systemd_post named.service
 if [ "$1" -eq 1 ]; then
 # Initial installation
 [ -x /sbin/restorecon ] && /sbin/restorecon /etc/rndc.* /etc/named.* >/dev/null 2>&1 ;
 # rndc.key has to have correct perms and ownership, CVE-2007-6283
 [ -e /etc/rndc.key ] && chown root:named /etc/rndc.key
 [ -e /etc/rndc.key ] && chmod 0640 /etc/rndc.key
+else
+ # Upgrade, use invalid shell
+ if getent passwd named | grep ':/sbin/nologin$' >/dev/null; then
+ usermod -s /bin/false named
+ fi
 fi
+%systemd_post named.service
 :;
 %preun
@@ -1144,6 +1152,7 @@ rm -rf ${RPM_BUILD_ROOT}
 %changelog
 * Fri May 25 2018 Petr Menšík - 32:9.11.3-5
 - Make named home writeable (#1422680)
+- Change named shell to /bin/false
 * Thu Apr 05 2018 Petr Menšík - 32:9.11.3-4
 - Do not link libidn2 to all libraries (#1098783)
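Review bot: The upgrade branch added to `%post` runs `usermod` with no handling of failure, and it calls `getent`, `grep` and `usermod` through PATH while the neighbouring scriptlet lines use absolute paths such as `/usr/sbin/useradd` and `/sbin/restorecon`. `getent passwd` answers from every configured NSS source but `usermod` edits only the local account files, so on a host where `named` is not a local account the command fails and the account keeps its old shell with nothing from the package naming the cause. I would write `/usr/sbin/usermod -s /bin/false named || echo "bind: could not change the shell of named" >&2` so that the failed change is visible in the transaction output. A comment such as `# only the package's former default /sbin/nologin is rewritten; any other shell is left as the administrator set it` would record why the `grep` pattern is anchored to that one value, if that is the intent.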