kea-packaging issues
https://gitlab.isc.org/isc-projects/kea-packaging/-/issues
2024-03-28T14:59:24Z

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/23
kea-dhcp4 changes filesystem access permissions on log directory
2024-03-28T14:59:24Z
Author: Carsten Strotmann

---
name: kea-dhcp4 changes filesystem access permissions on log directory
about: Create a report to help us improve
---
**Describe the bug**
Kea-DHCP4 changes the access permissions on the directory for logfiles in the logger statement. It removes "read" and "execute/list" (r-x) permissions for "other".
**To Reproduce**
* Change the access permissions on the log directory so that all users/processes can read/list the log directory
* Restart Kea-DHCP
* List the access permissions on the log directory. The access permissions for "other" are removed.
**Expected behavior**
Kea-DHCP4 (possibly other Kea processes as well) will not touch the access permissions on the log directory.
**Environment:**
- Kea version:
2.4.1
tarball
linked with:
log4cplus 1.2.0
OpenSSL 1.1.1k FIPS 25 Mar 2021
database:
MySQL backend 19.0, library 10.5.5
PostgreSQL backend 18.0, library 130011
Memfile backend 3.0
- Red Hat EL 8 x86_64 (ISC Open Source Packages)
**Additional Information**
Use case: Stork agent cannot read the Kea-DHCP4 logfile in the standard configuration (as delivered in the ISC provided open source RPM packages).
This issue has been found while trying to give the stork-agent access to the Kea-DHCP4 logfile.
**Workaround:**
Change the group ownership of the logfile to group name "kea", then change the systemd-unit for "isc-stork-agent" to start the stork-agent as group "kea".
```
[Service]
Group=kea
...
```
If the removal of the access permissions for "other" is to be expected (no bug), then I recommend adjusting the stork-agent systemd unit to have stork-agent started with permissions that allow access to the Kea log files.

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/22
ownership and privileges in deb and rpm
2024-02-14T13:30:51Z
Author: Wlodzimierz Wencel

There are some things we probably should do in all packages.
- [ ] installed config files should be owned by kea, but should it be also owned by group kea, or root?
- [ ] remove all x (other) privileges from binaries in rpm/deb
- [ ] check if all created directories have ownership set to `kea` (`_kea` user) otherwise it may have problems to start/exit

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/21
kea-dhcp4 from deb can't open raw sockets under _kea user
2023-10-25T08:01:16Z
Author: Wlodzimierz Wencel

Work on docker revealed another issue with our packages, kea-dhcp4 service in deb package can't open RAW socket under `_kea` user it is supposed to use.

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/20
move radius hook based on freeradius to old_radius hook and introduce new pkg for new radius
2023-09-25T13:53:29Z
Author: Wlodzimierz Wencel

i

Assignee: Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/19
backport fixes to v2_4
2023-10-02T12:03:52Z
Author: Wlodzimierz Wencel

Backport fixes included in:
* isc-projects/kea-packaging!52
* isc-projects/kea-packaging!50
* isc-projects/kea-packaging!45

Assignee: Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/18
deb packages can't be upgraded from older versions to new names (post 2.3.3)
2023-09-21T10:55:02Z
Author: Wlodzimierz Wencel

```
Unpacking isc-kea-admin (2.4.0-isc20230630120747) over (1.8.2-isc0001520201206093433) ...
dpkg: error processing archive /var/cache/apt/archives/isc-kea-admin_2.4.0-isc20230630120747_amd64.deb (--unpack):
trying to overwrite '/usr/sbin/kea-shell', which is also in package isc-kea-ctrl-agent 1.8.2-isc0001520201206093433
dpkg-deb: error: paste subprocess was killed by signal (Broken pipe)
Errors were encountered while processing:
/var/cache/apt/archives/isc-kea-admin_2.4.0-isc20230630120747_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
```
* First issue:
`kea-shell` was moved from `isc-kea-ctrl-agent` to `isc-kea-admin`. New `isc-kea-admin` package does not set `Breaks` statement correctly.
* Second issue:
Services are getting masked after upgrade.
Workarounds:
Before kea upgrade, remove `isc-kea-ctrl-agent` pkg
```
sudo apt update
sudo apt remove isc-kea-ctrl-agent
sudo apt dist-upgrade
sudo apt install isc-kea-ctrl-agent
```
Unmask services:
```
sudo systemctl unmask isc-kea-dhcp-ddns-server && \
sudo systemctl enable isc-kea-dhcp-ddns-server && \
sudo systemctl start isc-kea-dhcp-ddns-server && \
sudo systemctl status isc-kea-dhcp-ddns-server && \
sudo systemctl unmask isc-kea-dhcp4-server && \
sudo systemctl enable isc-kea-dhcp4-server && \
sudo systemctl start isc-kea-dhcp4-server && \
sudo systemctl status isc-kea-dhcp4-server && \
sudo systemctl unmask isc-kea-dhcp6-server && \
sudo systemctl enable isc-kea-dhcp6-server && \
sudo systemctl start isc-kea-dhcp6-server && \
sudo systemctl status isc-kea-dhcp6-server
```

Assignee: Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/17
Post audit: tighten access permissions for configs
2023-09-07T08:31:44Z
Author: Tomek Mrugalski

Another point after @manu's [audit](https://gitlab.isc.org/isc-private/kea/-/wikis/Kea-Security-Review-02-2023#9-limiting-permission-of-the-kea-configuration-files):
I would propose considering the following:
* [ ] put a WARNING section to the config files (close to the sections where password/key is configured) with a link to guide how to set it up correctly so the administrator has at least a chance to notice it and follow the recommendation
* [ ] let service during startup/reload if the password or key secret is present and display/log warning (?with link to the guide?)
* [ ] change access permissions to 0640 by default (instead of 0644); in other words, remove read rights for 'other'. Note: User/group ownership should be 'root' or the 'user' under which kea is running.
While the second would probably be tricky to implement, so we might skip it, proposals 1 and 3 are solid and we should do it.
This ticket is about updating the packages. Some might argue that similar action should be done for Kea sources (e.g. make sure the `make install` installs the sources with more restrictive permissions).

Assignee: Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/16
Post audit: review packages for running as root
2023-09-21T10:10:53Z
Author: Tomek Mrugalski

@manu's [audit reported](https://gitlab.isc.org/isc-private/kea/-/wikis/Kea-Security-Review-02-2023#8-run-kea-from-an-unprivileged-account) the following issue:
Kea should run from unprivileged user, when possible. At the time of his audit, Ubuntu did that. The goal of this ticket is to check all packages to see if they're running kea as non-root. If any of them still run as root, they should be updated or a good explanation why it can't be done should be described here.

Assignee: Wlodzimierz Wencel

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/10
Errors in alpine init.d file
2023-04-19T15:52:28Z
Author: Marcin Godzina

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/9
package radius hook for alpine
2023-10-18T16:52:35Z
Author: Wlodzimierz Wencel

We do not provide package for radius package for alpine. Let's change it:
* make freeradius package
* make radius hook package

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/8
Unable to build Debian packages using the content in this repo
2023-03-10T19:29:32Z
Author: Kevin Fleming

I'm trying to build Kea packages locally, on an arm64 machine since I need packages for that architecture and they aren't available in the Cloudsmith repositories.
While this repo's description says it is 'private', it's not actually private so I decided to try to use it.
Unfortunately dropping the `debian` directory from this repository into a Kea source tree and then trying to build the packages failed, because the `debian` directory contains patches which cannot be applied to Kea 2.2.x sources.
Is this repository actively in use for building Kea packages?

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/7
review alpine packages
2022-10-17T14:55:51Z
Author: Wlodzimierz Wencel

generally check if we are doing everything ok or if we can do something better :)

Assignee: Dan Theisen

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/6
Add gss-tsig hook
2021-10-07T12:17:14Z
Author: Francis Dupont

Adding a package for the gss-tsig hook.

Assignee: Francis Dupont

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/5
Add new d2srv library
2021-08-10T15:06:43Z
Author: Francis Dupont

There is a new d2srv library.

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/4
kea-admin - Scripts installed in /usr/share/kea/kea/scripts/
2021-05-20T11:59:03Z
Author: Turan Asikoglu

Can I please direct your attention to this issue? The kea-admin scripts are installed in the wrong location and is preventing many of the kea-admin commands to fail.
Alpine 3.11 and 3.12 are affected.
https://gitlab.isc.org/isc-projects/kea/-/issues/1668
Willing to give it a go myself if the project is open to merge requests.

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/3
update packages for api files.
2020-09-21T11:35:27Z
Author: Francis Dupont

Implementation of https://gitlab.isc.org/isc-projects/kea/-/issues/1268

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/1
adapt changes to alpine packages from contributors
2021-10-14T10:24:40Z
Author: Michal Nowikowski

https://github.com/jirutka/user-aports/tree/v3.10/backports/kea

Assignee: Michal Nowikowski

https://gitlab.isc.org/isc-projects/kea-packaging/-/issues/2
log pattern should be uncommented kea*.conf files in RPM packages
2020-02-04T12:19:47Z
Author: Michal Nowikowski

in kea.spec there should be added uncommenting of the pattern the same way as it is made in deb rules file

Assignee: Michal Nowikowski