extern const isc::log::MessageID DHCP4_RESPONSE_FQDN_DATA = "DHCP4_RESPONSE_FQDN_DATA";
extern const isc::log::MessageID DHCP4_RESPONSE_HOSTNAME_DATA = "DHCP4_RESPONSE_HOSTNAME_DATA";
extern const isc::log::MessageID DHCP4_RESPONSE_HOSTNAME_GENERATE = "DHCP4_RESPONSE_HOSTNAME_GENERATE";
+extern const isc::log::MessageID DHCP4_ROOT_USER_SECURITY_WARN = "DHCP4_ROOT_USER_SECURITY_WARN";
extern const isc::log::MessageID DHCP4_SECURITY_CHECKS_DISABLED = "DHCP4_SECURITY_CHECKS_DISABLED";
extern const isc::log::MessageID DHCP4_SERVER_FAILED = "DHCP4_SERVER_FAILED";
extern const isc::log::MessageID DHCP4_SERVER_INITIATED_DECLINE = "DHCP4_SERVER_INITIATED_DECLINE";
"DHCP4_RESPONSE_FQDN_DATA", "%1: including FQDN option in the server's response: %2",
"DHCP4_RESPONSE_HOSTNAME_DATA", "%1: including Hostname option in the server's response: %2",
"DHCP4_RESPONSE_HOSTNAME_GENERATE", "%1: server has generated hostname %2 for the client",
+ "DHCP4_ROOT_USER_SECURITY_WARN", "kea-dhcp4 running as root user!",
"DHCP4_SECURITY_CHECKS_DISABLED", "Invoked with command line option -X, Security checks are disabled!!",
"DHCP4_SERVER_FAILED", "server failed: %1",
"DHCP4_SERVER_INITIATED_DECLINE", "%1: Lease for addr %2 has been found to be already in use. The lease will be unavailable for %3 seconds.",
extern const isc::log::MessageID DHCP4_RESPONSE_FQDN_DATA;
extern const isc::log::MessageID DHCP4_RESPONSE_HOSTNAME_DATA;
extern const isc::log::MessageID DHCP4_RESPONSE_HOSTNAME_GENERATE;
+extern const isc::log::MessageID DHCP4_ROOT_USER_SECURITY_WARN;
extern const isc::log::MessageID DHCP4_SECURITY_CHECKS_DISABLED;
extern const isc::log::MessageID DHCP4_SERVER_FAILED;
extern const isc::log::MessageID DHCP4_SERVER_INITIATED_DECLINE;
An DHCPOFFER for the 0.0.0.0 address was generated for a client requesting
the v6-only-preferred (108) option but the option is not in the response as
expected: the erroneous response is dropped, the discover query is displayed.
+
+% DHCP4_SECURITY_CHECKS_DISABLED Invoked with command line option -X, Security checks are disabled!!
+This warning is emitted when internal security checks normally
+performed by kea-dhcp4 have been disabled via command line option '-X'.
+This means the server is not enforcing restrictions on resource
+paths or permissions. This mode of operation may expose your
+environment to security vulnerabilities and should only be used
+after careful consideration.
+
+% DHCP4_ROOT_USER_SECURITY_WARN kea-dhcp4 running as root user!
+This warning is emitted when kea-dhcp4 is running as a root user.
+While the server will function fully, this mode of operation may
+expose your environment to security vulnerabilities and should
+only be used after careful consideration.
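Review bot: The DHCP4_ROOT_USER_SECURITY_WARN description tells the operator that running as root is risky but not what to do instead, so the warning is hard to act on. A closing sentence such as `Consider running the server under a dedicated unprivileged account that holds only the privileges it needs to open its sockets.` would make it actionable. The kea-dhcp6 and DCTL descriptions added later in this change have the same gap, and the kea-dhcp6 text ends "careful consideration" without its final period.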
LOG_WARN(dhcp4_logger, DHCP4_DEVELOPMENT_VERSION);
}
+ if (amRoot()) {
+ LOG_WARN(dhcp4_logger, DHCP4_ROOT_USER_SECURITY_WARN);
+ }
+
if (!PathChecker::shouldEnforceSecurity()) {
LOG_WARN(dhcp4_logger, DHCP4_SECURITY_CHECKS_DISABLED);
}
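Review bot: The new check calls `amRoot()` unqualified here and in the kea-dhcp6 hunk, while the controller hunk writes `file::amRoot()`. The unqualified form presumably relies on a using-directive that this hunk does not show. Spelling it `if (file::amRoot()) {` (or the fully qualified name) in all three places would keep the call sites consistent and make the origin of a security-relevant check obvious to a reader. The enclosing function starts and ends outside the hunk.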
extern const isc::log::MessageID DHCP6_REQUIRED_OPTIONS_CHECK_FAIL = "DHCP6_REQUIRED_OPTIONS_CHECK_FAIL";
extern const isc::log::MessageID DHCP6_RESERVATIONS_LOOKUP_FIRST_ENABLED = "DHCP6_RESERVATIONS_LOOKUP_FIRST_ENABLED";
extern const isc::log::MessageID DHCP6_RESPONSE_DATA = "DHCP6_RESPONSE_DATA";
+extern const isc::log::MessageID DHCP6_ROOT_USER_SECURITY_WARN = "DHCP6_ROOT_USER_SECURITY_WARN";
extern const isc::log::MessageID DHCP6_SECURITY_CHECKS_DISABLED = "DHCP6_SECURITY_CHECKS_DISABLED";
extern const isc::log::MessageID DHCP6_SERVER_FAILED = "DHCP6_SERVER_FAILED";
extern const isc::log::MessageID DHCP6_SHUTDOWN = "DHCP6_SHUTDOWN";
"DHCP6_REQUIRED_OPTIONS_CHECK_FAIL", "%1: %2 message received from %3 failed the following check: %4",
"DHCP6_RESERVATIONS_LOOKUP_FIRST_ENABLED", "Multi-threading is enabled and host reservations lookup is always performed first.",
"DHCP6_RESPONSE_DATA", "%1: responding with packet %2 (type %3), packet details: %4",
+ "DHCP6_ROOT_USER_SECURITY_WARN", "kea-dhcp6 running as root user!",
"DHCP6_SECURITY_CHECKS_DISABLED", "Invoked with command line option -X, Security checks are disabled!!",
"DHCP6_SERVER_FAILED", "server failed: %1",
"DHCP6_SHUTDOWN", "server shutdown",
extern const isc::log::MessageID DHCP6_REQUIRED_OPTIONS_CHECK_FAIL;
extern const isc::log::MessageID DHCP6_RESERVATIONS_LOOKUP_FIRST_ENABLED;
extern const isc::log::MessageID DHCP6_RESPONSE_DATA;
+extern const isc::log::MessageID DHCP6_ROOT_USER_SECURITY_WARN;
extern const isc::log::MessageID DHCP6_SECURITY_CHECKS_DISABLED;
extern const isc::log::MessageID DHCP6_SERVER_FAILED;
extern const isc::log::MessageID DHCP6_SHUTDOWN;
use it to extend their leases. As a result, they will have to go through
a rebinding phase to re-acquire their leases and associate them with a
new server id.
+
+% DHCP6_SECURITY_CHECKS_DISABLED Invoked with command line option -X, Security checks are disabled!!
+This warning is emitted when internal security checks normally
+performed by kea-dhcp6 have been disabled via command line option '-X'.
+This means the server is not enforcing restrictions on resource
+paths or permissions. This mode of operation may expose your
+environment to security vulnerabilities and should only be used
+after careful consideration.
+
+% DHCP6_ROOT_USER_SECURITY_WARN kea-dhcp6 running as root user!
+This warning is emitted when kea-dhcp6 is running as a root user.
+While the server will function fully, this mode of operation may
+expose your environment to security vulnerabilities and should
+only be used after careful consideration
LOG_WARN(dhcp6_logger, DHCP6_DEVELOPMENT_VERSION);
}
+ if (amRoot()) {
+ LOG_WARN(dhcp6_logger, DHCP6_ROOT_USER_SECURITY_WARN);
+ }
+
if (!PathChecker::shouldEnforceSecurity()) {
LOG_WARN(dhcp6_logger, DHCP6_SECURITY_CHECKS_DISABLED);
}
.arg(getpid())
.arg(VERSION)
.arg(PACKAGE_VERSION_TYPE);
+
// When it is not a stable version dissuade use in production.
if (std::string(PACKAGE_VERSION_TYPE) == "development") {
LOG_WARN(dctl_logger, DCTL_DEVELOPMENT_VERSION);
}
+
+ if (file::amRoot()) {
+ LOG_WARN(dctl_logger, DCTL_ROOT_USER_SECURITY_WARN)
+ .arg(app_name_);
+ }
+
try {
// Step 2 is to create and initialize the application process object.
initProcess();
extern const isc::log::MessageID DCTL_PARSER_FAIL = "DCTL_PARSER_FAIL";
extern const isc::log::MessageID DCTL_PID_FILE_ERROR = "DCTL_PID_FILE_ERROR";
extern const isc::log::MessageID DCTL_PROCESS_FAILED = "DCTL_PROCESS_FAILED";
+extern const isc::log::MessageID DCTL_ROOT_USER_SECURITY_WARN = "DCTL_ROOT_USER_SECURITY_WARN";
extern const isc::log::MessageID DCTL_RUN_PROCESS = "DCTL_RUN_PROCESS";
extern const isc::log::MessageID DCTL_SHUTDOWN = "DCTL_SHUTDOWN";
extern const isc::log::MessageID DCTL_SHUTDOWN_SIGNAL_RECVD = "DCTL_SHUTDOWN_SIGNAL_RECVD";
"DCTL_PARSER_FAIL", "Parser error: %1",
"DCTL_PID_FILE_ERROR", "%1 could not create a PID file: %2",
"DCTL_PROCESS_FAILED", "%1 application execution failed: %2",
+ "DCTL_ROOT_USER_SECURITY_WARN", "%1 running as root user!",
"DCTL_RUN_PROCESS", "%1 starting application event loop",
"DCTL_SHUTDOWN", "%1 has shut down, pid: %2, version: %3",
"DCTL_SHUTDOWN_SIGNAL_RECVD", "OS signal %1 received, starting shutdown",
extern const isc::log::MessageID DCTL_PARSER_FAIL;
extern const isc::log::MessageID DCTL_PID_FILE_ERROR;
extern const isc::log::MessageID DCTL_PROCESS_FAILED;
+extern const isc::log::MessageID DCTL_ROOT_USER_SECURITY_WARN;
extern const isc::log::MessageID DCTL_RUN_PROCESS;
extern const isc::log::MessageID DCTL_SHUTDOWN;
extern const isc::log::MessageID DCTL_SHUTDOWN_SIGNAL_RECVD;
not comply with the supported path. The server will still
use the specified path but is warning that doing so may pose a
security risk.
+
+% DCTL_ROOT_USER_SECURITY_WARN %1 running as root user!
+This warning is emitted when the server is running as a root user.
+While the server will function fully, this mode of operation may
+expose your environment to security vulnerabilities and should
+only be used after careful consideration.
}
}
+bool amRoot() {
+ return (getuid() == 0 || geteuid() == 0);
+}
+
Path::Path(string const& full_name) {
dir_present_ = false;
if (!full_name.empty()) {
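Review bot: amRoot() tests only the real and effective uid, so a process whose saved set-user-ID is still 0, or a non-root account that has been granted broad capabilities, returns false and starts without the new warning. If that limit is intended, the doc comment on the declaration in the header hunk should state it, for example `/// @note The saved set-user-ID and any capabilities are not examined.`, and its `@return` would read more precisely as "the real uid or the effective uid is 0". The hunk does not show whether `<unistd.h>` is already included in this file for getuid() and geteuid(). The Path constructor that follows continues outside the hunk.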
void
setUmask();
+/// @brief Indicates if current user is root
+///
+/// @return True if either the uid or the effective
+/// uid is root.
+bool
+amRoot();
+
/// @brief Paths on a filesystem
struct Path {
/// @brief Constructor