| 1 |
On Mon, 09 Oct 2006 08:45:42 -0400, Miguel Figueiredo Mascarenhas Sousa |
| 2 |
Filipe <miguel.filipe@×××××.com> wrote: |
| 3 |
|
| 4 |
<snip> |
| 5 |
|
| 6 |
> this patch seems to be for the dhcpd (that is, the dhcp server, not |
| 7 |
> the client).. |
| 8 |
> and its for dhcpd version 2, which is outdated. |
| 9 |
> But there are other patches for this, for updated versions of dhcpd, see |
| 10 |
> below. |
| 11 |
|
| 12 |
Dang! Thank you...... I screwed up. |
| 13 |
|
| 14 |
> |
| 15 |
|
| 16 |
|
| 17 |
<snip> |
| 18 |
|
| 19 |
|
| 20 |
>> |
| 21 |
> |
| 22 |
> So, there are 4 diferent issues here: |
| 23 |
> 1) running the dhcp server chrooted (possible in gentoo today.. i'm |
| 24 |
> running it chrooted) |
| 25 |
> - no need for any patch |
| 26 |
> 2) have dhcp server drop privileges. (privilege revocation) |
| 27 |
> - the patch that you provided has this.. this part would be nice to |
| 28 |
> integrate. |
| 29 |
> - the are other patches for this...: |
| 30 |
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain |
| 31 |
> http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch |
| 32 |
> |
| 33 |
> IMHO, the owl patch looks better... |
| 34 |
> |
| 35 |
> btw, OpenWall also has a patch to replace sprintfs() for snprintfs() |
| 36 |
> and the like...(bounds checking..) |
| 37 |
> |
| 38 |
> 3) have a dhclient that drops privileges |
| 39 |
> - no patch provided, but a good request, and a wanted feature by me |
| 40 |
> also... |
| 41 |
> (ubuntu & debian seem to have a patch for this...) |
| 42 |
> (openbsd dhclient does this.. AFAIK) |
| 43 |
> 4) having a dhclient that runs chrooted.. |
| 44 |
> - no patch provided. |
| 45 |
|
| 46 |
Miguel Figueiredo Mascarenhas Sousa Filipe, |
| 47 |
|
| 48 |
THANK YOU - for your direct responses to my questions; for your analysis |
| 49 |
of this matter; and for your research! |
| 50 |
|
| 51 |
Given my lack of expertise, I'll work on a patch later, and in the short |
| 52 |
term I'll automate the momentary use of the dhcpcd client in a hardened |
| 53 |
jail to negotiate a connection; then record that information; then |
| 54 |
terminate dhcpcd; then use the recorded info and ifconfig or iproute2 to |
| 55 |
create a direct connection. A script or little C program. |
| 56 |
|
| 57 |
Middle term, I'd like to use the dhcpd patch as a model for patching |
| 58 |
dhcpcd - a learning exercise for this Winter. Should it work I'll post it |
| 59 |
here or in security for further discussion. |
| 60 |
|
| 61 |
I apologize if this seems over the top :-) . As a newbie, I'm not |
| 62 |
confident that I've correctly installed/configured my OS, and therefor |
| 63 |
want to err in favor of more caution. So I presently have everything that |
| 64 |
is connected to the WAN ( and LAN in the case of WIFI hotspots) in a |
| 65 |
hardened jail with no privileges (e.g. browser, mail client, TOR, socat, |
| 66 |
wireshark, etc....... ). That would include dhcpcd (and IMHO dhcpd as well |
| 67 |
were I running a server :-) ) . |
| 68 |
|
| 69 |
(FWIW, I think great caution is necessary when using a laptop at a public |
| 70 |
WIFI, given there is no separate gateway firewall, and given the hotspot |
| 71 |
LANs are the new Wild West for kiddies - numerous new tools designed |
| 72 |
specifically to attack WIFI LANs, APs, and users - for fun and profit. A |
| 73 |
risky environment.) |
| 74 |
|
| 75 |
Thanks Again! Roger |
| 76 |
|
| 77 |
-- |
| 78 |
gentoo-security@g.o mailing list |
Archives