Gentoo Archives: gentoo-security

From: 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com>
To: gentoo-hardened@l.g.o
Cc: "gentoo-security@l.g.o" <gentoo-security@l.g.o>
Subject: [gentoo-security] Re: [gentoo-hardened] Securing dhcpcd (client)
Date: Mon, 09 Oct 2006 18:47:38
Message-Id: op.tg53cnzlyguj3e@you.and.your.horse
In Reply to: [gentoo-security] Re: [gentoo-hardened] Securing dhcpcd (client) by Miguel Figueiredo Mascarenhas Sousa Filipe

On Mon, 09 Oct 2006 08:45:42 -0400, Miguel Figueiredo Mascarenhas Sousa Filipe <miguel.filipe@×××××.com> wrote:

<snip>

> this patch seems to be for the dhcpd (that is, the dhcp server, not
> the client)..
> and it's for dhcpd version 2, which is outdated.
> But there are other patches for this, for updated versions of dhcpd, see
> below.

Dang! Thank you...... I screwed up.
>
<snip>
>>
>
> So, there are 4 different issues here:
> 1) running the dhcp server chrooted (possible in gentoo today.. i'm
> running it chrooted)
> - no need for any patch
> 2) have dhcp server drop privileges. (privilege revocation)
> - the patch that you provided has this.. this part would be nice to
> integrate.
> - there are other patches for this...:
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain
> http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch
>
> IMHO, the owl patch looks better...
>
> btw, OpenWall also has a patch to replace sprintfs() for snprintfs()
> and the like...(bounds checking..)
>
> 3) have a dhclient that drops privileges
> - no patch provided, but a good request, and a wanted feature by me
> also...
> (ubuntu & debian seem to have a patch for this...)
> (openbsd dhclient does this.. AFAIK)
> 4) having a dhclient that runs chrooted..
> - no patch provided.

Miguel Figueiredo Mascarenhas Sousa Filipe, THANK YOU - for your direct responses to my questions; for your analysis of this matter; and for your research!

Given my lack of expertise, I'll work on a patch later, and in the short term I'll automate the momentary use of the dhcpcd client in a hardened jail to negotiate a connection; then record that information; then terminate dhcpcd; then use the recorded info and ifconfig or iproute2 to create a direct connection. A script or little C program.

Middle term, I'd like to use the dhcpd patch as a model for patching dhcpcd - a learning exercise for this Winter. Should it work I'll post it here or in security for further discussion.

I apologize if this seems over the top :-) . As a newbie, I'm not confident that I've correctly installed/configured my OS, and therefore want to err in favor of more caution. So I presently have everything that is connected to the WAN (and LAN in the case of WIFI hotspots) in a hardened jail with no privileges (e.g. browser, mail client, TOR, socat, wireshark, etc.). That would include dhcpcd (and IMHO dhcpd as well were I running a server :-) ).

(FWIW, I think great caution is necessary when using a laptop at a public WIFI, given there is no separate gateway firewall, and given the hotspot LANs are the new Wild West for kiddies - numerous new tools designed specifically to attack WIFI LANs, APs, and users - for fun and profit. A risky environment.)

Thanks Again!

Roger
--
gentoo-security@g.o mailing list
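
The short-term plan in the message above (negotiate in a jail, record the lease, terminate dhcpcd, configure the interface directly) hinges on how the recorded lease is consumed, since its values originate from whatever DHCP server answered. The sketch below is an added example, not code from the thread or from dhcpcd: it assumes the lease was recorded as `KEY=value` lines named `IPADDR`, `NETMASK`, `GATEWAY` and `DNS`, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of a recorded lease; the KEY=value layout is an assumption.
SAMPLE_LEASE = """\
IPADDR=192.168.1.57
NETMASK=255.255.255.0
GATEWAY=192.168.1.1
DNS=192.168.1.1,192.168.1.2
"""
FIELDS = ("IPADDR", "NETMASK", "GATEWAY", "DNS")
IFACE_RE = re.compile(r"[a-z][a-z0-9]{1,14}")


def parse_lease(text):
    """Read KEY=value lines as plain data; the file is never sourced as shell."""
    lease = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in FIELDS:
            lease[key.strip()] = value.strip().strip("'\"")
    return lease


def static_config(iface, lease):
    """Return (iproute2 argv lists, resolv.conf lines) for a validated lease."""
    if not IFACE_RE.fullmatch(iface):
        raise ValueError("unexpected interface name")
    missing = [f for f in FIELDS[:3] if f not in lease]
    if missing:
        raise ValueError("lease is missing " + ", ".join(missing))
    # ipaddress accepts only literal IPv4 values and raises ValueError otherwise,
    # so text a hostile DHCP server put in the lease never reaches a command.
    addr = ipaddress.IPv4Interface(lease["IPADDR"] + "/" + lease["NETMASK"])
    gateway = ipaddress.IPv4Address(lease["GATEWAY"])
    if gateway not in addr.network:
        raise ValueError("gateway is outside the leased subnet")
    dns = [ipaddress.IPv4Address(d.strip())
           for d in lease.get("DNS", "").split(",") if d.strip()]
    cmds = [
        ["ip", "addr", "add", addr.with_prefixlen, "dev", iface],
        ["ip", "link", "set", "dev", iface, "up"],
        ["ip", "route", "add", "default", "via", str(gateway), "dev", iface],
    ]
    return cmds, ["nameserver %s" % d for d in dns]
```

Each argv list is meant to be handed to `subprocess.run` as a list (no shell) once dhcpcd has exited, so only the short configuration step needs root.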
