On Mon, 09 Oct 2006 08:45:42 -0400, Miguel Figueiredo Mascarenhas Sousa
Filipe <miguel.filipe@×××××.com> wrote:

<snip>

> this patch seems to be for the dhcpd (that is, the dhcp server, not
> the client)..
> and it's for dhcpd version 2, which is outdated.
> But there are other patches for this, for updated versions of dhcpd, see
> below.

Dang! Thank you...... I screwed up.

>

<snip>

>>
>
> So, there are 4 different issues here:
> 1) running the dhcp server chrooted (possible in gentoo today.. i'm
> running it chrooted)
> - no need for any patch
> 2) have dhcp server drop privileges. (privilege revocation)
> - the patch that you provided has this.. this part would be nice to
> integrate.
> - there are other patches for this...:
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain
> http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch
>
> IMHO, the owl patch looks better...
>
> btw, OpenWall also has a patch to replace sprintfs() for snprintfs()
> and the like...(bounds checking..)
>
> 3) have a dhclient that drops privileges
> - no patch provided, but a good request, and a wanted feature by me
> also...
> (ubuntu & debian seem to have a patch for this...)
> (openbsd dhclient does this.. AFAIK)
> 4) having a dhclient that runs chrooted..
> - no patch provided.

Miguel Figueiredo Mascarenhas Sousa Filipe,

THANK YOU - for your direct responses to my questions; for your analysis
of this matter; and for your research!

Given my lack of expertise, I'll work on a patch later, and in the short
term I'll automate the momentary use of the dhcpcd client in a hardened
jail to negotiate a connection; then record that information; then
terminate dhcpcd; then use the recorded info and ifconfig or iproute2 to
create a direct connection. A script or little C program.

Middle term, I'd like to use the dhcpd patch as a model for patching
dhcpcd - a learning exercise for this Winter. Should it work I'll post it
here or in security for further discussion.

I apologize if this seems over the top :-) . As a newbie, I'm not
confident that I've correctly installed/configured my OS, and therefore
want to err in favor of more caution. So I presently have everything that
is connected to the WAN ( and LAN in the case of WIFI hotspots) in a
hardened jail with no privileges (e.g. browser, mail client, TOR, socat,
wireshark, etc....... ). That would include dhcpcd (and IMHO dhcpd as well
were I running a server :-) ) .

(FWIW, I think great caution is necessary when using a laptop at a public
WIFI, given there is no separate gateway firewall, and given the hotspot
LANs are the new Wild West for kiddies - numerous new tools designed
specifically to attack WIFI LANs, APs, and users - for fun and profit. A
risky environment.)

Thanks Again! Roger

--
gentoo-security@g.o mailing list
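Items 1 and 2 in the quoted list (chroot and privilege revocation) are what the linked drop-root patches bolt onto dhcpd, and what Roger wants to carry over to dhcpcd. The following is an added example written for this thread, not code from either patch or from the dhcp sources: a small C routine showing the order a daemon has to follow so the drop actually holds (chroot while still root and chdir into it, clear supplementary groups, setgid before setuid, then verify that root cannot be regained). The jail path /var/empty and the uid/gid 65534 are placeholders, not values from the thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Revoke root in the order that actually works:
 *   1. chroot() + chdir("/") while still root (chroot needs root, and
 *      skipping chdir leaves the working directory outside the jail);
 *   2. setgroups() to clear inherited supplementary groups (root-only call,
 *      and setgid() alone does not touch them);
 *   3. setgid() before setuid(), since setgid() fails once uid is non-zero;
 *   4. setuid() last;
 *   5. verify: every id matches and root is no longer reachable.
 * jail may be NULL to skip the chroot step. Returns 0 on success, -1 with
 * errno set on failure; on failure the caller must abort, never carry on as root.
 */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    /* "Dropping" to uid or gid 0 is a configuration error, not a drop. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (jail != NULL) {
        if (chroot(jail) != 0)
            return -1;
        if (chdir("/") != 0)
            return -1;
    }
    if (setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* Verification: all real/effective ids must match the target ... */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    /* ... and any attempt to climb back to root must be refused. */
    if (setuid(0) == 0 || seteuid(0) == 0 || setgid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* 1 when the calling process can no longer become root, 0 otherwise. */
int root_is_unreachable(void)
{
    if (geteuid() == 0)
        return 0;
    return (setuid(0) != 0 && seteuid(0) != 0) ? 1 : 0;
}

int main(int argc, char **argv)
{
    /* Placeholder jail path and ids; a real daemon takes these from its config
       and resolves the account with getpwnam() instead of hard-coding 65534. */
    const char *jail = argc > 1 ? argv[1] : "/var/empty";
    uid_t uid = 65534;
    gid_t gid = 65534;

    if (drop_privileges(jail, uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %u gid %u, root unreachable: %d\n",
           (unsigned)getuid(), (unsigned)getgid(), root_is_unreachable());
    return 0;
}
```

Run it as root with an empty directory as the jail argument; the sockets and files the daemon still needs (the lease file, the raw socket for DHCP) have to be opened before drop_privileges() is called, which is exactly the restructuring the drop-root patches do to dhcpd.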