Gentoo Archives: gentoo-security

From: Miguel Figueiredo Mascarenhas Sousa Filipe <miguel.filipe@×××××.com>
To: gentoo-hardened@l.g.o
Cc: gentoo-security@l.g.o
Subject: [gentoo-security] Re: [gentoo-hardened] Securing dhcpcd (client)
Date: Mon, 09 Oct 2006 12:55:10
Message-Id: f058a9c30610090545r75a793c5wc575a1e6b6ef5d69@mail.gmail.com
In Reply to: [gentoo-security] Securing dhcpcd (client) by 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
Hi all,

Disregards my previous email,

On 10/8/06, 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com> wrote:
> It is my understanding that dhcpcd client requires root or a > privileged user. Am presently running dhcpcd in a chroot jail (ssp and > grsecurity-hardened kernel) as user root (ugh). (This is a laptop used > at hotspots, so I think I need to use dhcp). > > Other distributions distribute dhcpcd with a "paranoia" patch incorporated > > <http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch> > > which allows the dropping of privilege and changing of user/group after startup. >
this patch seems to be for the dhcpd (that is, the dhcp server, not the client).. and its for dhcpd version 2, which is outdated. But there are other patches for this, for updated versions of dhcpd, see below.
> Questions: > > 1 Does Gentoo have an "official" way to apply this patch.
Gentoo does have a way to run dhcpd (v3) chrooted. And the chroot is done outside the application (userland/setup). (IIRC, there's a chroot setup option in /etc/conf.d/dhcp) But, has far has I know, it doesn't drop privileges.
> > 2 Presuming that it doesn't, I guess that I'll ebuild unpack: patch > the source manually; ebuild merge !? > > 3. Are there other ways to deal with this potential vulnerability > (privileged process listening on an open port (68) )? (e.g. using > selfdhcp and effecting a manual connection?) > > TIA, newbie > -- > gentoo-hardened@g.o mailing list > >
So, there are 4 diferent issues here: 1) running the dhcp server chrooted (possible in gentoo today.. i'm running it chrooted) - no need for any patch 2) have dhcp server drop privileges. (privilege revocation) - the patch that you provided has this.. this part would be nice to integrate. - the are other patches for this...: http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch IMHO, the owl patch looks better... btw, OpenWall also has a patch to replace sprintfs() for snprintfs() and the like...(bounds checking..) 3) have a dhclient that drops privileges - no patch provided, but a good request, and a wanted feature by me also... (ubuntu & debian seem to have a patch for this...) (openbsd dhclient does this.. AFAIK) 4) having a dhclient that runs chrooted.. - no patch provided. best regards, -- Miguel Sousa Filipe -- gentoo-security@g.o mailing list

Replies

Subject Author
[gentoo-security] Re: [gentoo-hardened] Securing dhcpcd (client) 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com>