Hi all,

Disregard my previous email,

On 10/8/06, 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com> wrote:
> It is my understanding that dhcpcd client requires root or a
> privileged user. Am presently running dhcpcd in a chroot jail (ssp and
> grsecurity-hardened kernel) as user root (ugh). (This is a laptop used
> at hotspots, so I think I need to use dhcp).
>
> Other distributions distribute dhcpcd with a "paranoia" patch incorporated
>
> <http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch>
>
> which allows the dropping of privilege and changing of user/group after startup.
>

This patch seems to be for dhcpd (that is, the dhcp server, not
the client)..
and it's for dhcpd version 2, which is outdated.
But there are other patches for this, for updated versions of dhcpd, see below.


> Questions:
>
> 1 Does Gentoo have an "official" way to apply this patch.

Gentoo does have a way to run dhcpd (v3) chrooted.
And the chroot is done outside the application (userland/setup).
(IIRC, there's a chroot setup option in /etc/conf.d/dhcp)

But, as far as I know, it doesn't drop privileges.

>
> 2 Presuming that it doesn't, I guess that I'll ebuild unpack: patch
> the source manually; ebuild merge !?
>
> 3. Are there other ways to deal with this potential vulnerability
> (privileged process listening on an open port (68) )? (e.g. using
> selfdhcp and effecting a manual connection?)
>
> TIA, newbie
> --
> gentoo-hardened@g.o mailing list
>
>

So, there are 4 different issues here:
1) running the dhcp server chrooted (possible in gentoo today.. I'm
running it chrooted)
 - no need for any patch
2) have the dhcp server drop privileges (privilege revocation)
 - the patch that you provided has this.. this part would be nice to integrate.
 - there are other patches for this...:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain
http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch

IMHO, the owl patch looks better...

btw, OpenWall also has a patch to replace sprintf() with snprintf()
and the like... (bounds checking..)

3) have a dhclient that drops privileges
 - no patch provided, but a good request, and a wanted feature by me also...
(ubuntu & debian seem to have a patch for this...)
(openbsd dhclient does this.. AFAIK)
4) having a dhclient that runs chrooted..
 - no patch provided.

best regards,


--
Miguel Sousa Filipe
--
gentoo-security@g.o mailing list
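The thread separates "chroot the daemon" from "drop privileges", and notes that Gentoo's setup does the first outside the daemon but not the second. The added example below is not code from the thread, from dhcpd or from any of the patches linked above; it shows, in plain C, the order such a privilege-revocation step has to follow and a check that root really cannot be regained afterwards. The account name `nobody` and the jail directory `/var/lib/dhcp` are assumptions used for illustration only.

```c
/* Added example (not from the thread or from dhcpd): chroot, then revoke
 * root, in the order that actually works. The drop-root patches in the
 * thread do the equivalent inside the daemon after it has bound port 67. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes so the example also builds under strict -std= modes
 * where <grp.h>/<unistd.h> hide these BSD/XSI functions. */
int setgroups(size_t, const gid_t *);
int chroot(const char *);

/* Confine the process to root_dir (NULL = skip it, e.g. when the jail is
 * set up outside the daemon, as in the Gentoo conf.d approach) and switch
 * to uid/gid. Returns 0 on success, -1 on failure with errno set.
 * Order matters: chroot() needs root, so it comes first; supplementary
 * groups and the gid are dropped before the uid, because once the uid is
 * no longer root, setgroups()/setgid() would be refused. */
int drop_privileges(const char *root_dir, uid_t uid, gid_t gid)
{
    if (root_dir != NULL) {
        if (chroot(root_dir) != 0)
            return -1;
        /* chroot() does not move the cwd; without chdir("/") the process
         * still holds a directory handle outside the jail. */
        if (chdir("/") != 0)
            return -1;
    }
    /* Only root may change supplementary groups; an unprivileged caller
     * keeps the ones it already has. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop: real and effective ids match the target, and for a
 * non-root target, setuid(0) is refused (i.e. the saved uid is not root).
 * Returns 1 if privileges are dropped, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)   /* succeeded: root can still be regained */
        return 0;
    return 1;
}

/* Resolve an account name to uid/gid; 0 on success, -1 if unknown. */
int lookup_account(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return -1;
    *uid = pw->pw_uid;
    *gid = pw->pw_gid;
    return 0;
}

int main(void)
{
    uid_t uid;
    gid_t gid;
    const char *account = "nobody";      /* assumed unprivileged account */
    const char *jail = "/var/lib/dhcp";  /* assumed jail directory */

    if (lookup_account(account, &uid, &gid) != 0) {
        fprintf(stderr, "no such account: %s\n", account);
        return 1;
    }
    if (drop_privileges(jail, uid, gid) != 0) {
        fprintf(stderr, "drop_privileges: %s\n", strerror(errno));
        return 1;
    }
    printf("privileges dropped: %d\n", privileges_dropped(uid, gid));
    return 0;
}
```

Run as root it chroots into the assumed jail and ends up as the assumed account; run as an ordinary user the chroot step fails with EPERM, which is the point of the thread's item 1 being handled by the init script rather than the daemon. The `privileges_dropped` check is the part worth keeping around: a daemon that calls `seteuid()` instead of `setuid()` passes the uid comparison but fails the `setuid(0)` test, because its saved uid is still root.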