Gentoo Archives: gentoo-security

From: Miguel Figueiredo Mascarenhas Sousa Filipe <miguel.filipe@×××××.com>
To: gentoo-hardened@l.g.o
Cc: gentoo-security@l.g.o
Subject: [gentoo-security] Re: [gentoo-hardened] Securing dhcpcd (client)
Date: Mon, 09 Oct 2006 12:55:10
Message-Id: f058a9c30610090545r75a793c5wc575a1e6b6ef5d69@mail.gmail.com
In Reply to: [gentoo-security] Securing dhcpcd (client) by 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com>
Hi all,

Disregard my previous email,

On 10/8/06, 7v5w7go9ub0o <7v5w7go9ub0o@×××××.com> wrote:
> It is my understanding that dhcpcd client requires root or a
> privileged user. Am presently running dhcpcd in a chroot jail (ssp and
> grsecurity-hardened kernel) as user root (ugh). (This is a laptop used
> at hotspots, so I think I need to use dhcp).
>
> Other distributions distribute dhcpcd with a "paranoia" patch incorporated
>
> <http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch>
>
> which allows the dropping of privilege and changing of user/group after startup.
>

this patch seems to be for the dhcpd (that is, the dhcp server, not
the client)..
and it's for dhcpd version 2, which is outdated.
But there are other patches for this, for updated versions of dhcpd, see below.

> Questions:
>
> 1 Does Gentoo have an "official" way to apply this patch.

Gentoo does have a way to run dhcpd (v3) chrooted.
And the chroot is done outside the application (userland/setup).
(IIRC, there's a chroot setup option in /etc/conf.d/dhcp)

But, as far as I know, it doesn't drop privileges.

>
> 2 Presuming that it doesn't, I guess that I'll ebuild unpack: patch
> the source manually; ebuild merge !?
>
> 3. Are there other ways to deal with this potential vulnerability
> (privileged process listening on an open port (68) )? (e.g. using
> selfdhcp and effecting a manual connection?)
>
> TIA, newbie
> --
> gentoo-hardened@g.o mailing list
>
>

So, there are 4 different issues here:
1) running the dhcp server chrooted (possible in gentoo today.. i'm
running it chrooted)
   - no need for any patch
2) have dhcp server drop privileges. (privilege revocation)
   - the patch that you provided has this.. this part would be nice to integrate.
   - there are other patches for this...:
     http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain
     http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch

IMHO, the owl patch looks better...

btw, OpenWall also has a patch to replace sprintfs() with snprintfs()
and the like...(bounds checking..)

3) have a dhclient that drops privileges
   - no patch provided, but a good request, and a wanted feature by me also...
   (ubuntu & debian seem to have a patch for this...)
   (openbsd dhclient does this.. AFAIK)
4) having a dhclient that runs chrooted..
   - no patch provided.

best regards,


--
Miguel Sousa Filipe
--
gentoo-security@g.o mailing list
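
Added example, not part of the original message and not taken from the Owl or paranoia patches it links: a minimal C sketch of the "chroot, then drop privileges after startup" sequence discussed above, showing the order of the calls and a check that root cannot be regained. The function names and the uid/gid 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* setgroups(), chroot() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if root can no longer be regained, 0 if it still can. */
int cannot_regain_root(void)
{
    return (setuid(0) == -1 && seteuid(0) == -1) ? 1 : 0;
}

/* Confine to jail (NULL = no chroot) and switch permanently to uid/gid.
 * Call once privileged setup, such as binding the DHCP socket, is done.
 * Returns 0 on success, -1 on failure; on failure the caller must exit. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* not a drop */
    if (geteuid() != 0)       { errno = EPERM;  return -1; } /* not root */

    /* chroot() needs root, so it comes before the uid change; chdir("/")
     * moves the working directory inside the jail. */
    if (jail && (chroot(jail) == -1 || chdir("/") == -1)) return -1;

    /* Order matters: supplementary groups, then gid, then uid. After
     * setuid() the process is no longer allowed to change its groups. */
    if (setgroups(1, &gid) == -1) return -1;
    if (setgid(gid) == -1)        return -1;
    if (setuid(uid) == -1)        return -1;

    /* Verify rather than assume: ids changed and root is unreachable. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) { errno = EPERM; return -1; }
    if (!cannot_regain_root()) { errno = EPERM; return -1; }
    return 0;
}

int main(void)
{
    /* 65534 is a constructed stand-in for an unprivileged service account. */
    if (drop_privileges(NULL, 65534, 65534) == -1) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Run as root it switches to the unprivileged ids; run as an ordinary user it refuses with EPERM instead of reporting a drop that never happened.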
