On Mon, 09 Oct 2006 08:45:42 -0400, Miguel Figueiredo Mascarenhas Sousa
Filipe <miguel.filipe@...> wrote:
<snip>
> this patch seems to be for the dhcpd (that is, the dhcp server, not
> the client)..
> and it's for dhcpd version 2, which is outdated.
> But there are other patches for this, for updated versions of dhcpd, see
> below.
Dang! Thank you...... I screwed up.
>
<snip>
>>
>
> So, there are 4 different issues here:
> 1) running the dhcp server chrooted (possible in gentoo today.. i'm
> running it chrooted)
> - no need for any patch
> 2) have dhcp server drop privileges. (privilege revocation)
> - the patch that you provided has this.. this part would be nice to
> integrate.
> - there are other patches for this...:
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain
> http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch
>
> IMHO, the owl patch looks better...
>
> btw, OpenWall also has a patch to replace sprintfs() for snprintfs()
> and the like...(bounds checking..)
>
> 3) have a dhclient that drops privileges
> - no patch provided, but a good request, and a wanted feature by me
> also...
> (ubuntu & debian seem to have a patch for this...)
> (openbsd dhclient does this.. AFAIK)
> 4) having a dhclient that runs chrooted..
> - no patch provided.
Miguel Figueiredo Mascarenhas Sousa Filipe,
THANK YOU - for your direct responses to my questions; for your analysis
of this matter; and for your research!
Given my lack of expertise, I'll work on a patch later, and in the short
term I'll automate the momentary use of the dhcpcd client in a hardened
jail to negotiate a connection; then record that information; then
terminate dhcpcd; then use the recorded info and ifconfig or iproute2 to
create a direct connection. A script or little C program.
Middle term, I'd like to use the dhcpd patch as a model for patching
dhcpcd - a learning exercise for this Winter. Should it work I'll post it
here or in security for further discussion.
I apologize if this seems over the top :-) . As a newbie, I'm not
confident that I've correctly installed/configured my OS, and therefore
want to err in favor of more caution. So I presently have everything that
is connected to the WAN ( and LAN in the case of WIFI hotspots) in a
hardened jail with no privileges (e.g. browser, mail client, TOR, socat,
wireshark, etc....... ). That would include dhcpcd (and IMHO dhcpd as well
were I running a server :-) ) .
(FWIW, I think great caution is necessary when using a laptop at a public
WIFI, given there is no separate gateway firewall, and given the hotspot
LANs are the new Wild West for kiddies - numerous new tools designed
specifically to attack WIFI LANs, APs, and users - for fun and profit. A
risky environment.)
Thanks Again! Roger
--
gentoo-security@g.o mailing list
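
The privilege revocation discussed in items 1) and 2) of the thread above, as an added example; it is not code from the Owl or episec patches or from any dhcp package. The function name, the return codes, the jail path "/var/empty" and the id 65534 are assumptions made for illustration.

```c
/* Added example: chroot, then irreversibly drop root. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum { DROP_OK = 0, DROP_EBADID = -1, DROP_ENOTROOT = -2,
       DROP_ECHROOT = -3, DROP_EIDS = -4, DROP_EREGAIN = -5 };

/* Hypothetical helper: call it after privileged setup (sockets bound,
 * files opened) is complete and before any network input is parsed. */
int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return DROP_EBADID;        /* "dropping" to root changes nothing */
    if (geteuid() != 0)
        return DROP_ENOTROOT;      /* chroot() and setgroups() need root */

    /* 1. Enter the jail while still root; chdir so the cwd is inside it. */
    if (chroot(jail) != 0 || chdir("/") != 0)
        return DROP_ECHROOT;

    /* 2. Supplementary groups first, then gid, then uid. Once setuid()
     *    succeeds the process may no longer change its groups. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return DROP_EIDS;

    /* 3. Verify the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return DROP_EREGAIN;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return DROP_EREGAIN;
    return DROP_OK;
}

int main(void)
{
    /* Constructed values standing in for the jail directory and the
     * unprivileged account the daemon would run as. */
    int rc = drop_privileges("/var/empty", 65534, 65534);
    printf("drop_privileges returned %d\n", rc);
    return rc == DROP_OK ? 0 : 1;
}
```

A daemon should treat any non-zero return as fatal and exit instead of continuing with root privileges.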