List Archive: gentoo-security
To: gentoo-hardened@g.o
From: 7v5w7go9ub0o <7v5w7go9ub0o@...>
Subject: Re: [gentoo-hardened] Securing dhcpcd (client)
Date: Mon, 09 Oct 2006 14:37:25 -0400
On Mon, 09 Oct 2006 08:45:42 -0400, Miguel Figueiredo Mascarenhas Sousa  
Filipe <miguel.filipe@...> wrote:

<snip>

> this patch seems to be for the dhcpd (that is, the dhcp server, not
> the client)..
> and it's for dhcpd version 2, which is outdated.
> But there are other patches for this, for updated versions of dhcpd, see
> below.

Dang! Thank you...... I screwed up.

<snip>

> So, there are 4 different issues here:
> 1) running the dhcp server chrooted (possible in gentoo today.. i'm
> running it chrooted)
>  - no need for any patch
> 2) have dhcp server drop privileges. (privilege revocation)
>  - the patch that you provided has this.. this part would be nice to  
> integrate.
>  - there are other patches for this...:
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain
> http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch
>
> IMHO, the owl patch looks better...
>
> btw, OpenWall also has a patch to replace sprintfs() for snprintfs()
> and the like...(bounds checking..)
>
> 3) have a dhclient that drops privileges
> - no patch provided, but a good request, and a wanted feature by me  
> also...
>   (ubuntu & debian seem to have a patch for this...)
>   (openbsd dhclient does this.. AFAIK)
> 4) having a dhclient that runs chrooted..
> - no patch provided.

Miguel Figueiredo Mascarenhas Sousa Filipe,

THANK YOU - for your direct responses to my questions; for your analysis
of this matter; and for your research!

Given my lack of expertise, I'll work on a patch later, and in the short  
term I'll automate the momentary use of the dhcpcd client in a hardened  
jail to negotiate a connection; then record that information; then  
terminate dhcpcd; then use the recorded info and ifconfig or iproute2 to  
create a direct connection. A script or little C program.

Middle term, I'd like to use the dhcpd patch as a model for patching  
dhcpcd - a learning exercise for this Winter. Should it work I'll post it  
here or in security for further discussion.

I apologize if this seems over the top :-) . As a newbie, I'm not
confident that I've correctly installed/configured my OS, and therefore
want to err in favor of more caution. So I presently have everything that
is connected to the WAN (and LAN in the case of WIFI hotspots) in a
hardened jail with no privileges (e.g. browser, mail client, TOR, socat,
wireshark, etc....... ). That would include dhcpcd (and IMHO dhcpd as well
were I running a server :-) ) .

(FWIW, I think great caution is necessary when using a laptop at a public  
WIFI, given there is no separate gateway firewall, and given the hotspot  
LANs are the new Wild West for kiddies - numerous new tools designed  
specifically to attack WIFI LANs, APs, and users - for fun and profit. A  
risky environment.)

Thanks Again! Roger

-- 
gentoo-security@g.o mailing list


Replies:
Re: Re: [gentoo-hardened] Securing dhcpcd (client)
-- Brian G. Peterson
References:
Securing dhcpcd (client)
-- 7v5w7go9ub0o
Re: [gentoo-hardened] Securing dhcpcd (client)
-- Miguel Figueiredo Mascarenhas Sousa Filipe