Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-security
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-hardened@g.o
From: "Miguel Figueiredo Mascarenhas Sousa Filipe" <miguel.filipe@...>
Subject: Re: [gentoo-hardened] Securing dhcpcd (client)
Date: Mon, 9 Oct 2006 13:45:42 +0100
Hi all,

Disregards my previous email,

On 10/8/06, 7v5w7go9ub0o <7v5w7go9ub0o@...> wrote:
> It is my understanding that dhcpcd client requires root or a
> privileged user. Am presently running dhcpcd in a chroot jail (ssp and
> grsecurity-hardened kernel) as user root (ugh). (This is a laptop used
> at hotspots, so I think I need to use dhcp).
>
> Other distributions distribute dhcpcd with a "paranoia" patch incorporated
>
> <http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch>
>
> which allows the dropping of privilege and changing of user/group after startup.
>

this patch seems to be for the dhcpd (that is, the dhcp server, not
the client)..
and its for dhcpd version 2, which is outdated.
But there are other patches for this, for updated versions of dhcpd, see below.


> Questions:
>
> 1 Does Gentoo have an "official" way to apply this patch.

Gentoo does have a way to run dhcpd (v3) chrooted.
And the chroot is done outside the application (userland/setup).
(IIRC, there's a chroot setup option in /etc/conf.d/dhcp)

But, has far has I know, it doesn't drop privileges.

>
> 2 Presuming that it doesn't, I guess that I'll ebuild unpack: patch
> the source manually; ebuild merge !?
>
> 3. Are there other ways to deal with this potential vulnerability
> (privileged process listening on an open port (68) )?  (e.g. using
> selfdhcp and effecting a manual connection?)
>
> TIA, newbie
> --
> gentoo-hardened@g.o mailing list
>
>

So, there are 4 diferent issues here:
1) running the dhcp server chrooted (possible in gentoo today.. i'm
running it chrooted)
 - no need for any patch
2) have dhcp server drop privileges. (privilege revocation)
 - the patch that you provided has this.. this part would be nice to integrate.
 - the are other patches for this...:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain
http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch

IMHO, the owl patch looks better...

btw, OpenWall also has a patch to replace sprintfs() for snprintfs()
and the like...(bounds checking..)

3) have a dhclient that drops privileges
- no patch provided, but a good request, and a wanted feature by me also...
  (ubuntu & debian seem to have a patch for this...)
  (openbsd dhclient does this.. AFAIK)
4) having a dhclient that runs chrooted..
- no patch provided.

best regards,


-- 
Miguel Sousa Filipe
-- 
gentoo-security@g.o mailing list


Replies:
Re: [gentoo-hardened] Securing dhcpcd (client)
-- 7v5w7go9ub0o
References:
Securing dhcpcd (client)
-- 7v5w7go9ub0o
Navigation:
Lists: gentoo-security: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
Re: [gentoo-hardened] Securing dhcpcd (client)
Next by thread:
Re: [gentoo-hardened] Securing dhcpcd (client)
Previous by date:
Re: [gentoo-hardened] Securing dhcpcd (client)
Next by date:
Re: Re : Running app-admin/syslog-ng without rootprivileges


Updated Jun 17, 2009

Summary: Archive of the gentoo-security mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.