Disregard my previous email,
On 10/8/06, 7v5w7go9ub0o <7v5w7go9ub0o@...> wrote:
> It is my understanding that dhcpcd client requires root or a
> privileged user. Am presently running dhcpcd in a chroot jail (ssp and
> grsecurity-hardened kernel) as user root (ugh). (This is a laptop used
> at hotspots, so I think I need to use dhcp).
> Other distributions distribute dhcpcd with a "paranoia" patch incorporated
> which allows the dropping of privilege and changing of user/group after startup.
this patch seems to be for the dhcpd (that is, the dhcp server, not
and it's for dhcpd version 2, which is outdated.
But there are other patches for this, for updated versions of dhcpd, see below.
> 1 Does Gentoo have an "official" way to apply this patch.
Gentoo does have a way to run dhcpd (v3) chrooted.
And the chroot is done outside the application (userland/setup).
(IIRC, there's a chroot setup option in /etc/conf.d/dhcp)
But, as far as I know, it doesn't drop privileges.
> 2 Presuming that it doesn't, I guess that I'll ebuild unpack: patch
> the source manually; ebuild merge !?
> 3. Are there other ways to deal with this potential vulnerability
> (privileged process listening on an open port (68) )? (e.g. using
> selfdhcp and effecting a manual connection?)
> TIA, newbie
> firstname.lastname@example.org mailing list
So, there are 4 different issues here:
1) running the dhcp server chrooted (possible in gentoo today.. i'm
running it chrooted)
- no need for any patch
2) have dhcp server drop privileges. (privilege revocation)
- the patch that you provided has this.. this part would be nice to integrate.
- there are other patches for this...:
IMHO, the owl patch looks better...
btw, OpenWall also has a patch to replace sprintf()s with snprintf()s
and the like... (bounds checking..)
3) have a dhclient that drops privileges
- no patch provided, but a good request, and a wanted feature by me also...
(ubuntu & debian seem to have a patch for this...)
(openbsd dhclient does this.. AFAIK)
4) having a dhclient that runs chrooted..
- no patch provided.
Miguel Sousa Filipe
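As an added example, not code from this thread and not from dhcpd, dhcpcd or any of the patches mentioned: the privilege-revocation step from issue 2 (and the in-process chroot from issue 4) written out in C, in the order the kernel requires. chroot() needs root, so it must come before the uid change; supplementary groups go before the gid, the gid before the uid, because after setuid() to an unprivileged user none of the earlier calls can succeed any more. The second function is the paranoid check a hardened daemon should run right after dropping: if setuid(0) still works, nothing was dropped. The jail path, uid/gid 65534 ("nobody") and the function names are assumptions for illustration.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc hides this prototype behind a feature macro; redeclaring it
 * with the same signature is harmless on glibc and musl. */
int setgroups(size_t size, const gid_t *list);

/*
 * Irreversibly drop root. Order matters:
 *   1. chdir() + chroot() + chdir("/")   (still root: chroot needs it;
 *      the second chdir stops the classic "cwd outside the jail" escape)
 *   2. setgroups(0, NULL)                (supplementary groups, needs root)
 *   3. setgid()                          (before setuid, or it will fail)
 *   4. setuid()                          (point of no return)
 * jail may be NULL to skip the chroot (e.g. when the init script already
 * did it, as Gentoo's conf.d setup does). Returns 0, or -1 with errno set.
 */
int drop_privileges(const char *jail, gid_t gid, uid_t uid)
{
    if (jail != NULL) {
        if (chdir(jail) != 0)   return -1;
        if (chroot(jail) != 0)  return -1;
        if (chdir("/") != 0)    return -1;
    }
    /* Only root can change the supplementary group list; an already
     * unprivileged caller gets EPERM here and has nothing to drop. */
    if (setgroups(0, NULL) != 0 && geteuid() == 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/*
 * Post-drop verification: every id must match the target, and, for a
 * non-root target, trying to climb back to root must fail. Returns 1 if
 * the process is really confined to uid/gid, 0 otherwise.
 */
int privileges_are_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;  /* saved uid still root */
    if (gid != 0 && setgid(0) == 0) return 0;  /* saved gid still root */
    return 1;
}

/* Stand-alone demo: ./drop [jaildir]  (run as root to see the full drop;
 * 65534 is the usual "nobody" uid/gid, an assumption for this example). */
int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : NULL;
    uid_t uid = 65534;
    gid_t gid = 65534;

    if (geteuid() != 0) {           /* not root: just demonstrate the check */
        uid = getuid();
        gid = getgid();
        jail = NULL;
    }
    if (drop_privileges(jail, gid, uid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("now uid=%u gid=%u, dropped=%d\n",
           (unsigned)getuid(), (unsigned)getgid(),
           privileges_are_dropped(uid, gid));
    return 0;
}
```

A daemon that does this in-process still has to open its sockets, log files and leases file before the drop, which is exactly why the patches are intrusive; the init-script chroot Gentoo ships avoids touching the code but leaves the process as root inside the jail.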