Mailing List Archive

Securing dhcpcd (client)
It is my understanding that dhcpcd client requires root or a
privileged user. Am presently running dhcpcd in a chroot jail (ssp and
grsecurity-hardened kernel) as user root (ugh). (This is a laptop used
at hotspots, so I think I need to use dhcp).

Other distributions distribute dhcpcd with a "paranoia" patch incorporated

<http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch>

which allows the dropping of privilege and changing of user/group after startup.

Questions:

1. Does Gentoo have an "official" way to apply this patch?

2. Presuming that it doesn't, I guess that I'll ebuild unpack: patch
the source manually; ebuild merge !?

3. Are there other ways to deal with this potential vulnerability
(privileged process listening on an open port (68) )? (e.g. using
selfdhcp and effecting a manual connection?)

TIA, newbie
--
gentoo-security@gentoo.org mailing list
Re: Securing dhcpcd (client)
On Sunday 08 October 2006 16:26, 7v5w7go9ub0o wrote:
> It is my understanding that dhcpcd client requires root or a
> privileged user.

Standard gentoo net scripts offer multiple dhcp options, not all of them
require maintaining root privileges.

Regards,

- Brian
Re: Securing dhcpcd (client)
On Sun, 08 Oct 2006 18:51:01 -0400, Brian G. Peterson
<brian@braverock.com> wrote:

> On Sunday 08 October 2006 16:26, 7v5w7go9ub0o wrote:
>> It is my understanding that dhcpcd client requires root or a
>> privileged user.
>
> Standard gentoo net scripts offer multiple dhcp options, not all of them
> require maintaining root privileges.
>
> Regards,
>
> - Brian

Great! Thanks for the reply!

Where do I get standard gentoo net scripts?

Re: Re: Securing dhcpcd (client)
On Sunday 08 October 2006 19:10, 7v5w7go9ub0o wrote:
> On Sun, 08 Oct 2006 18:51:01 -0400, Brian G. Peterson wrote:
> > On Sunday 08 October 2006 16:26, 7v5w7go9ub0o wrote:
> >> It is my understanding that dhcpcd client requires root or a
> >> privileged user.
> >
> > Standard gentoo net scripts offer multiple dhcp options, not all of
> > them require maintaining root privileges.
>
> Great! Thanks for the reply!
>
> Where do I get standard gentoo net scripts?

Try looking at /etc/conf.d/net and all the options in there.

If you have an old or truncated net script, re-emerge sys-apps/baselayout

Regards,

- Brian
Re: Re: Securing dhcpcd (client)
On Monday 09 October 2006 02:10, 7v5w7go9ub0o wrote:
> On Sun, 08 Oct 2006 18:51:01 -0400, Brian G. Peterson
> <brian@braverock.com> wrote:
> > On Sunday 08 October 2006 16:26, 7v5w7go9ub0o wrote:
> >> It is my understanding that dhcpcd client requires root or a
> >> privileged user.
> >
> > Standard gentoo net scripts offer multiple dhcp options, not all of them
> > require maintaining root privileges.
> >
> > Regards,
> >
> > - Brian
>
> Great! Thanks for the reply!
>
> Where do I get standard gentoo net scripts?

you'll find them in /etc/conf.d
Re: Re: Securing dhcpcd (client)
On Sun, 08 Oct 2006 20:27:23 -0400, Brian G. Peterson
<brian@braverock.com> wrote:

> On Sunday 08 October 2006 19:10, 7v5w7go9ub0o wrote:
>> On Sun, 08 Oct 2006 18:51:01 -0400, Brian G. Peterson wrote:
>> > On Sunday 08 October 2006 16:26, 7v5w7go9ub0o wrote:
>> >> It is my understanding that dhcpcd client requires root or a
>> >> privileged user.
>> >
>> > Standard gentoo net scripts offer multiple dhcp options, not all of
>> > them require maintaining root privileges.
>>
>> Great! Thanks for the reply!
>>
>> Where do I get standard gentoo net scripts?
>
> Try looking at /etc/conf.d/net and all the options in there.
>
> If you have an old or truncated net script, re-emerge sys-apps/baselayout
>

Ah..... /etc/conf.d/net....... been there often. Sorry ... didn't know
that it was referred to as net scripts (duh).

I've looked through net and have found some interesting options for both
dhcpcd (e.g. dhcpcd_eth0="-t 10", which seems to be a dhcpcd command line
parameter), and for "generic" dhcp (e.g. dhcp_eth0="release nodns nontp
nonis nogateway nosendhost").

1. Have seen nothing that lowers dhcpcd privilege!? What am I missing?
(dhcpcd starts fine, but sits out there as a root process)

2. Where can I get a list of other "generic" dhcp commands, please?

Thanks for your (patient) help! (newbie)
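
[Added example, not part of the original post or of any Gentoo script: a way to check whether a DHCP client really gave up root, by reading the credentials Linux exposes in /proc/<pid>/status. The status excerpts are constructed, and uid/gid 252 is a hypothetical unprivileged "dhcp" account.]

```sh
#!/bin/sh
# Added example: classify a process's privilege state from /proc/<pid>/status.

# Constructed status excerpts (not captured from a real host); uid/gid 252 is
# a hypothetical unprivileged "dhcp" account.
STATUS_ROOT='Name:   dhcpcd
Uid:    0       0       0       0
Gid:    0       0       0       0
CapEff: 00000000fffffeff'
STATUS_SAVED='Name:   dhcpcd
Uid:    252     252     0       252
Gid:    252     252     252     252
CapEff: 0000000000000000'
STATUS_DROPPED='Name:   dhcpcd
Uid:    252     252     252     252
Gid:    252     252     252     252
CapEff: 0000000000000000'

# priv_verdict: read status text on stdin, print "<name> <verdict>".
#   root          effective uid is 0 (also reported if the Uid line is missing)
#   regainable    real, saved or filesystem uid is still 0
#   capabilities  uids are non-zero but effective capabilities remain
#   dropped       nothing root-equivalent is left
priv_verdict() {
    awk '
        $1 == "Name:"   { name = $2 }
        $1 == "Uid:"    { r = $2; e = $3; s = $4; f = $5 }  # real eff saved fs
        $1 == "CapEff:" { caps = ($2 ~ /[1-9A-Fa-f]/) }
        END {
            if (e == 0)                            v = "root"
            else if (r == 0 || s == 0 || f == 0)   v = "regainable"
            else if (caps)                         v = "capabilities"
            else                                   v = "dropped"
            print name, v
        }'
}

# audit_by_name NAME: verdict for every running process called NAME (Linux).
audit_by_name() {
    for pid in $(pgrep -x "$1"); do
        printf '%s ' "$pid"
        priv_verdict < "/proc/$pid/status"
    done
}

for s in "$STATUS_ROOT" "$STATUS_SAVED" "$STATUS_DROPPED"; do
    printf '%s\n' "$s" | priv_verdict
done
```

On a live Linux host, `audit_by_name dhcpcd` applies the same check to the running client. The "regainable" case matters because a process that changed only its effective uid can switch back to root.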

Re: Re: Securing dhcpcd (client)
On Sunday 08 October 2006 20:24, 7v5w7go9ub0o wrote:
> 2. Where can I get a list of other "generic" dhcp commands

look here in /etc/conf.d/net:

#-----------------------------------------------------------------------------
# DHCP
# DHCP can be provided by dhcpcd, dhclient, udhcpc or pump
#
# dhclient: emerge net-misc/dhcp
# dhcpcd: emerge net-misc/dhcpcd
# pump: emerge net-misc/pump
# udhcpc: emerge net-misc/udhcp

and then research your options and use something more appropriate to your
needs than dhcpcd as your dhcp client.

Regards,

- Brian