Hi,
On 10/8/06, 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> wrote:
> It is my understanding that dhcpcd client requires root or a
> privileged user. Am presently running dhcpcd in a chroot jail (ssp and
> grsecurity-hardened kernel) as user root (ugh). (This is a laptop used
> at hotspots, so I think I need to use dhcp).
Not all dhcp clients run as root.
In Ubuntu Linux, the dhclient is running with the "daemon" user.
I haven't looked carefully at how to accomplish this in Gentoo, but I will.
>
> Other distributions distribute dhcpcd with a "paranoia" patch incorporated
>
> <http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch>
>
> which allows the dropping of privilege and changing of user/group after startup.
It would be nice to have that integrated.
>
> Questions:
>
> 1 Does Gentoo have an "official" way to apply this patch.
>
> 2 Presuming that it doesn't, I guess that I'll ebuild unpack: patch
> the source manually; ebuild merge !?
>
> 3. Are there other ways to deal with this potential vulnerability
> (privileged process listening on an open port (68) )? (e.g. using
> selfdhcp and effecting a manual connection?)
>
Privilege revocation/separation in the application in question seems the better way.
> TIA, newbie
> --
> gentoo-hardened@gentoo.org mailing list
>
Best regards,
--
Miguel Sousa Filipe
--
gentoo-security@gentoo.org mailing list
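
Added example (not part of the original message, and not code from the paranoia patch, dhcpcd or dhclient): a sketch of the "bind port 68 as root, then permanently drop to an unprivileged user/group" pattern the thread discusses. The function names are hypothetical and uid/gid 65534 ("nobody") is an assumption.

```c
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#include <arpa/inet.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind the DHCP client port (68/udp) while still root; returns fd or -1. */
int open_bootpc_socket(void)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(68);
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Permanently switch to uid/gid. 0 on success, negative on failure:
 * -2 target is root, -1 caller is not root, -3 a set*id call failed,
 * -4 the drop did not stick. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -2;
    if (geteuid() != 0) return -1;
    /* Order matters: groups and gid need root, so the uid goes last. */
    if (setgroups(1, &gid) != 0) return -3;
    if (setgid(gid) != 0) return -3;
    if (setuid(uid) != 0) return -3;
    /* Verify: ids changed and root cannot be regained. */
    if (getuid() != uid || geteuid() != uid) return -4;
    if (getgid() != gid || getegid() != gid) return -4;
    if (setuid(0) == 0) return -4;
    return 0;
}

int main(void)
{
    int fd = open_bootpc_socket();          /* needs root (port < 1024) */
    int rc = drop_privileges(65534, 65534); /* assumed "nobody" ids */
    printf("socket fd=%d, drop rc=%d, now uid=%d\n", fd, rc, (int)getuid());
    /* The DHCP exchange would continue here on fd, unprivileged. */
    if (fd >= 0) close(fd);
    return rc == 0 ? 0 : 1;
}
```

A DHCP client still needs privilege afterwards to configure the interface and routes, which is why the thread also mentions privilege separation: a small root helper applies the lease while the network-facing parser runs unprivileged.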