Mailing List Archive: Gentoo: Security

Re: [gentoo-hardened] Securing dhcpcd (client)

Index | Next | Previous | View Threaded

miguel.filipe at gmail

Oct 9, 2006, 4:18 AM

Post #1 of 5 (623 views)
Permalink

Re: [gentoo-hardened] Securing dhcpcd (client)

Hi,

On 10/8/06, 7v5w7go9ub0o <7v5w7go9ub0o [at] gmail> wrote:
> It is my understanding that dhcpcd client requires root or a
> privileged user. Am presently running dhcpcd in a chroot jail (ssp and
> grsecurity-hardened kernel) as user root (ugh). (This is a laptop used
> at hotspots, so I think I need to use dhcp).

Not all dhcp clients run has root.

in ubuntu linux, the dhclient is running with "daemon" user.
I haven't looked carefully how to acomplish this in gentoo.. but I will.

>
> Other distributions distribute dhcpcd with a "paranoia" patch incorporated
>
> <http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch>
>
> which allows the dropping of privilege and changing of user/group after startup.

It would be nice to have that integrated.

>
> Questions:
>
> 1 Does Gentoo have an "official" way to apply this patch.
>
> 2 Presuming that it doesn't, I guess that I'll ebuild unpack: patch
> the source manually; ebuild merge !?
>
> 3. Are there other ways to deal with this potential vulnerability
> (privileged process listening on an open port (68) )? (e.g. using
> selfdhcp and effecting a manual connection?)
>

privilege revocation/separation on the aplication in case seems the better way.

> TIA, newbie
> --
> gentoo-hardened [at] gentoo mailing list
>

Best regards,

--
Miguel Sousa Filipe
--
gentoo-security [at] gentoo mailing list

miguel.filipe at gmail

Oct 9, 2006, 5:45 AM

Post #2 of 5 (593 views)
Permalink

Re: [gentoo-hardened] Securing dhcpcd (client) [In reply to]

Hi all,

Disregards my previous email,

On 10/8/06, 7v5w7go9ub0o <7v5w7go9ub0o [at] gmail> wrote:
> It is my understanding that dhcpcd client requires root or a
> privileged user. Am presently running dhcpcd in a chroot jail (ssp and
> grsecurity-hardened kernel) as user root (ugh). (This is a laptop used
> at hotspots, so I think I need to use dhcp).
>
> Other distributions distribute dhcpcd with a "paranoia" patch incorporated
>
> <http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch>
>
> which allows the dropping of privilege and changing of user/group after startup.
>

this patch seems to be for the dhcpd (that is, the dhcp server, not
the client)..
and its for dhcpd version 2, which is outdated.
But there are other patches for this, for updated versions of dhcpd, see below.

> Questions:
>
> 1 Does Gentoo have an "official" way to apply this patch.

Gentoo does have a way to run dhcpd (v3) chrooted.
And the chroot is done outside the application (userland/setup).
(IIRC, there's a chroot setup option in /etc/conf.d/dhcp)

But, has far has I know, it doesn't drop privileges.

>
> 2 Presuming that it doesn't, I guess that I'll ebuild unpack: patch
> the source manually; ebuild merge !?
>
> 3. Are there other ways to deal with this potential vulnerability
> (privileged process listening on an open port (68) )? (e.g. using
> selfdhcp and effecting a manual connection?)
>
> TIA, newbie
> --
> gentoo-hardened [at] gentoo mailing list
>
>

So, there are 4 diferent issues here:
1) running the dhcp server chrooted (possible in gentoo today.. i'm
running it chrooted)
- no need for any patch
2) have dhcp server drop privileges. (privilege revocation)
- the patch that you provided has this.. this part would be nice to integrate.
- the are other patches for this...:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain
http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch

IMHO, the owl patch looks better...

btw, OpenWall also has a patch to replace sprintfs() for snprintfs()
and the like...(bounds checking..)

3) have a dhclient that drops privileges
- no patch provided, but a good request, and a wanted feature by me also...
(ubuntu & debian seem to have a patch for this...)
(openbsd dhclient does this.. AFAIK)
4) having a dhclient that runs chrooted..
- no patch provided.

best regards,

--
Miguel Sousa Filipe
--
gentoo-security [at] gentoo mailing list

7v5w7go9ub0o at gmail

Oct 9, 2006, 11:37 AM

Post #3 of 5 (593 views)
Permalink

Re: [gentoo-hardened] Securing dhcpcd (client) [In reply to]

On Mon, 09 Oct 2006 08:45:42 -0400, Miguel Figueiredo Mascarenhas Sousa
Filipe <miguel.filipe [at] gmail> wrote:

<snip>

> this patch seems to be for the dhcpd (that is, the dhcp server, not
> the client)..
> and its for dhcpd version 2, which is outdated.
> But there are other patches for this, for updated versions of dhcpd, see
> below.

Dang! Thank you...... I screwed up.

>

<snip>

>>
>
> So, there are 4 diferent issues here:
> 1) running the dhcp server chrooted (possible in gentoo today.. i'm
> running it chrooted)
> - no need for any patch
> 2) have dhcp server drop privileges. (privilege revocation)
> - the patch that you provided has this.. this part would be nice to
> integrate.
> - the are other patches for this...:
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain
> http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch
>
> IMHO, the owl patch looks better...
>
> btw, OpenWall also has a patch to replace sprintfs() for snprintfs()
> and the like...(bounds checking..)
>
> 3) have a dhclient that drops privileges
> - no patch provided, but a good request, and a wanted feature by me
> also...
> (ubuntu & debian seem to have a patch for this...)
> (openbsd dhclient does this.. AFAIK)
> 4) having a dhclient that runs chrooted..
> - no patch provided.

Miguel Figueiredo Mascarenhas Sousa Filipe,

THANK YOU - for your direct responses to my questions; for your analysis
of this matter; and for your research!

Given my lack of expertise, I'll work on a patch later, and in the short
term I'll automate the momentary use of the dhcpcd client in a hardened
jail to negotiate a connection; then record that information; then
terminate dhcpcd; then use the recorded info and ifconfig or iproute2 to
create a direct connection. A script or little C program.

Middle term, I'd like to use the dhcpd patch as a model for patching
dhcpcd - a learning exercise for this Winter. Should it work I'll post it
here or in security for further discussion.

I apologize if this seems over the top :-) . As a newbie, I'm not
confident that I've correctly installed/configured my OS, and therefor
want to err in favor of more caution. So I presently have everything that
is connected to the WAN ( and LAN in the case of WIFI hotspots) in a
hardened jail with no privileges (e.g. browser, mail client, TOR, socat,
wireshark, etc....... ). That would include dhcpcd (and IMHO dhcpd as well
were I running a server :-) ) .

(FWIW, I think great caution is necessary when using a laptop at a public
WIFI, given there is no separate gateway firewall, and given the hotspot
LANs are the new Wild West for kiddies - numerous new tools designed
specifically to attack WIFI LANs, APs, and users - for fun and profit. A
risky environment.)

Thanks Again! Roger

--
gentoo-security [at] gentoo mailing list

brian at braverock

Oct 9, 2006, 12:06 PM

Post #4 of 5 (597 views)
Permalink

Re: Re: [gentoo-hardened] Securing dhcpcd (client) [In reply to]

On Monday 09 October 2006 13:37, 7v5w7go9ub0o wrote:
> Given my lack of expertise, I'll work on a patch later, and in the
> short � term I'll automate the momentary use of the dhcpcd client in a
> hardened jail to negotiate a connection; then record that information;
> then terminate dhcpcd; then use the recorded info and ifconfig or
> iproute2 to create a direct connection. A script or little C program.

Why not just use one of the other clients?

pump drops privs

udhcp drops privs

it looks like dhclient can be configured to drop privs

Why go throught the trouble to use dhcpcd?

Regards,

- Brian

--
gentoo-security [at] gentoo mailing list

7v5w7go9ub0o at gmail

Oct 9, 2006, 12:49 PM

Post #5 of 5 (595 views)
Permalink

Re: Re: [gentoo-hardened] Securing dhcpcd (client) [In reply to]

On Mon, 09 Oct 2006 15:06:15 -0400, Brian G. Peterson
<brian [at] braverock> wrote:

> On Monday 09 October 2006 13:37, 7v5w7go9ub0o wrote:
>> Given my lack of expertise, I'll work on a patch later, and in the
>> short term I'll automate the momentary use of the dhcpcd client in a
>> hardened jail to negotiate a connection; then record that information;
>> then terminate dhcpcd; then use the recorded info and ifconfig or
>> iproute2 to create a direct connection. A script or little C program.
>
> Why not just use one of the other clients?
>
> pump drops privs
>
> udhcp drops privs
>
> it looks like dhclient can be configured to drop privs
>
> Why go throught the trouble to use dhcpcd?
>
> Regards,
>
> - Brian
>

Thanks for the follow up. I was following this page :

<http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?style=printable&part=4&chap=3#doc_chap3>

which describes pump as "No longer maintained upstream, unreliable,
especially over modems, cannot get NIS servers from DHCP",
describes udhcp as "Unproven - no distro uses it by default, cannot define
a timeout beyond 3 seconds ",
describes dhclient as "Configuration is overly complex, software is quite
bloated .........",
and (IIUC) recommends dhcpcd ("the longtime Gentoo default") over the
other alternatives.

Perhaps this handbook is out of date (unfortunately, the individual Gentoo
handbook pages have no dates)?

Would certainly appreciate a contemporary recommendation. :-) (I'll be
googling about looking for info on these other clients)

Thanks!

--
gentoo-security [at] gentoo mailing list

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads