Re: Privilege separation
Roy Marples
Mon Jun 25 08:23:39 2018
On 23/06/2018 22:24, Roy Marples wrote:
On 21/06/2018 21:30, lists+dhcpcd@xxxxxxxx wrote:
Hello everyone, and thanks for your work on dhcpcd. I've been using it
on OpenBSD, and it works great with Comcast FWIW.
Glad you like it!
Is there any work being done to secure the daemon with privilege
separation, or at least not have it run as root (this last one probably
requires it due to routes being built/destroyed on most OS). Other
practices like chroot() might be nice, but I think not having the net
process running as the superuser is probably the best place to start.
I might be able to take a stab at it, but didn't know if work was
already underway.
No work has been done in this area.
I personally see it as too much work for too little gain.
If you wanted to make the listeners non super user and chrooted that's
probably do-able.
You would need one listener per interface because they come and go.
The INET sockets for it would need to be opened by the dhcpcd super user
process because it uses BPF.
INET6 is simpler here, we just need one listener to control them all.
The next step is message validation and this is probably the most
important.
This is trickier as dhcpcd first extracts basic stuff from the message it
needs - such as address and routing and builds up internal structures
from it. Then it adjusts the kernel as necessary before sending the full
message to functions to convert the contents to shell variables and
finally a script is called.
The easiest approach here would be to just skip the actual configuration
and running script in the listeners.
If this all works, then pass the original message back up to the dhcpcd
super user process and then let it handle it as normal.
All of this needs to be wrapped in #ifdef guards as well so it's
configurable. Similar to how wpa_supplicant handles this.
If you're willing to take a stab at it I'm willing to review and give
advice, but as I said earlier I personally see it as too much work for
too little gain.
Does anyone see any problems with this or think of a better way of doing it?
Now is probably a good time - dhcpcd-7.0 is pretty stable and I only
have one more feature left on my drawing board to implement - dhcp
anonymous profile support. Once that's done dhcpcd-7.0 will probably be
branched from trunk and enter maintenance mode as I have some fairly
invasive ideas to reduce code size more.
Roy
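Added example, not part of the thread and not dhcpcd code: a C sketch of the listener design described above, so the pieces (a chrooted, unprivileged listener that only validates the reply, and a root process that keeps every kernel change to itself) can be seen working end to end. The names dhcp_validate, drop_privs, privsep_listen and sample_offer, the AF_UNIX socketpair standing in for a BPF socket, the jail path /var/empty and uid 65534 are all this example's assumptions. The listener inherits the socket root opened across fork (one listener per interface, as suggested above) rather than receiving it over a control channel.

```c
/* Added example (not dhcpcd code) of the listener design sketched in the thread:
 * root forks a listener that inherits the socket root opened, chroots and drops
 * privileges, validates the DHCP reply and hands the raw bytes back up; kernel
 * changes stay in root. All names and the socketpair standing in for BPF are assumed. */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <grp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define DHCP_FIXED_LEN 236   /* op .. file, before the magic cookie */
#define DHCP_MAX 1500

/* Message type (option 53), or -1 if the message must not reach the root process:
 * bad op or hlen, no magic cookie, an option running past the buffer, or no END. */
int dhcp_validate(const uint8_t *m, size_t len)
{
    static const uint8_t cookie[4] = { 99, 130, 83, 99 };
    int type = -1;
    size_t i, olen;
    if (len < DHCP_FIXED_LEN + 4 || len > DHCP_MAX) return -1;
    if (m[0] != 2 || m[2] > 16) return -1;           /* BOOTREPLY, hlen fits chaddr */
    if (memcmp(m + DHCP_FIXED_LEN, cookie, 4) != 0) return -1;
    for (i = DHCP_FIXED_LEN + 4; i < len; i += olen) {
        uint8_t code = m[i++];
        olen = 0;
        if (code == 0) continue;                     /* PAD: single byte, no length */
        if (code == 255) return type;                /* END: still -1 if no type seen */
        if (i >= len) return -1;                     /* length byte missing */
        olen = m[i++];
        if (olen > len - i) return -1;               /* option overruns the buffer */
        if (code == 53) { if (olen != 1) return -1; type = m[i]; }
    }
    return -1;                                       /* ran off the end without END */
}

/* chroot and drop to an unprivileged uid/gid. A no-op when not root so the demo
 * also runs as a normal user; a real listener would refuse to continue instead. */
int drop_privs(const char *jail, uid_t uid, gid_t gid)
{
    if (getuid() != 0) return 0;
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    return (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0) ? -1 : 0;
}

/* Root side. wire is the packet that would arrive on the BPF socket; out receives
 * the copy the listener vetted. Returns its length, or -1 if the listener dropped it. */
ssize_t privsep_listen(const char *jail, uid_t uid, gid_t gid, const uint8_t *wire,
                       size_t wlen, uint8_t *out, size_t cap)
{
    int up[2], net[2], st;   /* up: listener -> root; net: stand-in for BPF */
    ssize_t n = -1;
    pid_t pid = -1;
    if (wlen == 0 || wlen > DHCP_MAX || socketpair(AF_UNIX, SOCK_STREAM, 0, up) != 0 ||
        socketpair(AF_UNIX, SOCK_DGRAM, 0, net) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {          /* listener: keeps only the inherited socket, loses root */
        uint8_t buf[DHCP_MAX]; int ok = 0;
        close(up[0]); close(net[0]);
        if (drop_privs(jail, uid, gid) == 0 && (n = read(net[1], buf, sizeof buf)) > 0 &&
            dhcp_validate(buf, (size_t)n) >= 0)
            ok = write(up[1], buf, (size_t)n) == n;  /* only vetted bytes go up */
        _exit(ok ? 0 : 1);   /* no script, no addresses, no routes touched here */
    }
    close(up[1]); close(net[1]);
    if (write(net[0], wire, wlen) == (ssize_t)wlen)   /* the reply "arrives" */
        n = read(up[0], out, cap);                    /* EOF: listener rejected it */
    close(up[0]); close(net[0]);
    waitpid(pid, &st, 0);
    return n > 0 ? n : -1;   /* root now parses out itself and configures the kernel */
}

/* Constructed sample: a DHCPOFFER carrying only the message-type option. */
size_t sample_offer(uint8_t *b)
{
    memset(b, 0, DHCP_FIXED_LEN);
    b[0] = 2; b[1] = 1; b[2] = 6;                /* BOOTREPLY, Ethernet, hlen 6 */
    memcpy(b + DHCP_FIXED_LEN, "\x63\x82\x53\x63", 4);
    b[240] = 53; b[241] = 1; b[242] = 2;         /* option 53 = DHCPOFFER */
    b[243] = 255;                                /* END */
    return 244;
}

int main(void)
{
    uint8_t pkt[DHCP_MAX], out[DHCP_MAX];
    size_t n = sample_offer(pkt);
    ssize_t got = privsep_listen("/var/empty", 65534, 65534, pkt, n, out, sizeof out);
    printf("listener passed %zd bytes up, type %d\n", got,
           got > 0 ? dhcp_validate(out, (size_t)got) : -1);
    return got > 0 ? 0 : 1;   /* jail path and uid 65534 (nobody) are assumptions */
}
```

The validator is deliberately the only thing the listener does with the bytes: it checks the fixed header, the magic cookie and that every option length stays inside the buffer, then the root process re-parses the same bytes itself rather than trusting structures built on the low-privilege side. Run as a normal user, drop_privs is skipped; run as root it chroots to /var/empty and switches to uid 65534 before the first read.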