Packaging dhcpcd for privsep
Ben Woods
Fri Apr 10 01:51:24 2020
Hi Roy,
I would like to package dhcpcd to work with privsep on FreeBSD:
- Unprivileged User: _dhcp
- DBDIR: /var/db/dhcpcd/
- RUNDIR: /var/run/dhcpcd/
Can you please advise:
1. Should the package create the 2 directories above, or should it be
left to the first run of dhcpcd to create them itself?
2. If dhcpcd is left to create these directories itself, why does it
create them owned by root instead of the unprivileged user? According to
the upgrading section of README.md, the unprivileged user needs write
access to DBDIR. Does it also need write access to RUNDIR?
3. Given the _dhcp user on FreeBSD has its home directory set to
/var/empty, what is required to correctly set up chroot?
4. Are there any other steps to set up the package for privsep correctly?
The only other things I am doing currently are:
- using the ./configure argument --privsepuser="_dhcp"
- ensuring any pidfiles created by the rc script are stored in the
/var/run/dhcpcd/ directory
Thanks for your guidance.
Background - Some recent commits I noticed that led to these questions:
Upgrading instructions for dhcpcd-9:
https://roy.marples.name/cgit/dhcpcd.git/tree/README.md?h=dhcpcd-9.0.0#n92
"Don't install /var/db/dhcpcd in the Makefile.
dhcpcd will create it in the right place by default."
https://roy.marples.name/cgit/dhcpcd.git/commit/?id=5f275b7bd1ed4d1f830b7a60ba253a98f7ef6127
"privsep: Refuse chroot if privsep users home dir is /var/empty
As we should not be filling it. This means we don't mess up a stock install
where the pkg admin hasn't setup privsep correctly."
https://roy.marples.name/cgit/dhcpcd.git/commit/?id=5ac1a5cd6fe054c5ece0de679d5294cfca797772
Regards,
Ben
--
From: Benjamin Woods
woodsb02@xxxxxxxxxxx