[gentoo-security] Securing dhcpcd (client)

[gentoo-security] Securing dhcpcd (client)

[7v5w7go9ub0o]

It is my understanding that dhcpcd client requires root or a
privileged user. Am presently running dhcpcd in a chroot jail (ssp and
grsecurity-hardened kernel) as user root (ugh). (This is a laptop used
at hotspots, so I think I need to use dhcp).

Other distributions distribute dhcpcd with a "paranoia" patch incorporated

<http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch>

which allows the dropping of privilege and changing of user/group after startup.

Questions:

1 Does Gentoo have an "official" way to apply this patch.

2 Presuming that it doesn't, I guess that I'll ebuild unpack: patch
the source manually; ebuild merge !?

3. Are there other ways to deal with this potential vulnerability
(privileged process listening on an open port (68) )?  (e.g. using
selfdhcp and effecting a manual connection?)

TIA, newbie
-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Securing dhcpcd (client)

[Brian G. Peterson]

On Sunday 08 October 2006 16:26, 7v5w7go9ub0o wrote:
> It is my understanding that dhcpcd client requires root or a
> privileged user.

Standard gentoo net scripts offer multiple dhcp options, not all of them 
require maintaing root privileges.

Regards,

   - Brian
-- 
gentoo-security@gentoo.org mailing list

[gentoo-security] Re: Securing dhcpcd (client)

[7v5w7go9ub0o]

On Sun, 08 Oct 2006 18:51:01 -0400, Brian G. Peterson  
<brian@braverock.com> wrote:

> On Sunday 08 October 2006 16:26, 7v5w7go9ub0o wrote:
>> It is my understanding that dhcpcd client requires root or a
>> privileged user.
>
> Standard gentoo net scripts offer multiple dhcp options, not all of them
> require maintaing root privileges.
>
> Regards,
>
>    - Brian

Great!  Thanks for the reply!

Where do I get standard gentoo net scripts?

-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Securing dhcpcd (client)

[Brian G. Peterson]

On Sunday 08 October 2006 19:10, 7v5w7go9ub0o wrote:
> On Sun, 08 Oct 2006 18:51:01 -0400, Brian G. Peterson wrote:
> > On Sunday 08 October 2006 16:26, 7v5w7go9ub0o wrote:
> >> It is my understanding that dhcpcd client requires root or a
> >> privileged user.
> >
> > Standard gentoo net scripts offer multiple dhcp options, not all of
> > them require maintaing root privileges.
>
> Great!  Thanks for the reply!
>
> Where do I get standard gentoo net scripts?

Try looking at /etc/conf.d/net and all the options in there.

If you have an old or truncated net script, re-emerge sys-apps/baselayout

Regards,

   - Brian
-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Securing dhcpcd (client)

[Hemmann, Volker Armin]

On Monday 09 October 2006 02:10, 7v5w7go9ub0o wrote:
> On Sun, 08 Oct 2006 18:51:01 -0400, Brian G. Peterson
>
> <brian@braverock.com> wrote:
> > On Sunday 08 October 2006 16:26, 7v5w7go9ub0o wrote:
> >> It is my understanding that dhcpcd client requires root or a
> >> privileged user.
> >
> > Standard gentoo net scripts offer multiple dhcp options, not all of them
> > require maintaing root privileges.
> >
> > Regards,
> >
> >    - Brian
>
> Great!  Thanks for the reply!
>
> Where do I get standard gentoo net scripts?

you'll find them in /etc/conf.d
-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Securing dhcpcd (client)

[7v5w7go9ub0o]

On Sun, 08 Oct 2006 20:27:23 -0400, Brian G. Peterson  
<brian@braverock.com> wrote:

> On Sunday 08 October 2006 19:10, 7v5w7go9ub0o wrote:
>> On Sun, 08 Oct 2006 18:51:01 -0400, Brian G. Peterson wrote:
>> > On Sunday 08 October 2006 16:26, 7v5w7go9ub0o wrote:
>> >> It is my understanding that dhcpcd client requires root or a
>> >> privileged user.
>> >
>> > Standard gentoo net scripts offer multiple dhcp options, not all of
>> > them require maintaing root privileges.
>>
>> Great!  Thanks for the reply!
>>
>> Where do I get standard gentoo net scripts?
>
> Try looking at /etc/conf.d/net and all the options in there.
>
> If you have an old or truncated net script, re-emerge sys-apps/baselayout
>

Ah..... /etc/conf.d/net....... been there often. Sorry ... didn't know  
that it was
referred to as net scripts (duh).

I've looked through net and have found some interesting options for both
dhcpcd (e.g. dhcpcd_eth0="-t 10", which seems to be a dhcpcd command line  
parameter),  and for
"generic" dhcp (e.g.  dhcp_eth0="release nodns nontp nonis nogateway  
nosendhost")..

1. Have seen nothing that lowers dhcpcd privilege!?  What am I missing?  
(dhcpcd starts fine, but sits out there as a root process)

2. Where can I get a list of other "generic" dhcp commands, please.

Thanks for your (patient) help!  (newbie)

-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: Securing dhcpcd (client)

[Brian G. Peterson]

On Sunday 08 October 2006 20:24, 7v5w7go9ub0o wrote:
> 2. Where can I get a list of other "generic" dhcp commands

look here in /etc/conf.d/net:

#-----------------------------------------------------------------------------
# DHCP
# DHCP can be provided by dhcpcd, dhclient, udhcpc or pump
#
# dhclient: emerge net-misc/dhcp
# dhcpcd:   emerge net-misc/dhcpcd
# pump:     emerge net-misc/pump
# udhcpc:   emerge net-misc/udhcp

and then research your options and use something more appropriate to your 
needs than dhcpcd as your dhcp client.

Regards,

   - Brian
-- 
gentoo-security@gentoo.org mailing list

[gentoo-security] Re: [gentoo-hardened] Securing dhcpcd (client)

[Miguel Figueiredo Mascarenhas Sousa Filipe]

Hi,

On 10/8/06, 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> wrote:
> It is my understanding that dhcpcd client requires root or a
> privileged user. Am presently running dhcpcd in a chroot jail (ssp and
> grsecurity-hardened kernel) as user root (ugh). (This is a laptop used
> at hotspots, so I think I need to use dhcp).


Not all dhcp clients run has root.

in ubuntu linux, the dhclient is running with "daemon" user.
I haven't looked carefully how to acomplish this in gentoo.. but I will.


>
> Other distributions distribute dhcpcd with a "paranoia" patch incorporated
>
> <http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch>
>
> which allows the dropping of privilege and changing of user/group after startup.


It would be nice to have that integrated.


>
> Questions:
>
> 1 Does Gentoo have an "official" way to apply this patch.
>
> 2 Presuming that it doesn't, I guess that I'll ebuild unpack: patch
> the source manually; ebuild merge !?
>
> 3. Are there other ways to deal with this potential vulnerability
> (privileged process listening on an open port (68) )?  (e.g. using
> selfdhcp and effecting a manual connection?)
>

privilege revocation/separation on the aplication in case seems the better way.

> TIA, newbie
> --
> gentoo-hardened@gentoo.org mailing list
>

Best regards,


-- 
Miguel Sousa Filipe
-- 
gentoo-security@gentoo.org mailing list

[gentoo-security] Re: [gentoo-hardened] Securing dhcpcd (client)

[Miguel Figueiredo Mascarenhas Sousa Filipe]

Hi all,

Disregards my previous email,

On 10/8/06, 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> wrote:
> It is my understanding that dhcpcd client requires root or a
> privileged user. Am presently running dhcpcd in a chroot jail (ssp and
> grsecurity-hardened kernel) as user root (ugh). (This is a laptop used
> at hotspots, so I think I need to use dhcp).
>
> Other distributions distribute dhcpcd with a "paranoia" patch incorporated
>
> <http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch>
>
> which allows the dropping of privilege and changing of user/group after startup.
>

this patch seems to be for the dhcpd (that is, the dhcp server, not
the client)..
and its for dhcpd version 2, which is outdated.
But there are other patches for this, for updated versions of dhcpd, see below.


> Questions:
>
> 1 Does Gentoo have an "official" way to apply this patch.

Gentoo does have a way to run dhcpd (v3) chrooted.
And the chroot is done outside the application (userland/setup).
(IIRC, there's a chroot setup option in /etc/conf.d/dhcp)

But, has far has I know, it doesn't drop privileges.

>
> 2 Presuming that it doesn't, I guess that I'll ebuild unpack: patch
> the source manually; ebuild merge !?
>
> 3. Are there other ways to deal with this potential vulnerability
> (privileged process listening on an open port (68) )?  (e.g. using
> selfdhcp and effecting a manual connection?)
>
> TIA, newbie
> --
> gentoo-hardened@gentoo.org mailing list
>
>

So, there are 4 diferent issues here:
1) running the dhcp server chrooted (possible in gentoo today.. i'm
running it chrooted)
 - no need for any patch
2) have dhcp server drop privileges. (privilege revocation)
 - the patch that you provided has this.. this part would be nice to integrate.
 - the are other patches for this...:
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain
http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch

IMHO, the owl patch looks better...

btw, OpenWall also has a patch to replace sprintfs() for snprintfs()
and the like...(bounds checking..)

3) have a dhclient that drops privileges
- no patch provided, but a good request, and a wanted feature by me also...
  (ubuntu & debian seem to have a patch for this...)
  (openbsd dhclient does this.. AFAIK)
4) having a dhclient that runs chrooted..
- no patch provided.

best regards,


-- 
Miguel Sousa Filipe
-- 
gentoo-security@gentoo.org mailing list

[gentoo-security] Re: [gentoo-hardened] Securing dhcpcd (client)

[7v5w7go9ub0o]

On Mon, 09 Oct 2006 08:45:42 -0400, Miguel Figueiredo Mascarenhas Sousa  
Filipe <miguel.filipe@gmail.com> wrote:

<snip>

> this patch seems to be for the dhcpd (that is, the dhcp server, not
> the client)..
> and its for dhcpd version 2, which is outdated.
> But there are other patches for this, for updated versions of dhcpd, see  
> below.

Dang! Thank you...... I screwed up.

>


<snip>


>>
>
> So, there are 4 diferent issues here:
> 1) running the dhcp server chrooted (possible in gentoo today.. i'm
> running it chrooted)
>  - no need for any patch
> 2) have dhcp server drop privileges. (privilege revocation)
>  - the patch that you provided has this.. this part would be nice to  
> integrate.
>  - the are other patches for this...:
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/dhcp/dhcp-3.0.4-owl-drop-root.diff?rev=1.1;content-type=text%2Fplain
> http://www.episec.com/people/edelkind/patches/dhcp/dhcp-3.0+paranoia.patch
>
> IMHO, the owl patch looks better...
>
> btw, OpenWall also has a patch to replace sprintfs() for snprintfs()
> and the like...(bounds checking..)
>
> 3) have a dhclient that drops privileges
> - no patch provided, but a good request, and a wanted feature by me  
> also...
>   (ubuntu & debian seem to have a patch for this...)
>   (openbsd dhclient does this.. AFAIK)
> 4) having a dhclient that runs chrooted..
> - no patch provided.

Miguel Figueiredo Mascarenhas Sousa Filipe,

THANK YOU - for your direct responses to my questions; for your analysis  
of  this matter; and for your research!

Given my lack of expertise, I'll work on a patch later, and in the short  
term I'll automate the momentary use of the dhcpcd client in a hardened  
jail to negotiate a connection; then record that information; then  
terminate dhcpcd; then use the recorded info and ifconfig or iproute2 to  
create a direct connection. A script or little C program.

Middle term, I'd like to use the dhcpd patch as a model for patching  
dhcpcd - a learning exercise for this Winter. Should it work I'll post it  
here or in security for further discussion.

I apologize if this seems over the top :-) . As a newbie, I'm not  
confident that I've correctly installed/configured my OS, and therefor  
want to err in favor of more caution. So I presently have everything that  
is connected to the WAN ( and LAN in the case of WIFI hotspots) in a  
hardened jail with no privileges (e.g. browser, mail client, TOR, socat,  
wireshark, etc....... ). That would include dhcpcd (and IMHO dhcpd as well  
were I running a server :-) ) .

(FWIW, I think great caution is necessary when using a laptop at a public  
WIFI, given there is no separate gateway firewall, and given the hotspot  
LANs are the new Wild West for kiddies - numerous new tools designed  
specifically to attack WIFI LANs, APs, and users - for fun and profit. A  
risky environment.)

Thanks Again! Roger

-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: [gentoo-hardened] Securing dhcpcd (client)

[Brian G. Peterson]

On Monday 09 October 2006 13:37, 7v5w7go9ub0o wrote:
> Given my lack of expertise, I'll work on a patch later, and in the
> short   term I'll automate the momentary use of the dhcpcd client in a
> hardened jail to negotiate a connection; then record that information;
> then terminate dhcpcd; then use the recorded info and ifconfig or
> iproute2 to create a direct connection. A script or little C program.

Why not just use one of the other clients?

pump drops privs

udhcp drops privs

it looks like dhclient can be configured to drop privs

Why go throught the trouble to use dhcpcd?

Regards,

   - Brian

-- 
gentoo-security@gentoo.org mailing list

Re: [gentoo-security] Re: [gentoo-hardened] Securing dhcpcd (client)

[7v5w7go9ub0o]

On Mon, 09 Oct 2006 15:06:15 -0400, Brian G. Peterson  
<brian@braverock.com> wrote:

> On Monday 09 October 2006 13:37, 7v5w7go9ub0o wrote:
>> Given my lack of expertise, I'll work on a patch later, and in the
>> short   term I'll automate the momentary use of the dhcpcd client in a
>> hardened jail to negotiate a connection; then record that information;
>> then terminate dhcpcd; then use the recorded info and ifconfig or
>> iproute2 to create a direct connection. A script or little C program.
>
> Why not just use one of the other clients?
>
> pump drops privs
>
> udhcp drops privs
>
> it looks like dhclient can be configured to drop privs
>
> Why go throught the trouble to use dhcpcd?
>
> Regards,
>
>    - Brian
>

Thanks for the follow up.  I was following this page :

<http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?style=printable&part=4&chap=3#doc_chap3>

which describes pump as "No longer maintained upstream, unreliable,  
especially over modems, cannot get NIS servers from DHCP",
describes udhcp as "Unproven - no distro uses it by default, cannot define  
a timeout beyond 3 seconds ",
describes dhclient as "Configuration is overly complex, software is quite  
bloated .........",
and (IIUC) recommends dhcpcd ("the longtime Gentoo default") over the  
other alternatives.

Perhaps this handbook is out of date (unfortunately, the individual Gentoo  
handbook pages have no dates)?

Would certainly appreciate a contemporary recommendation. :-) (I'll be  
googling about looking for info on these other clients)

Thanks!

-- 
gentoo-security@gentoo.org mailing list