On Sat, 12 Oct 2019 at 1:45 am, Brooks Davis <bro...@freebsd.org> wrote:
> DHCP is one of the most exposed attack surfaces in existence. We expect
> it to take input from explicitly untrustworthy networks and perform
> actions as root. It might be OK to import this as a stopgap only
> supporting IPv6, but without capsicum or privilege separation (as noted
> elsewhere in the thread) it seems unlikely to be a good idea to enable it
> by default or replace the existing IPv4 dhclient.
>
> -- Brooks
>

Hi Brooks,

Thanks for the feedback. Roy Marples (the main dhcpcd) has already begun working on privilege separating dhcpcd based on your feedback.

Have you or Roy got any thoughts on how the privilege separation might be structured?

- main process
- network listener
- packet interpreter
- hook runner and scripts

It's obviously the packet interpreter that is the risky part, but does not need privileges. FreeBSD has the "_dhcp" user which I assume could be used for running these low privilege tasks?

Roy is not intending to work on capsicum support in dhcpcd, but I think once the privilege separation has been done it will be easier to add that support.

Regards,
Ben

--
From: Benjamin Woods woods...@gmail.com

_______________________________________________
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net
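The split Ben sketches (a privileged main process, an unprivileged packet interpreter, only parsed fields crossing the boundary) in the smallest runnable form, as an added example that is not dhcpcd's code: the parent forks a child that drops to the `_dhcp` account (looked up at run time; a constructed fallback uid/gid of 65534 is assumed when the account does not exist), parses a DHCPv6 fixed header from a constructed buffer, and hands back only the result over a pipe.

```c
/* Added privilege-separation sketch (not dhcpcd code). The parser runs in a
 * child that has dropped to an unprivileged uid; the parent reads one
 * fixed-size struct back and never touches the untrusted bytes itself. */
#define _DEFAULT_SOURCE 1
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <sys/wait.h>
#include <unistd.h>

struct dhcp6_hdr { uint8_t msg_type; uint32_t xid; }; /* DHCPv6 fixed header */

/* Drop to the _dhcp account (constructed fallback: uid/gid 65534) when root;
 * a no-op when the process is already unprivileged. Fails closed. */
static int drop_privs(void) {
    if (geteuid() != 0) return 0;
    struct passwd *pw = getpwnam("_dhcp");
    uid_t uid = pw ? pw->pw_uid : 65534;
    gid_t gid = pw ? pw->pw_gid : 65534;
    if (setgroups(0, NULL) || setgid(gid) || setuid(uid)) return -1;
    return setuid(0) == 0 ? -1 : 0;  /* regaining root means the drop failed */
}

/* The untrusted work: 1-byte msg-type followed by a 24-bit transaction id. */
static int parse_dhcp6(const uint8_t *p, size_t n, struct dhcp6_hdr *h) {
    if (n < 4) return -1;
    h->msg_type = p[0];
    h->xid = ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return 0;
}

/* Parent side: fork, let the child drop privileges and parse, read the result. */
int parse_in_sandbox(const uint8_t *pkt, size_t n, struct dhcp6_hdr *out) {
    int fd[2];
    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                    /* child: no privileges from here on */
        close(fd[0]);
        struct dhcp6_hdr h = {0};
        int rc = drop_privs() == 0 ? parse_dhcp6(pkt, n, &h) : -1;
        if (rc == 0 && write(fd[1], &h, sizeof h) != (ssize_t)sizeof h) rc = -1;
        _exit(rc == 0 ? 0 : 1);
    }
    close(fd[1]);
    ssize_t got = read(fd[0], out, sizeof *out);   /* EOF if the child failed */
    close(fd[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return (got == (ssize_t)sizeof *out && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Constructed sample: a DHCPv6 SOLICIT (type 1) with xid 0xabcdef; returns the
 * parsed xid or 0 when the sandboxed parse rejects the (possibly truncated) input. */
static const uint8_t SAMPLE_SOLICIT[] = {0x01, 0xab, 0xcd, 0xef};
uint32_t sample_xid(size_t n) {
    struct dhcp6_hdr h = {0};
    if (n > sizeof SAMPLE_SOLICIT) n = sizeof SAMPLE_SOLICIT;
    return parse_in_sandbox(SAMPLE_SOLICIT, n, &h) == 0 ? h.xid : 0;
}
```

A truncated packet makes the child exit non-zero without writing, so the parent sees EOF and reports failure instead of consuming partial data.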