On Tue, Oct 15, 2019 at 06:41:36AM +0800, Ben Woods wrote:
> On Sat, 12 Oct 2019 at 1:45 am, Brooks Davis <bro...@freebsd.org> wrote:
>
> > DHCP is one of the most exposed attack surfaces in existence. We expect
> > it to take input from explicitly untrustworthy networks and perform
> > actions as root. It might be OK to import this as a stopgap only
> > supporting IPv6, but without capsicum or privilege separation (as noted
> > elsewhere in the thread) it seems unlikely to be a good idea to enable it
> > by default or replace the existing IPv4 dhclient.
> >
> > -- Brooks
>
> Hi Brooks,
>
> Thanks for the feedback.
>
> Roy Marples (the main dhcpcd) has already begun working on privilege
> separating dhcpcd based on your feedback.
>
> Have you or Roy got any thoughts on how the privilege separation might be
> structured?
> - main process
> - network listener
> - packet interpreter
> - hook runner and scripts
>
> It's obviously the packet interpreter that is the risky part, but does not
> need privileges.
>
> FreeBSD has the "_dhcp" user which I assume could be used for running
> these low privilege tasks?
It's worth taking a look at the separation in the existing dhclient.
They have chosen to drop privilege in the main program and have a child
which retains privilege for sending packets, tweaking interface MTU, and
running the script.

> Roy is not intending to work on capsicum support in dhcpcd, but I think
> once the privilege separation has been done it will be easier to add that
> support.

The capsicum support in our client is pretty limited so that sounds like
a good approach.

-- Brooks
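An added example, not code from dhclient or dhcpcd, of the split Brooks describes: the main process drops privilege (and on FreeBSD enters capability mode) before touching packet bytes, while a forked child keeps privilege and answers a small fixed set of requests over a socketpair. The request layout, the function names, the 576..9000 MTU bounds and the sample option bytes are assumptions made for the illustration.

```c
/* Added example (not dhclient/dhcpcd code): privilege-separation skeleton.
 * Parent: unprivileged, parses untrusted DHCP options, asks the child for
 * privileged actions. Child: privileged, honours only whitelisted requests.
 * Names, request layout and sample bytes are assumptions for illustration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

enum priv_type { PRIV_SET_MTU = 1, PRIV_RUN_SCRIPT = 2 };

struct priv_req {              /* fixed size: nothing variable-length to mis-parse */
    uint32_t type;
    uint32_t ifindex;
    uint32_t mtu;              /* PRIV_SET_MTU only */
};

/* Privileged side: accept only known request types with sane arguments.
 * Anything else may come from a compromised parent and is refused. */
int priv_validate(const struct priv_req *r)
{
    switch (r->type) {
    case PRIV_SET_MTU:
        return (r->ifindex != 0 && r->mtu >= 576 && r->mtu <= 9000) ? 0 : -1;
    case PRIV_RUN_SCRIPT:
        return r->ifindex != 0 ? 0 : -1;
    default:
        return -1;
    }
}

/* Unprivileged side: bounds-checked lookup of one RFC 2132 option (code, len,
 * value) in a DHCP options field. Returns the option length, or -1 when the
 * option is absent or a length byte would run past the end of the buffer. */
int dhcp_find_option(const uint8_t *opts, size_t len, uint8_t code, const uint8_t **val)
{
    for (size_t i = 0; i < len; ) {
        uint8_t c = opts[i];
        if (c == 255) return -1;               /* END */
        if (c == 0) { i++; continue; }         /* PAD carries no length byte */
        if (i + 1 >= len) return -1;           /* truncated before the length */
        uint8_t l = opts[i + 1];
        if (i + 2 + l > len) return -1;        /* value would overrun the buffer */
        if (c == code) { *val = opts + i + 2; return l; }
        i += 2 + l;
    }
    return -1;
}

/* Unprivileged side: turn option 26 (Interface MTU) into a request. */
int build_mtu_request(const uint8_t *opts, size_t len, uint32_t ifindex, struct priv_req *out)
{
    const uint8_t *v;
    if (dhcp_find_option(opts, len, 26, &v) != 2) return -1;
    out->type = PRIV_SET_MTU;
    out->ifindex = ifindex;
    out->mtu = (uint32_t)v[0] << 8 | v[1];
    return 0;
}

/* Drop to uid/gid and check root cannot be regained; no-op when not root.
 * A real implementation also clears supplementary groups with setgroups(). */
static int drop_privs(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) return 0;
    if (setgid(gid) == -1 || setuid(uid) == -1) return -1;
    return setuid(0) == 0 ? -1 : 0;
}

/* Fork a privileged child, drop privilege in the parent, send one request.
 * Returns the child's verdict (0 honoured, -1 refused) or -2 on error. */
int privsep_roundtrip(const struct priv_req *req, uid_t uid, gid_t gid)
{
    int sv[2];
    int32_t verdict = -2;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -2;
    pid_t pid = fork();
    if (pid == -1) return -2;
    if (pid == 0) {                            /* privileged child */
        struct priv_req r;
        close(sv[0]);
        if (read(sv[1], &r, sizeof r) == (ssize_t)sizeof r)
            verdict = priv_validate(&r);       /* real code would ioctl/exec here */
        _exit(write(sv[1], &verdict, sizeof verdict) == -1);
    }
    close(sv[1]);                              /* unprivileged parent */
    if (drop_privs(uid, gid) == -1) return -2;
#ifdef __FreeBSD__
    if (cap_enter() == -1 && errno != ENOSYS) return -2;  /* only sv[0] and stdio stay reachable */
#endif
    if (write(sv[0], req, sizeof *req) != (ssize_t)sizeof *req ||
        read(sv[0], &verdict, sizeof verdict) != (ssize_t)sizeof verdict)
        verdict = -2;
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return verdict;
}

int main(void)
{
    /* Constructed options: type 53 = OFFER, option 26 = 1500, END. Not a capture. */
    static const uint8_t opts[] = { 53, 1, 2, 26, 2, 0x05, 0xdc, 255 };
    struct priv_req req;
    if (build_mtu_request(opts, sizeof opts, 1, &req) == -1) return 1;
    printf("set mtu %u: %s\n", req.mtu, privsep_roundtrip(&req, 65534, 65534) == 0 ? "honoured" : "refused");
    req.type = 99;                             /* a compromised parent trying something else */
    printf("type 99: %s\n", privsep_roundtrip(&req, 65534, 65534) == 0 ? "honoured" : "refused");
    return 0;
}
```

The point of the shape is that the code which reads bytes off the network never holds privilege, and the code which holds privilege never parses anything more complicated than a fixed-size struct with a type it can switch on. The script runner (PRIV_RUN_SCRIPT) lives on the privileged side for the same reason the MTU change does; what it must not do is take the script path or environment verbatim from the parent. 65534 stands in for the _dhcp uid/gid; look the real ones up with getpwnam() rather than hard-coding them.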