On Fri, 29 Nov 2019 at 09:40, Roy Marples <r...@marples.name> wrote: > On 28/11/2019 22:50, Ben Woods wrote: > > It is not yet enabled by default until he gets more feedback from others > > that it is working ok. I intend to update the FreeBSD port to enable > > this feature (perhaps with a “-devel” port) to allow it to be tested > > more easily on FreeBSD. > > Please add it as a new port - don't want to affect any current dhcpcd > users with privsep issues. > > I've already fixed a few issues based some initial feedback, but there > is an outstanding issue where dhcpcd will occasionally hang when exiting. > > Roy >
Hi Roy, I have just added the new port net/dhcpcd-devel which uses the latest commit (273915d), and enables privilege separation. So far it seems to be working ok for me! Couple of comments / questions: 1. I have setup the low privileged user to be the existing FreeBSD user "_dhcp" [1]. Using a global CFLAG for this seems a bit clunky - it might be nicer if this could either be a configure option or a runtime option. 2. I have configured both /var/db/dhcpcd/ and /var/run/dhcpcd/ to have owner:group as _dhcp:_dhcp (the low privilege processes will have both read and write access to these folders). Is that correct? I note that the commit message referenced below [2] states read access is required to /var/db/dhcpcd/, but the text added to README.md states write access is required. 3. Can you please confirm the output below [3] looks right / matches your privilege separation design? [1] https://svnweb.freebsd.org/ports/head/net/dhcpcd-devel/Makefile?revision=518697&view=markup#l26 [2] https://roy.marples.name/cgit/dhcpcd.git/commit/?id=0e5bfa4eb22f7b6412d23b9548bf157f9fea88c2 [3] privilege separation output: # ps auxwwd | grep dhcpcd _dhcp 7652 0.0 0.0 12232 3012 - S 10:25 0:00.00 |-- dhcpcd: [master] [ip4] [ip6] (dhcpcd) root 7878 0.0 0.0 11724 2852 - S 10:25 0:00.00 | |-- dhcpcd: [privileged actioneer] (dhcpcd) _dhcp 10455 0.0 0.0 11724 2852 - S 10:25 0:00.00 | | `-- dhcpcd: [BPF ARP] wlan0 (dhcpcd) _dhcp 7903 0.0 0.0 11696 2844 - S 10:25 0:00.00 | `-- dhcpcd: [network proxy] (dhcpcd) # ls -lah /var/db/dhcpcd/ drwxr-xr-x 2 _dhcp _dhcp 3B Nov 30 10:28 . drwxr-xr-x 19 root wheel 34B Nov 30 10:28 .. -rw-r--r-- 1 _dhcp _dhcp 300B Nov 30 10:28 wlan0-mySSIDname.lease # ls -lah /var/run/dhcpcd/ drwxr-xr-x 3 _dhcp _dhcp 6B Nov 30 10:28 . drwxr-xr-x 20 root wheel 48B Nov 30 10:28 .. drwxr-xr-x 3 root _dhcp 3B Nov 30 10:28 hook-state -rw-r--r-- 1 _dhcp _dhcp 6B Nov 30 10:28 pid srw-rw---- 1 _dhcp _dhcp 0B Nov 30 10:28 sock srw-rw-rw- 1 _dhcp _dhcp 0B Nov 30 10:28 unpriv.sock # ls -lah /var/run/dhcpcd/hook-state/ drwxr-xr-x 3 root _dhcp 3B Nov 30 10:28 . drwxr-xr-x 3 _dhcp _dhcp 6B Nov 30 10:28 .. drwxr-xr-x 2 root _dhcp 2B Nov 30 10:28 ntp.conf # ls -lah /var/run/dhcpcd/hook-state/ntp.conf/ drwxr-xr-x 2 root _dhcp 2B Nov 30 10:28 . drwxr-xr-x 3 root _dhcp 3B Nov 30 10:28 .. Regards, Ben _______________________________________________ freebsd-net@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-net To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"
