https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=223327
Mark Johnston changed:
What|Removed |Added
Resolution|--- |FIXED
Status|Open
--- Comment #12 from commit-h...@freebsd.org ---
A commit references this bug:
Author: markj
Date: Mon Aug 6 16:22:02 UTC 2018
New revision: 337382
URL: https://svnweb.freebsd.org/changeset/base/337382
Log:
dhclient: Don't chroot if we
--- Comment #11 from Mark Johnston ---
I think that this represents the best compromise, and is relatively simple:
https://reviews.freebsd.org/D16584
--
You are receiving this mail because:
You are the assignee for the bug.
--- Comment #10 from Mark Johnston ---
(In reply to Ed Maste from comment #9)
In addition, how about we also keep dhclient pidfiles under /var/run/dhclient
so that dhclient doesn't have access to /var/run/* via the directory
descriptor?
--- Comment #9 from Ed Maste ---
(In reply to Mark Johnston from comment #4)
> I realize that this doesn't address the general problem, but what's
> the reason for chrooting in the first place now that dhclient runs
> in capability mode?
P
--- Comment #8 from Ed Maste ---
(In reply to Goran Mekić from comment #7)
> I would expect at least one more capsicumed app had the same problem?
I think dhclient may be the only program that uses all of pidfile, capsicum,
and chroot.
Ed Maste changed:
What|Removed |Added
Blocks||228911
CC|
Goran Mekić changed:
What|Removed |Added
CC||meka@tilda.center
--- Comment #7 fro
--- Comment #6 from Jilles Tjoelker ---
(In reply to Mark Johnston from comment #4)
Although the pidfile library retains the rights, dhclient itself does not:
around line 2435 of sbin/dhclient/dhclient.c it removes all rights from the
descr
--- Comment #5 from Mark Johnston ---
(In reply to Mark Johnston from comment #4)
Err, of course dhclient might run on a kernel compiled without capsicum
support.
--- Comment #4 from Mark Johnston ---
I realize that this doesn't address the general problem, but what's the reason
for chrooting in the first place now that dhclient runs in capability mode?
(In reply to Jilles Tjoelker from comment #2)
--- Comment #3 from Conrad Meyer ---
(In reply to Jilles Tjoelker from comment #2)
> In capability mode where ".." is disallowed, there is still full access to
> /var/run.
Nitpicking a little bit: .. *is* allowed in capability mode, as lon
Jilles Tjoelker changed:
What|Removed |Added
CC||jil...@freebsd.org
S
Kristof Provost changed:
What|Removed |Added
CC||c...@freebsd.org,
Mark Linimon changed:
What|Removed |Added
Keywords||patch
Bug ID: 223327
Summary: dhclient: close the pidfile before calling chroot(2)
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New