Date: Mon, 14 Oct 2019 22:59:40 +0000
From: Brooks Davis <brooks@freebsd.org>
To: Ben Woods <woodsb02@gmail.com>
Cc: Brooks Davis <brooks@freebsd.org>, "roy@marples.name" <roy@marples.name>, Hiroki Sato <hrs@freebsd.org>, driesm.michiels@gmail.com, freebsd-net@freebsd.org
Subject: Re: DHCPv6 client in base
Message-ID: <20191014225940.GA34287@spindle.one-eyed-alien.net>
In-Reply-To: <CAOc73CBffOK8QgsO8OUxhz1PCVdAmR9=UdZYQaq6B-FasWLSUA@mail.gmail.com>
References: <001e01d50b49$176104d0$46230e70$@gmail.com> <20190516.032012.517661495892269813.hrs@allbsd.org> <CAOc73CCLPmB7m3yaDE7p4izJ8apaO5jcyRPyLkSJtopqsHxtSQ@mail.gmail.com> <CAOc73CD5dAn95mMuzxeNKoJGxdmZF-ChYFm49tLdKca00OSv8w@mail.gmail.com> <20191011174520.GC53377@spindle.one-eyed-alien.net> <CAOc73CBffOK8QgsO8OUxhz1PCVdAmR9=UdZYQaq6B-FasWLSUA@mail.gmail.com>
On Tue, Oct 15, 2019 at 06:41:36AM +0800, Ben Woods wrote:
> On Sat, 12 Oct 2019 at 1:45 am, Brooks Davis <brooks@freebsd.org> wrote:
>
> > DHCP is one of the most exposed attack surfaces in existence. We expect
> > it to take input from explicitly untrustworthy networks and perform
> > actions as root. It might be OK to import this as a stopgap only
> > supporting IPv6, but without capsicum or privilege separation (as noted
> > elsewhere in the thread) it seems unlikely to be a good idea to enable it
> > by default or replace the existing IPv4 dhclient.
> >
> > -- Brooks
>
> Hi Brooks,
>
> Thanks for the feedback.
>
> Roy Marples (the main dhcpcd) has already begun working on privilege
> separating dhcpcd based on your feedback.
>
> Have you or Roy got any thoughts on how the privilege separation might be
> structured?
> - main process
> - network listener
> - packet interpreter
> - hook runner and scripts
>
> It's obviously the packet interpreter that is the risky part, but does not
> need privileges.
>
> FreeBSD has the "_dhcp" user which I assume could be used for running these
> low privilege tasks?

It's worth taking a look at the separation in the existing dhclient. They
have chosen to drop privilege in the main program and have a child which
retains privilege for sending packets, tweaking interface MTU, and running
the script.

> Roy is not intending to work on capsicum support in dhcpcd, but I think
> once the privilege separation has been done it will be easier to add that
> support.

The capsicum support in our client is pretty limited so that sounds like a
good approach.
--
Brooks
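The split Brooks describes (privilege dropped in the main program, a privileged child that only sends packets, sets the MTU and runs the script), as an added C sketch that is neither dhclient nor dhcpcd code. The `_dhcp` user, the `em0` interface name, the `/var/empty` chroot and the MTU bounds are assumptions; the point is that the privileged side accepts only fixed-size requests it can fully validate, while all packet parsing happens unprivileged.

```c
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

enum { REQ_SET_MTU = 1, REQ_RUN_SCRIPT = 2 };
/* Fixed-size request: no pointers, no lengths, nothing for root to parse. */
struct privreq { uint32_t type; char ifname[16]; uint32_t mtu; };

/* Privileged side: accept only a bounded request for the one interface
 * this instance was started on (assumed "em0"). Returns 1 if acceptable, else 0. */
int privreq_valid(const struct privreq *r, const char *bound_if)
{
    if (memchr(r->ifname, '\0', sizeof r->ifname) == NULL ||
        strcmp(r->ifname, bound_if) != 0)
        return 0;                            /* unterminated or foreign name */
    if (r->type == REQ_SET_MTU)
        return r->mtu >= 1280 && r->mtu <= 9000; /* IPv6 minimum .. jumbo (assumed) */
    return r->type == REQ_RUN_SCRIPT && r->mtu == 0; /* unused field must be zero */
}

/* Unprivileged side: drop to FreeBSD's _dhcp user (assumed present) inside an
 * empty chroot, keeping only the socketpair to the privileged child. 0 on success. */
int drop_to_dhcp_user(void)
{
    struct passwd *pw = getpwnam("_dhcp");
    if (pw == NULL || chroot("/var/empty") != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(1, &pw->pw_gid) != 0 || setgid(pw->pw_gid) != 0)
        return -1;
    return setuid(pw->pw_uid);
}

int main(void)
{
    int sv[2]; struct privreq r = { REQ_SET_MTU, "em0", 1500 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 1;
    if (fork() == 0) {                       /* privileged child: acts on requests */
        close(sv[0]);
        while (read(sv[1], &r, sizeof r) == (ssize_t)sizeof r)
            printf("child: request %s\n", privreq_valid(&r, "em0") ? "accepted" : "rejected");
        _exit(0);
    }
    close(sv[1]);                            /* parent: parses packets unprivileged */
    if (drop_to_dhcp_user() != 0) fprintf(stderr, "warning: still privileged\n");
    write(sv[0], &r, sizeof r); close(sv[0]);
    return wait(NULL) == -1;
}
```

Run as root the parent ends up as `_dhcp` in `/var/empty` and the child prints `child: request accepted`; run unprivileged it only warns, since the validation logic does not depend on the drop succeeding.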