Debian Bug report logs - #308832
dhcp3-server: Please do not run the server as root

Package: dhcp3-server; Maintainer for dhcp3-server is Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>;

Reported by: Martin Pitt <mpitt@debian.org>

Date: Thu, 12 May 2005 16:18:02 UTC

Severity: wishlist

Tags: patch, security

Forwarded to dhcp-bugs@isc.org



Report forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#308832; Package dhcp3-server. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
New Bug report received and forwarded. Copy sent to peloy@debian.org (Eloy A. Paris). Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: dhcp3-server: Please do not run the server as root
Date: Thu, 12 May 2005 18:03:06 +0200
[Message part 1 (text/plain, inline)]
Package: dhcp3-server
Severity: wishlist
Tags: security patch

Hi!

dhcpd currently runs as root, which is much more than necessary. To
confine the impact of security holes, I minimized the privileges of
the server to a minimum: it runs as a normal user "dhcpd" now and only
uses CAP_NET_RAW and CAP_NET_BIND_SERVICE capabilities for the
initialization phase, and completely drops kernel capabilities when
running.

The patch is at 

  http://patches.ubuntu.com/patches/dhcp3.deroot-server.diff

I separated out the function for privilege dropping since it can be
reused to deroot the server (I'll file that as a separate bug).

Would you consider applying this in Debian?

Thanks and have a nice day!

Martin


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages dhcp3-server depends on:
ii  debconf                     1.4.30.13    Debian configuration management sy
ii  debianutils                 2.8.4        Miscellaneous utilities specific t
pn  dhcp3-common                             Not found.
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#308832; Package dhcp3-server. Full text and rfc822 format available.

Acknowledgement sent to Andrew Pollock <apollock@debian.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris). Full text and rfc822 format available.

Message #10 received at 308832@bugs.debian.org (full text, mbox):

From: Andrew Pollock <apollock@debian.org>
To: Martin Pitt <mpitt@debian.org>, 308832@bugs.debian.org
Subject: Re: Bug#308832: dhcp3-server: Please do not run the server as root
Date: Fri, 13 May 2005 09:41:59 +1000
On Thu, May 12, 2005 at 06:03:06PM +0200, Martin Pitt wrote:
> Package: dhcp3-server
> Severity: wishlist
> Tags: security patch
> 
> Hi!
> 
> dhcpd currently runs as root, which is much more than necessary. To
> confine the impact of security holes, I minimized the privileges of
> the server to a minimum: it runs as a normal user "dhcpd" now and only
> uses CAP_NET_RAW and CAP_NET_BIND_SERVICE capabilities for the
> initialization phase, and completely drops kernel capabilities when
> running.
> 
> The patch is at 
> 
>   http://patches.ubuntu.com/patches/dhcp3.deroot-server.diff
> 
> I separated out the function for privilege dropping since it can be
> reused to deroot the server (I'll file that as a separate bug).
> 
> Would you consider applying this in Debian?
> 
> Thanks and have a nice day!
> 

Hi Martin,

Very cool. I will attempt to feed this to upstream, and will look at
applying it to Debian. I'm planning on having a major fiddle with dhcp3
after Sarge releases.

regards

Andrew



Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#308832; Package dhcp3-server. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris). Full text and rfc822 format available.

Message #15 received at 308832@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: Andrew Pollock <apollock@debian.org>
Cc: 308832@bugs.debian.org
Subject: Re: Bug#308832: dhcp3-server: Please do not run the server as root
Date: Fri, 13 May 2005 09:13:17 +0200
[Message part 1 (text/plain, inline)]
Hi!

Andrew Pollock [2005-05-13  9:41 +1000]:
> Very cool. I will attempt to feed this to upstream, and will look at
> applying it to Debian. I'm planning on having a major fiddle with dhcp3
> after Sarge releases.

Nice to hear! For upstream adoption it is probably required to invest
a bit more work; in particular the "dhcp" and "dhcpd" users certainly
shouldn't be hardcoded in the patch, but specified at build time (if
left empty, derooting wouldn't take place, this can be checked with
an #ifdef around drop_privileges).

If upstream generally likes the idea, I'd be willing to refine the
patch, please feel free to contact me.

Thanks and have a nice day!

Martin

P.S. Congratulations on being the first DD who actually replied to one
of my numerous patches (http://wiki.ubuntu.com/DerootificationStatus). :-)

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#308832; Package dhcp3-server. Full text and rfc822 format available.

Acknowledgement sent to Andrew Pollock <apollock@debian.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris). Full text and rfc822 format available.

Message #20 received at 308832@bugs.debian.org (full text, mbox):

From: Andrew Pollock <apollock@debian.org>
To: Martin Pitt <mpitt@debian.org>
Cc: 308832@bugs.debian.org
Subject: Re: Bug#308832: dhcp3-server: Please do not run the server as root
Date: Fri, 13 May 2005 17:20:14 +1000
On Fri, May 13, 2005 at 09:13:17AM +0200, Martin Pitt wrote:
> Hi!
> 
> Andrew Pollock [2005-05-13  9:41 +1000]:
> > Very cool. I will attempt to feed this to upstream, and will look at
> > applying it to Debian. I'm planning on having a major fiddle with dhcp3
> > after Sarge releases.
> 
> Nice to hear! For upstream adoption it is probably required to invest
> a bit more work; in particular the "dhcp" and "dhcpd" users certainly
> shouldn't be hardcoded in the patch, but specified at build time (if
> left empty, derooting wouldn't take place, this can be checked with
> an #ifdef around drop_privileges).
> 
> If upstream generally likes the idea, I'd be willing to refine the
> patch, please feel free to contact me.

What I'll do is get a discussion happening on the upstream mailing list, but
I'll refer stuff on to you for enhancements.
 
> Thanks and have a nice day!
> 
> Martin
> 
> P.S. Congratulations for being the first DD who actually replied to one 
> of my numerous patches (http://wiki.ubuntu.com/DerootificationStatus). :-)
> 

Heh. Cool :-)



Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#308832; Package dhcp3-server. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris). Full text and rfc822 format available.

Message #25 received at 308832@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: "David W. Hankins" <David_Hankins@isc.org>
Cc: dhcp-hackers@isc.org, mpitt@debian.org, 308833@bugs.debian.org, 308832@bugs.debian.org
Subject: Re: Not running the server as root
Date: Tue, 17 May 2005 17:56:20 +0200
[Message part 1 (text/plain, inline)]
Hi!

David W. Hankins [2005-05-17  8:39 -0700]:
> On Tue, May 17, 2005 at 09:57:20PM +1000, Andrew Pollock wrote:
> > Details on the patch can be found at
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=308832
> 
> On first glance, the patches as presently distributed in FreeBSD /usr/ports
> look to me to be more complete (not the least of which is due to including
> a chroot() and jail() implementation).

Interesting, I'll take a look at them. However, a chroot in Linux is not
very efficient when it is meant to improve security (unless you are
using grsecurity or similar)---chrooted processes that run as root can
easily break out of the chroot, and processes which do not run as root
cannot do much harm anyway; thus I'm rather aiming for letting
processes run as root instead of chrooting them.

> I think the 'capability' flag setting is overhead.  We never open new
> sockets after initialization - so long as you put the setuid calls after
> configuration parsing (which you should do anyway since these should be
> config-file configurable) there's no need for those capabilities.

Right, for the server it might be a little exaggerated, but since the
function is already there it does not do much harm to immediately drop
capabilities which are never needed. Please note that the patch works
fine on kernels which don't support capabilities, in that case the
privileges are not reduced.

Kernel capabilities are mainly important for dhclient, which I
derooted as well:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=308833

In that case they really make sense because dhclient needs them not
only in an initialization phase, but throughout lifetime.

> We're looking very closely at the FreeBSD ports changes, and these features
> are definitely something that 'must' appear in a 3.1 release.
> 
> You'd have to ask the ports maintainer, but I assume you would be most
> welcome to include their changes in whatever upcoming debian releases.

I'll ask them and take a look at their patches.

> As it stands, these changes in ports represent a fork of our software, and
> it would be good if the number of forks remained a relatively low number
> until we can get a feature release out to address them.

Right, that's why this stuff should eventually go upstream. The only
problem that I see is the variety of methods to restrict daemons --
one uses normal users with additional kernel capabilities in Linux,
and apparently jail() in FreeBSD. This should be resolvable with some
#ifdef'ed code, but it is certainly not very nice. (Things are so much
easier if you just maintain a patch for a particular distro :-) )

The current patches are not perfect anyway since they have too much
hardcoded stuff in them. I can make them more upstream-friendly if you
are generally interested in them.

Thanks for considering and have a nice day!

Martin
-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org
[signature.asc (application/pgp-signature, inline)]
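As an added example (my own code, not Martin's patch or anything from ISC), the two-step derooting sequence the report describes and the thread above debates: after the configuration is parsed, switch to the unprivileged "dhcpd" user keeping only CAP_NET_RAW and CAP_NET_BIND_SERVICE for initialization, then drop every capability once the sockets are open. Only drop_privileges and the "dhcpd" user name come from the thread; set_caps, effective_caps, dhcpd_init_caps and drop_all_capabilities are names assumed here, and the raw Linux capget/capset syscalls are used so that libcap is not required.

```c
/* Added example, not the patch from this bug report. Linux only; names other
 * than drop_privileges() and the "dhcpd" user are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/capability.h>

typedef struct __user_cap_header_struct cap_hdr_t;
typedef struct __user_cap_data_struct cap_data_t;

/* The two capabilities the server needs only while initializing: raw
 * sockets (CAP_NET_RAW) and binding UDP port 67 (CAP_NET_BIND_SERVICE).
 * Both live in the low 32 bits, i.e. data[0] of a V3 capability set. */
uint32_t dhcpd_init_caps(void)
{
    return (1u << CAP_NET_RAW) | (1u << CAP_NET_BIND_SERVICE);
}

/* Make permitted == effective == mask and clear inheritable; 0 on success. */
int set_caps(uint32_t mask)
{
    cap_hdr_t hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    cap_data_t data[2];
    memset(data, 0, sizeof data);
    data[0].effective = data[0].permitted = mask;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Current effective mask (low 32 bits), or UINT32_MAX if capget fails. */
uint32_t effective_caps(void)
{
    cap_hdr_t hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    cap_data_t data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return UINT32_MAX;
    return data[0].effective;
}

/* Step 1, run once the configuration has been parsed but before the sockets
 * are opened: become `user` and keep only the capabilities in `keep`.
 * Returns 0 on success, -1 (errno set) on failure; nothing is changed if
 * the user does not exist. */
int drop_privileges(const char *user, uint32_t keep)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) {
        errno = ENOENT;
        return -1;
    }
    /* Without KEEPCAPS the kernel clears every capability on setuid(!=0). */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -1;
    /* Supplementary groups and gid first: they need privilege that is gone
     * after setuid(). */
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 ||
        setuid(pw->pw_uid) != 0)
        return -1;
    /* setuid() keeps the permitted set but empties the effective set, so
     * re-raise exactly `keep` (and shrink permitted to the same mask). */
    if (set_caps(keep) != 0)
        return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

/* Step 2, after the listening sockets exist: give up what is left. Shrinking
 * the capability sets never needs privilege, so this also succeeds for a
 * process that never had any. */
int drop_all_capabilities(void)
{
    return set_caps(0);
}

int main(void)
{
    /* Only root can change user; an unprivileged run still drops caps. */
    if (geteuid() == 0 && drop_privileges("dhcpd", dhcpd_init_caps()) != 0) {
        perror("drop_privileges");
        return 1;
    }
    /* ... open the raw and UDP sockets here, then: */
    if (drop_all_capabilities() != 0) {
        perror("drop_all_capabilities");
        return 1;
    }
    printf("uid=%u effective caps=0x%08x\n", (unsigned)geteuid(), effective_caps());
    return 0;
}
```

On a kernel without capability support the capset calls fail, which matches the report's note that the patch then simply leaves privileges unreduced; a real daemon would log that rather than abort.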

Noted your statement that Bug has been forwarded to dhcp-hackers@isc.org. Request was from Andrew Pollock <apollock@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Message #28 received at 308832-forwarded@bugs.debian.org (full text, mbox):

From: Andrew Pollock <apollock@debian.org>
To: dhcp-bugs@isc.org
Cc: mpitt@debian.org, 308832-forwarded@bugs.debian.org
Subject: dhcp3-server: Please do not run the server as root
Date: Mon, 14 Jan 2008 20:48:14 -0800
[Message part 1 (text/plain, inline)]
Hello,

This bug was received some time ago, and I forwarded it on to
dhcp-hackers, because I wasn't aware of dhcp-bugs at the time.

I'm reforwarding it as an upstream bug so it gets tracked properly.

Please maintain the Cc on correspondence to keep our bug tracking system
in the loop.

regards

Andrew

----- Forwarded message from Martin Pitt <mpitt@debian.org> -----

Subject: Bug#308832: dhcp3-server: Please do not run the server as root
Reply-To: Martin Pitt <mpitt@debian.org>, 308832@bugs.debian.org
Resent-From: Martin Pitt <mpitt@debian.org>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: peloy@debian.org (Eloy A. Paris)
Resent-Date: Thu, 12 May 2005 16:18:02 UTC
Resent-Message-ID: <handler.308832.B.111591381715515@bugs.debian.org>
Resent-Sender: owner@bugs.debian.org
X-Debian-PR-Message: report 308832
X-Debian-PR-Package: dhcp3-server
X-Debian-PR-Keywords: patch security
From: Martin Pitt <mpitt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
X-Reportbug-Version: 3.8
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: dhcp3-server
Severity: wishlist
Tags: security patch

Hi!

dhcpd currently runs as root, which is much more than necessary. To
confine the impact of security holes, I minimized the privileges of
the server to a minimum: it runs as a normal user "dhcpd" now and only
uses CAP_NET_RAW and CAP_NET_BIND_SERVICE capabilities for the
initialization phase, and completely drops kernel capabilities when
running.

The patch is at 

  http://patches.ubuntu.com/patches/dhcp3.deroot-server.diff

I separated out the function for privilege dropping since it can be
reused to deroot the server (I'll file that as a separate bug).

Would you consider applying this in Debian?

Thanks and have a nice day!

Martin


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages dhcp3-server depends on:
ii  debconf                     1.4.30.13    Debian configuration management sy
ii  debianutils                 2.8.4        Miscellaneous utilities specific t
pn  dhcp3-common                             Not found.
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org



----- End forwarded message -----
[signature.asc (application/pgp-signature, inline)]

Forwarded-to-address changed from dhcp-hackers@isc.org to dhcp-bugs@isc.org. Request was from Andrew Pollock <apollock@debian.org> to control@bugs.debian.org. (Tue, 15 Jan 2008 06:09:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#308832; Package dhcp3-server. Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <mpitt@debian.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris). Full text and rfc822 format available.

Message #35 received at 308832@bugs.debian.org (full text, mbox):

From: Martin Pitt <mpitt@debian.org>
To: dhcp-bugs@isc.org
Cc: Andrew Pollock <apollock@debian.org>, 308832@bugs.debian.org
Subject: Re: dhcp3-server: Please do not run the server as root
Date: Tue, 15 Jan 2008 09:28:54 +0100
[Message part 1 (text/plain, inline)]
Hi DHCP developers,

Andrew Pollock [2008-01-14 20:48 -0800]:
> This bug was received some time ago, and I forwarded it on to
> dhcp-hackers, because I wasn't aware of dhcp-bugs at the time.

Just confirming that I still think that the server derooting patch
makes sense; it is unintrusive and robust.

The client patch is more delicate, though, since it needs a suid root
wrapper to call the dhclient script. I think it might be better to
drop that and replace it with an SELinux or AppArmor policy.

FYI I attach the upstream parts of the patch (the one on
patches.ubuntu.com is for Debian and also contains the packaging
changes, and the upstream patches as diff-of-diffs). It still needs
some autoconfiscation, though.

Thanks,

Martin

-- 
Martin Pitt        http://www.piware.de
Ubuntu Developer   http://www.ubuntu.com
Debian Developer   http://www.debian.org
[dhcp3.deroot-server.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Andrew Pollock <apollock@debian.org>:
Bug#308832; Package dhcp3-server. (Tue, 11 Nov 2008 12:57:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Pitt <martin.pitt@ubuntu.com>:
Extra info received and forwarded to list. Copy sent to Andrew Pollock <apollock@debian.org>. (Tue, 11 Nov 2008 12:57:03 GMT) Full text and rfc822 format available.

Message #40 received at 308832@bugs.debian.org (full text, mbox):

From: Martin Pitt <martin.pitt@ubuntu.com>
To: 308832@bugs.debian.org
Subject: Current server derooting patch
Date: Tue, 11 Nov 2008 13:55:32 +0100
[Message part 1 (text/plain, inline)]
Hi Andrew,

this is the current debdiff against 3.1.1-5. Applies cleanly, and this
patch hasn't caused any trouble in years.

Thanks for considering,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
[dhcp3.deroot-server.patch (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information stored :
Bug#308832; Package dhcp3-server. (Sun, 04 Jan 2009 00:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andrew Pollock <apollock@debian.org>:
Extra info received and filed, but not forwarded. (Sun, 04 Jan 2009 00:06:03 GMT) Full text and rfc822 format available.

Message #45 received at 308832-quiet@bugs.debian.org (full text, mbox):

From: Andrew Pollock <apollock@debian.org>
To: 308832-quiet@bugs.debian.org
Subject: [dhcp-bugs@isc.org: [ISC-Bugs #17488] AutoReply: dhcp3-server: Please do not run the server as root]
Date: Sun, 4 Jan 2009 10:05:14 +1000
----- Forwarded message from DHCP Bugs via RT <dhcp-bugs@isc.org> -----

From: DHCP Bugs via RT <dhcp-bugs@isc.org>
To: apollock@debian.org
Subject: [ISC-Bugs #17488] AutoReply: dhcp3-server: Please do not run the server as root 
Date: Tue, 15 Jan 2008 04:48:21 +0000


Greetings,

This message has been automatically generated in response to the
creation of a trouble ticket regarding:
	"dhcp3-server: Please do not run the server as root", 
a summary of which appears below.

There is no need to reply to this message right now.  Your ticket has been
assigned an ID of [ISC-Bugs #17488].

Please include the string:

         [ISC-Bugs #17488]

in the subject line of all future correspondence about this issue. To do so, 
you may reply to this message.

                        Thank you,
                        dhcp-bugs@isc.org

-------------------------------------------------------------------------
Hello,

This bug was received some time ago, and I forwarded it on to
dhcp-hackers, because I wasn't aware of dhcp-bugs at the time.

I'm reforwarding it as an upstream bug so it gets tracked properly.

Please maintain the Cc on correspondence to keep our bug tracking system
in the loop.

regards

Andrew

----- End forwarded message -----




Information forwarded to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#308832; Package dhcp3-server. (Wed, 02 Feb 2011 12:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to dave b <db.pub.mail@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>. (Wed, 02 Feb 2011 12:24:03 GMT) Full text and rfc822 format available.

Message #50 received at 308832@bugs.debian.org (full text, mbox):

From: dave b <db.pub.mail@gmail.com>
To: 308832@bugs.debian.org
Subject: any news regarding the state of this patch?
Date: Wed, 2 Feb 2011 23:19:36 +1100
any news regarding the state of this patch?




Information forwarded to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#308832; Package dhcp3-server. (Thu, 07 Apr 2011 20:15:10 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>. (Thu, 07 Apr 2011 20:15:10 GMT) Full text and rfc822 format available.

Message #55 received at 308832@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: 308832@bugs.debian.org
Subject: Ubuntu patch
Date: Thu, 7 Apr 2011 19:54:16 +0100
[Message part 1 (text/plain, inline)]
Just attaching the patch here in the BTS for reference (it was only linked
to before).

-- 
 - mdz
[dhcp3.deroot-server.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian ISC DHCP maintainers <pkg-dhcp-devel@lists.alioth.debian.org>:
Bug#308832; Package dhcp3-server. (Sun, 10 Apr 2011 09:18:03 GMT) Full text and rfc822 format available.

Message #58 received at 308832@bugs.debian.org (full text, mbox):

From: Andrew Pollock <apollock@debian.org>
To: Matt Zimmerman <mdz@debian.org>, pkg-dhcp-devel@lists.alioth.debian.org, debian-derivatives@lists.debian.org
Subject: Re: [pkg-dhcp-devel] Running the DHCP server as non-root
Date: Tue, 22 Mar 2011 22:28:28 -0700
[Message part 1 (text/plain, inline)]
On Tue, Mar 22, 2011 at 05:02:56PM +0000, Matt Zimmerman wrote:
> Hello DHCP maintainers,
> 
> As part of a patch review for the DEX project[0], I came across this
> wishlist bug on dhcp3-server:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=308832
> 
> for which a patch is available.
> 
> It looks like this issue was forwarded upstream and got a reference number,
> but I couldn't find any way to look up its current status upstream.  Is the
> upstream bug tracker not public?

No. Their rationale is that they have potentially sensitive paid-customer
bugs in there or something.
 
> I would like to help get this patch merged into Debian and upstream if
> possible.  It was originally based on 3.0.1-2, but Ubuntu has been carrying
> it since then, and so it's been merged up to 4.1.1-P1-15 and quite well
> tested at this stage.
> 
> The changes to upstream code are actually quite small and contained (10
> lines, across one source file and 2 makefiles).  Would you be willing to
> merge this small patch into the package until upstream decides what to do
> with it?
> 
> Can you tell me what you think and how you would like to proceed with this?

I have a personal policy of keeping the Debian package as close to upstream
as possible. Ideally the long term set of Debian patches should approach
zero.

I'm suffering from a severe lack of spare time at the moment, but after
mid-April I plan on getting back into DHCP-related stuff with a vengeance.

I've got a good relationship with upstream, and I plan on having a
face-to-face sit down with them in the near future. One of the things I'll
be discussing is bugs that I've forwarded upstream. I'll ensure that I
discuss this particular patch.

I've managed to get the LDAP patch accepted this way, and I'm sure I can get
a patch of this size accepted as well.

In the meantime, I'll also ping the ticket.

regards

Andrew
[signature.asc (application/pgp-signature, inline)]

Information stored :
Bug#308832; Package dhcp3-server. (Thu, 28 Apr 2011 14:09:15 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and filed, but not forwarded. (Thu, 28 Apr 2011 14:09:15 GMT) Full text and rfc822 format available.

Message #63 received at 308832-quiet@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Andrew Pollock <apollock@debian.org>
Cc: pkg-dhcp-devel@lists.alioth.debian.org, debian-derivatives@lists.debian.org, 308832-quiet@bugs.debian.org
Subject: Re: [pkg-dhcp-devel] Running the DHCP server as non-root
Date: Thu, 28 Apr 2011 15:04:34 +0100
On Tue, Mar 22, 2011 at 10:28:28PM -0700, Andrew Pollock wrote:
> On Tue, Mar 22, 2011 at 05:02:56PM +0000, Matt Zimmerman wrote:
> > I would like to help get this patch merged into Debian and upstream if
> > possible.  It was originally based on 3.0.1-2, but Ubuntu has been carrying
> > it since then, and so it's been merged up to 4.1.1-P1-15 and quite well
> > tested at this stage.
> > 
> > The changes to upstream code are actually quite small and contained (10
> > lines, across one source file and 2 makefiles).  Would you be willing to
> > merge this small patch into the package until upstream decides what to do
> > with it?
> > 
> > Can you tell me what you think and how you would like to proceed with this?
> 
> I have a personal policy of keeping the Debian package as close to upstream
> as possible. Ideally the long term set of Debian patches should approach
> zero.

I appreciate that, and it's a good practice.  How do you decide when the
benefit of a patch is enough to offset this general principle?

> I'm suffering from a severe lack of spare time at the moment, but after
> mid-April I plan on getting back into DHCP-related stuff with a vengeance.
> 
> I've got a good relationship with upstream, and I plan on having a
> face-to-face sit down with them in the near future. One of the things I'll
> be discussing is bugs that I've forwarded upstream. I'll ensure that I
> discuss this particular patch.
> 
> I've managed to get the LDAP patch accepted this way, and I'm sure I can get
> a patch of this size accepted as well.
> 
> In the meantime, I'll also ping the ticket.

Have you found some more time to work on this past mid-April as you hoped?
Is there any word from upstream?

-- 
 - mdz




Information stored :
Bug#308832; Package dhcp3-server. (Thu, 28 Apr 2011 23:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andrew Pollock <apollock@debian.org>:
Extra info received and filed, but not forwarded. (Thu, 28 Apr 2011 23:30:03 GMT) Full text and rfc822 format available.

Message #68 received at 308832-quiet@bugs.debian.org (full text, mbox):

From: Andrew Pollock <apollock@debian.org>
To: Matt Zimmerman <mdz@debian.org>, pkg-dhcp-devel@lists.alioth.debian.org, debian-derivatives@lists.debian.org, 308832-quiet@bugs.debian.org
Subject: Re: [pkg-dhcp-devel] Running the DHCP server as non-root
Date: Thu, 28 Apr 2011 16:15:44 -0700
[Message part 1 (text/plain, inline)]
On Thu, Apr 28, 2011 at 03:04:34PM +0100, Matt Zimmerman wrote:
> On Tue, Mar 22, 2011 at 10:28:28PM -0700, Andrew Pollock wrote:
> > I have a personal policy of keeping the Debian package as close to upstream
> > as possible. Ideally the long term set of Debian patches should approach
> > zero.
> 
> I appreciate that, and it's a good practice.  How do you decide when the
> benefit of a patch is enough to offset this general principle?

Good question. Generally I just avoid getting on the slippery slope in the
first place, as once you start, it becomes a lot harder to say no.
 
> > I'm suffering from a severe lack of spare time at the moment, but after
> > mid-April I plan on getting back into DHCP-related stuff with a vengeance.
> > 
> > I've got a good relationship with upstream, and I plan on having a
> > face-to-face sit down with them in the near future. One of the things I'll
> > be discussing is bugs that I've forwarded upstream. I'll ensure that I
> > discuss this particular patch.
> > 
> > I've managed to get the LDAP patch accepted this way, and I'm sure I can get
> > a patch of this size accepted as well.
> > 
> > In the meantime, I'll also ping the ticket.
> 
> Have you found some more time to work on this past mid-April as you hoped?
> Is there any word from upstream?

Not yet, but thanks for the reminder, as this had totally slipped my mind.
I'm gradually getting things off my plate, and this is approaching the top.

I kicked upstream today, and they're going to get back to me. I'll schedule
a face to face meeting for some time in the next couple of weeks.

regards

Andrew
[signature.asc (application/pgp-signature, inline)]

Information stored :
Bug#308832; Package dhcp3-server. (Sun, 15 May 2011 11:18:25 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and filed, but not forwarded. (Sun, 15 May 2011 11:18:30 GMT) Full text and rfc822 format available.

Message #73 received at 308832-quiet@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Andrew Pollock <apollock@debian.org>
Cc: pkg-dhcp-devel@lists.alioth.debian.org, debian-derivatives@lists.debian.org, 308832-quiet@bugs.debian.org
Subject: Re: [pkg-dhcp-devel] Running the DHCP server as non-root
Date: Sun, 15 May 2011 13:15:33 +0200
On Thu, Apr 28, 2011 at 04:15:44PM -0700, Andrew Pollock wrote:
> On Thu, Apr 28, 2011 at 03:04:34PM +0100, Matt Zimmerman wrote:
> > I appreciate that, and it's a good practice.  How do you decide when the
> > benefit of a patch is enough to offset this general principle?
> 
> Good question. Generally I just avoid getting on the slippery slope in the
> first place, as once you start, it becomes a lot harder to say no.

I'm sure there are cases (like a build failure) where it wouldn't make sense
to wait because of the severity of the problem in Debian.  This patch is
obviously a different situation, but (in my opinion of course) offers good
long-term benefits to Debian users.

> > Have you found some more time to work on this past mid-April as you hoped?
> > Is there any word from upstream?
> 
> Not yet, but thanks for the reminder, as this had totally slipped my mind.
> I'm gradually getting things off my plate, and this is approaching the top.
> 
> I kicked upstream today, and they're going to get back to me. I'll schedule
> a face to face meeting for some time in the next couple of weeks.

It's been a couple of weeks, and I'm curious if you've got feedback from
upstream.  Would it help if I contacted them directly on behalf of Debian
and CCed you?

-- 
 - mdz




Information stored :
Bug#308832; Package dhcp3-server. (Sun, 15 May 2011 21:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Andrew Pollock <apollock@debian.org>:
Extra info received and filed, but not forwarded. (Sun, 15 May 2011 21:09:04 GMT) Full text and rfc822 format available.

Message #78 received at 308832-quiet@bugs.debian.org (full text, mbox):

From: Andrew Pollock <apollock@debian.org>
To: Matt Zimmerman <mdz@debian.org>, pkg-dhcp-devel@lists.alioth.debian.org, debian-derivatives@lists.debian.org, 308832-quiet@bugs.debian.org
Subject: Re: [pkg-dhcp-devel] Running the DHCP server as non-root
Date: Mon, 16 May 2011 07:05:48 +1000
On Sun, May 15, 2011 at 01:15:33PM +0200, Matt Zimmerman wrote:
> On Thu, Apr 28, 2011 at 04:15:44PM -0700, Andrew Pollock wrote:
> > On Thu, Apr 28, 2011 at 03:04:34PM +0100, Matt Zimmerman wrote:
> > > I appreciate that, and it's a good practice.  How do you decide when the
> > > benefit of a patch is enough to offset this general principle?
> > 
> > Good question. Generally I just avoid getting on the slippery slope in the
> > first place, as once you start, it becomes a lot harder to say no.
> 
> I'm sure there are cases (like a build failure) where it wouldn't make sense
> to wait because of the severity of the problem in Debian.  This patch is
> obviously a different situation, but (in my opinion of course) offers good
> long-term benefits to Debian users.

Yeah, fixing a build failure tends not to introduce new functionality, so
that is a different ball of wax. I'm particularly loath to introduce
distro-specific functionality, where upstream may introduce something
similar but sufficiently different in the future that it makes switching to
the "proper" implementation more troublesome than just waiting for it to
come in the first place.

That isn't the case for the particular patch we're talking about here, but
is the case for the patch Ubuntu applied to the client to allow it to send
its hostname without hard-coding it. That functionality has finally landed
in 4.2, and is implemented in a completely different manner to how the
Ubuntu patch does it.
 
> > > Have you found some more time to work on this past mid-April as you hoped?
> > > Is there any word from upstream?
> > 
> > Not yet, but thanks for the reminder, as this had totally slipped my mind.
> > I'm gradually getting things off my plate, and this is approaching the top.
> > 
> > I kicked upstream today, and they're going to get back to me. I'll schedule
> > a face to face meeting for some time in the next couple of weeks.
> 
> It's been a couple of weeks, and I'm curious if you've got feedback from
> upstream.  Would it help if I contacted them directly on behalf of Debian
> and CCed you?

I had lunch with them on Thursday and went over a number of bugs and patches
that I've escalated to them over the years, but are still unaddressed. The
de-rooting patch was one I covered in particular, given the ongoing interest
in it.

In following up, they told me about the --enable-paranoia and
--enable-early-chroot configure flags, which are apparently completely
undocumented. I need to investigate these further and see how much they
overlap with the existing de-rooting patch, if at all.

They're talking about a 4.3 release coming out in the fall I think they
said, so I'm hopeful now that I've repositioned the de-rooting patch on
their radar, that they'll consider it for inclusion in that feature release.

regards

Andrew

Information stored :
Bug#308832; Package dhcp3-server. (Thu, 02 Jun 2011 10:39:34 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matt Zimmerman <mdz@debian.org>:
Extra info received and filed, but not forwarded. (Thu, 02 Jun 2011 10:39:39 GMT) Full text and rfc822 format available.

Message #83 received at 308832-quiet@bugs.debian.org (full text, mbox):

From: Matt Zimmerman <mdz@debian.org>
To: Andrew Pollock <apollock@debian.org>
Cc: pkg-dhcp-devel@lists.alioth.debian.org, debian-derivatives@lists.debian.org, 308832-quiet@bugs.debian.org
Subject: Re: [pkg-dhcp-devel] Running the DHCP server as non-root
Date: Thu, 2 Jun 2011 11:37:05 +0100
On Mon, May 16, 2011 at 07:05:48AM +1000, Andrew Pollock wrote:
> On Sun, May 15, 2011 at 01:15:33PM +0200, Matt Zimmerman wrote:
> > I'm sure there are cases (like a build failure) where it wouldn't make
> > sense to wait because of the severity of the problem in Debian.  This
> > patch is obviously a different situation, but (in my opinion of course)
> > offers good long-term benefits to Debian users.
> 
> Yeah, fixing a build failure tends not to introduce new functionality, so
> that is a different ball of wax. I'm particularly loath to introduce
> distro-specific functionality, where upstream may introduce something
> similar but sufficiently different in the future that it makes switching to
> the "proper" implementation more troublesome than just waiting for it to
> come in the first place.
> 
> That isn't the case for the particular patch we're talking about here, but
> is the case for the patch Ubuntu applied to the client to allow it to send
> its hostname without hard-coding it. That functionality has finally landed
> in 4.2, and is implemented in a completely different manner to how the
> Ubuntu patch does it.

That is an unfortunate outcome, and I would be interested to explore how it
happened so that we can do better in the future.  Why was the Ubuntu
implementation considered unsuitable for upstream?  Could we have made the
upstream design or early implementation available to Ubuntu sooner?

> > It's been a couple of weeks, and I'm curious if you've got feedback from
> > upstream.  Would it help if I contacted them directly on behalf of Debian
> > and CCed you?
> 
> I had lunch with them on Thursday and went over a number of bugs and patches
> that I've escalated to them over the years, but are still unaddressed. The
> de-rooting patch was one I covered in particular, given the ongoing interest
> in it.

Thanks for bringing more visibility to this patch.  We would really like to
see Debian, Ubuntu and upstream all in sync with respect to this
functionality.

> In following up, they told me about the --enable-paranoia and
> --enable-early-chroot configure flags, which are apparently completely
> undocumented. I need to investigate these further and see how much they
> overlap with the existing de-rooting patch, if at all.

PARANOIA (something of a misnomer if you ask me) implements three options,
-user, -group and -chroot, which do what you would expect (setuid(),
setgroups() + setgid(), and chroot() at a certain point in execution).

EARLY_CHROOT simply causes the chroot() to happen at an earlier point in the
code.

The Ubuntu patch adds a drop_privileges() function, and two calls to it.
The first one drops all privileges except the needed capabilities, very
early on (first call in main()).  The second one (last thing before
dispatch()) drops those remaining capabilities, leaving it completely
unprivileged.

The approach taken in Ubuntu provides stronger protection, but is
Linux-specific.

> They're talking about a 4.3 release coming out in the fall I think they
> said, so I'm hopeful now that I've repositioned the de-rooting patch on
> their radar, that they'll consider it for inclusion in that feature release.

Any update?

-- 
 - mdz
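The two designs Matt compares above, the portable PARANOIA-style setuid()/setgroups()/setgid()/chroot() drop and the Linux-specific two-stage capability drop, as an added illustration that is not code from this bug, from the Ubuntu patch or from ISC's tree. Function names, the "dhcpd" account and the chroot directory are assumptions; the capability handling uses the raw capget/capset syscalls so it builds without libcap and only applies on Linux.

```c
/* Added example: two ways for a DHCP server to shed root (Linux build).
 * 1) paranoia_style_drop(): chroot + setgroups/setgid/setuid, portable but
 *    all-or-nothing, so it must run after every privileged step is done.
 * 2) Two-stage drop: stage 1 (first thing in main) switches to an
 *    unprivileged uid but keeps CAP_NET_RAW and CAP_NET_BIND_SERVICE so raw
 *    sockets and port 67 still work; stage 2 (just before the dispatch loop)
 *    clears every remaining capability. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Bit for one capability number inside a 32-bit capability data word. */
static inline uint32_t cap_bit(int cap) { return 1u << (cap & 31); }

/* Capabilities the server still needs while it initialises (assumed set). */
uint32_t retained_caps_mask(void) {
    return cap_bit(CAP_NET_RAW) | cap_bit(CAP_NET_BIND_SERVICE);
}

/* Install permitted/effective sets; inheritable and all caps >= 32 are
 * cleared.  Lowering capabilities never requires privilege. */
static int set_caps(uint32_t permitted, uint32_t effective) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    data[0].permitted = permitted;
    data[0].effective = effective;
    data[0].inheritable = 0;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Returns 1 if `cap` is in the calling process's effective set, 0 if not,
 * -1 on error.  Useful for a sanity check or log line after each stage. */
int has_effective_cap(int cap) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2] = { { 0 } };
    if (syscall(SYS_capget, &hdr, data) != 0) return -1;
    return (data[cap >> 5].effective & cap_bit(cap)) != 0;
}

/* PARANOIA-style drop (-user/-group/-chroot): portable, but leaves the
 * process fully root until this point, so it must come after the sockets
 * are opened.  Groups are dropped before the uid, otherwise setgroups()
 * would already be impossible. */
int paranoia_style_drop(uid_t uid, gid_t gid, const char *chroot_dir) {
    if (chroot_dir != NULL) {
        if (chroot(chroot_dir) != 0 || chdir("/") != 0) return -1;
    }
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Stage 1: become `user` but keep only the retained network capabilities. */
int drop_privileges_keep_net_caps(const char *user) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) { errno = ENOENT; return -1; }
    /* Without KEEPCAPS the kernel empties the permitted set on setuid(). */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    /* setuid() cleared the effective set; re-raise just the two we need. */
    return set_caps(retained_caps_mask(), retained_caps_mask());
}

/* Stage 2: nothing privileged left to do, so discard everything. */
int drop_all_capabilities(void) { return set_caps(0, 0); }

int main(void) {
    if (geteuid() == 0) {
        if (drop_privileges_keep_net_caps("dhcpd") != 0) { perror("stage 1"); return 1; }
    } else {
        puts("not root: stage 1 skipped, showing stage 2 only");
    }
    printf("CAP_NET_RAW effective before stage 2: %d\n", has_effective_cap(CAP_NET_RAW));
    if (drop_all_capabilities() != 0) { perror("stage 2"); return 1; }
    printf("CAP_NET_RAW effective after stage 2:  %d\n", has_effective_cap(CAP_NET_RAW));
    return 0;
}
```

The point of the split is the window between the two calls: during it the process can open raw sockets and bind port 67 but cannot, for example, write to files owned by root, so a bug hit while parsing configuration already runs with far less authority than in the PARANOIA model, where nothing is dropped until the single setuid() call.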






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 04:31:45 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.