Debian Bug report logs - #308833
dhcp3-client: Please do not run dhclient as root

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: dhcp3-client: Please do not run dhclient as root

Date: Thu, 12 May 2005 18:05:33 +0200

[Message part 1 (text/plain, inline)]

Package: dhcp3-client
Severity: wishlist
Tags: security patch

Hi!

dhclient currently runs as root, which is much more than necessary.
Similarly to the derooting of dhcpd (I filed a separate bug about
this) I minimized the privileges of dhclient. Here is the patch (which
requires that the server derooting patch is already applied):

  http://patches.ubuntu.com/patches/dhcp3.deroot-client.diff

Please consider applying it in Debian. Please also don't hesitate to
contact me if you have questions or suggestions how to improve it.

Thanks,

Martin

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages dhcp3-client depends on:
ii  debconf                     1.4.30.13    Debian configuration management sy
ii  debianutils                 2.8.4        Miscellaneous utilities specific t
pn  dhcp3-common                             Not found.
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 308833@bugs.debian.org (full text, mbox, reply):

From: Andrew Pollock <apollock@debian.org>

To: Martin Pitt <mpitt@debian.org>, 308833@bugs.debian.org

Subject: Re: Bug#308833: dhcp3-client: Please do not run dhclient as root

Date: Fri, 13 May 2005 09:42:41 +1000

On Thu, May 12, 2005 at 06:05:33PM +0200, Martin Pitt wrote:
> Package: dhcp3-client
> Severity: wishlist
> Tags: security patch
> 
> Hi!
> 
> dhclient currently runs as root, which is much more than necessary.
> Similarly to the derooting of dhcpd (I filed a separate bug about
> this) I minimized the privileges of dhclient. Here is the patch (which
> requires that the server derooting patch is already applied):
> 
>   http://patches.ubuntu.com/patches/dhcp3.deroot-client.diff
> 
> Please consider applying it in Debian. Please also don't hesitate to
> contact me if you have questions or suggestions how to improve it.
> 

Similiar to #308832, I'll look into applying this after Sarge, when I
hopefully have some more time.

regards

Andrew

Message #15 received at 308833@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>

To: "David W. Hankins" <David_Hankins@isc.org>

Cc: dhcp-hackers@isc.org, mpitt@debian.org, 308833@bugs.debian.org, 308832@bugs.debian.org

Subject: Re: Not running the server as root

Date: Tue, 17 May 2005 17:56:20 +0200

[Message part 1 (text/plain, inline)]

Hi!

David W. Hankins [2005-05-17  8:39 -0700]:
> On Tue, May 17, 2005 at 09:57:20PM +1000, Andrew Pollock wrote:
> > Details on the patch can be found at
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=308832
> 
> On first glance, the patches as presently distributed in FreeBSD /usr/ports
> look to me to be more complete (not the least of which is due to including
> a chroot() and jail() implementation).

Interesting, I take a look at them. However, a chroot in Linux is not
very efficient when it is meant to improve security (unless you are
using grsecurity or similar)---chrooted processes that run as root can
easily break out of the chroot, and processes which do not run as root
cannot do much harm anyway; thus I'm rather aiming for letting
processes run as root instead of chrooting them.

> I think the 'capability' flag setting is overhead.  We never open new
> sockets after initialization - so long as you put the setuid calls after
> configuration parsing (which you should do anyway since these should be
> config-file configurable) there's no need for those capabilities.

Right, for the server it might be a little exaggerated, but since the
function is already there it does not do much harm to immediately drop
capabilities which are never needed. Please note that the patch works
fine on kernels which don't support capabilities, in that case the
privileges are not reduced.

Kernel capabilities are mainly important for dhclient, which I
derooted as well:

  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=308833

In that case they really make sense because dhclient needs them not
only in an initialization phase, but throughout lifetime.

> We're looking very closely at the FreeBSD ports changes, and these features
> are definitely something that 'must' appear in a 3.1 release.
> 
> You'd have to ask the ports maintainer, but I assume you would be most
> welcome to include their changes in whatever upcoming debian releases.

I'll ask them and take a look at their patches.

> As it stands, these changes in ports represent a fork of our software, and
> it would be good if the number of forks remained a relatively low number
> until we can get a feature release out to address them.

Right, that's why this stuff should eventually go upstream. The only
problem that I see is the variety of methods to restrict Daemons --
one uses normal users with additional kernel capabilities in Linux,
and apparently jails() in FreeBSD. This should be resolvable with some
#ifdef'ed code, but it is certainly not very nice. (Things are so much
easier if you just maintain a patch for a particular distro :-) )

The current patches are not perfect anyway since they have too much
hardcoded stuff in them. I can make them more upstream-friendly if you
are generally interested in them.

Thanks for considering and have a nice day!

Martin
-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org

[signature.asc (application/pgp-signature, inline)]

Message #18 received at 308833-forwarded@bugs.debian.org (full text, mbox, reply):

From: Andrew Pollock <apollock@debian.org>

To: dhcp-hackers@isc.org

Cc: mpitt@debian.org, 308833-forwarded@bugs.debian.org

Subject: Not running the client as root

Date: Wed, 18 May 2005 10:39:28 +1000

[Message part 1 (text/plain, inline)]

Hi,

In the same vein as yesterday's email regarding not running the DHCP server
as root, Martin Pitt of Ubuntu fame also submitted a patch to not run the
client as root.

Details are at http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=308833

Again, my personal preference is for this sort of stuff to get rolled in
upstream, and for the Debian packages to merely reflect what upstream is
doing.

(Maintaining the Cc of this email will ensure our bug tracking system is
kept in the loop)

regards

Andrew

[signature.asc (application/pgp-signature, inline)]

Message #19 received at 308833-forwarded@bugs.debian.org (full text, mbox, reply):

From: "David W. Hankins" <David_Hankins@isc.org>

To: dhcp-hackers@isc.org, mpitt@debian.org, 308833-forwarded@bugs.debian.org

Subject: Re: Not running the client as root

Date: Thu, 26 May 2005 18:29:41 +0000

On Wed, May 18, 2005 at 10:39:28AM +1000, Andrew Pollock wrote:
> Again, my personal preference is for this sort of stuff to get rolled in
> upstream, and for the Debian packages to merely reflect what upstream is
> doing.

I think setuid in the client is not a feature that was incorporated in
the freebsd changes.

Which is ironic when you consider that the client is used far more
often in FreeBSD than the server.

This is a feature we need in DHCP one way or the other - I'll create
a ticket to remind me to evaluate these patches for 3.1.0.

So long as we're at it, the relay software could probably use this
as well.

-- 
David W. Hankins		"If you don't do it right the first time,
Operations Engineer			you'll just have to do it again."
Internet Systems Consortium, Inc.		-- Jack T. Hankins

Message #24 received at 308833@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>

To: 308833@bugs.debian.org

Subject: Updated patch with important fix

Date: Mon, 30 May 2005 12:07:50 +0200

[Message part 1 (text/plain, inline)]

Hi Eloy!

I just updated the patch at 

  http://patches.ubuntu.com/patches/dhcp3.deroot-client.diff
 
to fix Ubuntu bug #10803. The PID file was (sometimes) written after
dropping the privileges, which produced a "dhclient: Can't create
/var/run/dhclient.eth0.pid: Permission denied". The updated patch
always writes the PID file before dropping the privileges.

To make this more robust, I also fixed up the old pid file handling a
bit, will followup to #178885 soon.

Can you please forward the updated patch to upstream? I tried to post
to their mailing list, but they have a rather restrictive policy
for non-subscribers.

Thanks and have a nice day!

Martin

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org

[signature.asc (application/pgp-signature, inline)]

Message #25 received at 308833-forwarded@bugs.debian.org (full text, mbox, reply):

From: Andrew Pollock <apollock@debian.org>

To: dhcp-bugs@isc.org

Cc: mpitt@debian.org, 308833-forwarded@bugs.debian.org

Subject: dhcp-client: Please do not run dhclient as root

Date: Mon, 14 Jan 2008 20:46:55 -0800

[Message part 1 (text/plain, inline)]

Hello,

This bug was received some time ago, and I forwarded it on to
dhcp-hackers, because I wasn't aware of dhcp-bugs at the time.

Ubuntu has been running with a local patch to implement this for some time, to
the best of my knowledge. See http://bugs.debian.org/308833 for the full
history.

I'm reforwarding it as an upstream bug so it gets tracked properly.

Please maintain the Cc on correspondence to keep our bug tracking system
in the loop.

regards

Andrew

----- Forwarded message from Martin Pitt <mpitt@debian.org> -----

Subject: Bug#308833: dhcp3-client: Please do not run dhclient as root
Reply-To: Martin Pitt <mpitt@debian.org>, 308833@bugs.debian.org
Resent-From: Martin Pitt <mpitt@debian.org>
Resent-To: debian-bugs-dist@lists.debian.org
Resent-CC: peloy@debian.org (Eloy A. Paris)
Resent-Date: Thu, 12 May 2005 16:18:03 UTC
Resent-Message-ID: <handler.308833.B.111591396417342@bugs.debian.org>
Resent-Sender: owner@bugs.debian.org
X-Debian-PR-Message: report 308833
X-Debian-PR-Package: dhcp3-client
X-Debian-PR-Keywords: patch security
From: Martin Pitt <mpitt@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
X-Reportbug-Version: 3.8
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 

Package: dhcp3-client
Severity: wishlist
Tags: security patch

Hi!

dhclient currently runs as root, which is much more than necessary.
Similarly to the derooting of dhcpd (I filed a separate bug about
this) I minimized the privileges of dhclient. Here is the patch (which
requires that the server derooting patch is already applied):

  http://patches.ubuntu.com/patches/dhcp3.deroot-client.diff

Please consider applying it in Debian. Please also don't hesitate to
contact me if you have questions or suggestions how to improve it.

Thanks,

Martin

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11.9
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)

Versions of packages dhcp3-client depends on:
ii  debconf                     1.4.30.13    Debian configuration management sy
ii  debianutils                 2.8.4        Miscellaneous utilities specific t
pn  dhcp3-common                             Not found.
ii  libc6                       2.3.2.ds1-21 GNU C Library: Shared libraries an

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org



----- End forwarded message -----

[signature.asc (application/pgp-signature, inline)]

Message #32 received at 308833-done@bugs.debian.org (full text, mbox, reply):

From: Martin Pitt <mpitt@debian.org>

To: 308833-done@bugs.debian.org

Subject: Re: Bug#308833: dhcp3-client: Please do not run dhclient as root

Date: Tue, 11 Nov 2008 13:46:07 +0100

I dropped the client derooting patch in Ubuntu in the last release,
since it is imperfect ($PATH injection into client script) and too
complicated. This is better solved with AppArmor or something.

Thus I close this report now, too.

Martin

-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)

Send a report that this bug log contains spam.