On Mon, 24 Jul 2000, Kurt Seifried wrote:
This came up on linux audit list, I think it's rather useful, Thomas/Marc, would you guys have any comments on the following patch for dhcpd?
http://users.phri.nyu.edu/~edelkind/custom/public/patches/dhcp-2.0+paranoia. patch
It let's you specify user/group to run dhcpd as, and -t for chrooting it (just like BIND). I think it would be nice (hint =) if SuSE included this in their DHCPD package and maybe even defaulted to running dhcpd as a non root user (not hard to do, all it needs to write to is the leases file).
hm, the guy, who wrotes that patch seems not very familiar with chroot()ed environments. he misses the chdir() after the chroot(), which makes the chroot jail unsecure. to be on the safe track initgroups() should be called in addition to setgid(), he also missed that. there could be more failures like this. if i have the time, i'll debug and test this patch... maybe it'll become part of our next SuSE, but I don't think so. As long as we have Marc's Compartment it would be wiser to use this instead of a buggy patch. Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47