Mailinglist Archive: opensuse-security (260 mails)

< Previous Next >
Re: [suse-security] dhcpd patch
  • From: Thomas Biege <thomas@xxxxxxx>
  • Date: Tue, 25 Jul 2000 10:10:40 +0200 (CEST)
  • Message-id: <Pine.LNX.4.21.0007250956070.6044-100000@xxxxxxxxxxxxxx>
On Mon, 24 Jul 2000, Kurt Seifried wrote:

> This came up on linux audit list, I think it's rather useful, Thomas/Marc,
> would you guys have any comments on the following patch for dhcpd?
>
> http://users.phri.nyu.edu/~edelkind/custom/public/patches/dhcp-2.0+paranoia.
> patch
>
> It let's you specify user/group to run dhcpd as, and -t for chrooting it
> (just like BIND). I think it would be nice (hint =) if SuSE included this in
> their DHCPD package and maybe even defaulted to running dhcpd as a non root
> user (not hard to do, all it needs to write to is the leases file).

hm, the guy, who wrotes that patch seems not very familiar with chroot()ed
environments. he misses the chdir() after the chroot(), which makes the
chroot jail unsecure. to be on the safe track initgroups() should be
called in addition to setgid(), he also missed that. there could be more
failures like this. if i have the time, i'll debug and test this patch...
maybe it'll become part of our next SuSE, but I don't think so. As long as
we have Marc's Compartment it would be wiser to use this instead of a
buggy patch.

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@xxxxxxx Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47


< Previous Next >
References