
Re: blocking DHCP requests



* Ed White <[email protected]> [2004-10-04 18:32]:
> On Sunday 03 October 2004 01:10, Camiel Dobbelaar wrote:
> > dhcpd (like tcpdump) uses bpf/libpcap, which gets a copy of the network
> > data before pf does.  This means you cannot use pf to filter what gets to
> > dhcpd.
> 
> Quoting from here: http://www.onlamp.com/lpt/a/4839
> 
> 
> Federico: If I'm not wrong, tools that use raw access to network data bypass 
> PF because the filtering happens after. How can this be solved? Is this a 
> behavior you want to change?
> 
> 
> HB: This is not true.
> It is true that bpf is outside pf. This is actually very good for debugging.
> We might add a possibility for bpf-based tools to request to be hooked in 
> before pf. It might be useful for the dhcp programs. But then, that is not a 
> real-world problem - I have privilege revoked dhcpd and dhcrelay so that they 
> don't run as root anymore, and [email protected] helped out with bpf write filters (we 
> have read filters already) and lock the bpf device so that no changes in 
> those filters are possible anymore. Especially for dhcpd that means that one 
> very worrisome piece of code is now locked away that nicely that you don't 
> have to worry much anymore. And of course besides the privdrop and bpf 
> security work, we cleaned that mess up big time...
> The most worrisome of those programs is now dhclient which is scary, huge and 
> still runs as root - even given we cut about half of its code out already. I 
> have it running privilege separated on my machine already...
> 
> RM: I don't see this as a problem, and don't think that this will be changed.
> 
> CEA: This is by design, and I do not want/see this behavior changing. We have 
> introduced bpf security extensions to solve this problem on a case-by-case 
> basis. We are going through every program in the tree and modify them to use 
> the security extensions and drop/separate privileges. At some point we may 
> also start looking at critical applications in the ports tree. 
> 
> 
> Who's right ?
If you bothered to read what you posted you'd see that all of Camiel, 
Ryan, Can and I say the same.
-- 
Henning Brauer, BS Web Services, http://bsws.de
[email protected] - [email protected]
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)
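The practical consequence of the thread is that a bpf consumer such as dhcpd cannot rely on pf to narrow what it sees; the narrowing has to happen in the bpf read filter itself, which OpenBSD then makes immutable with the BIOCLOCK ioctl after the read and write filters (BIOCSETF/BIOCSETWF) are installed. The following is an added example, not code from the thread or from OpenBSD's dhcpd: it builds the classic BPF program for "IPv4 UDP to port 67 or 68, first fragment only", the kind of read filter a DHCP server would lock in, and runs it through a small interpreter against constructed Ethernet frames so the accept/reject behaviour can be checked on any system. The opcode constants are defined locally with the same numeric values as <net/bpf.h> (an assumption made so the file compiles without bpf headers), the frames are constructed, and the struct is named `insn` rather than `bpf_insn` to avoid clashing with system headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic BPF opcode fields, same numeric values as <net/bpf.h>; defined
 * locally so the example builds where bpf(4) is not available. */
#define BPF_LD   0x00
#define BPF_LDX  0x01
#define BPF_JMP  0x05
#define BPF_RET  0x06
#define BPF_H    0x08
#define BPF_B    0x10
#define BPF_ABS  0x20
#define BPF_IND  0x40
#define BPF_MSH  0xa0
#define BPF_JEQ  0x10
#define BPF_JSET 0x40
#define BPF_K    0x00

/* Same layout as struct bpf_insn: opcode, true/false jump offsets, operand. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define STMT(c, k)         { (c), 0, 0, (k) }
#define JUMP(c, k, jt, jf) { (c), (jt), (jf), (k) }

/* Read filter for a DHCP server on an Ethernet interface:
 * ethertype IPv4, protocol UDP, not a later fragment, UDP dst port 67 or 68.
 * Jump offsets are relative to the following instruction, as in bpf(4). */
static const struct insn dhcp_filter[] = {
    /*  0 */ STMT(BPF_LD | BPF_H | BPF_ABS, 12),              /* A = ethertype           */
    /*  1 */ JUMP(BPF_JMP | BPF_JEQ | BPF_K, 0x0800, 0, 9),   /* not IPv4 -> 11 (drop)   */
    /*  2 */ STMT(BPF_LD | BPF_B | BPF_ABS, 23),              /* A = IP protocol         */
    /*  3 */ JUMP(BPF_JMP | BPF_JEQ | BPF_K, 17, 0, 7),       /* not UDP -> 11 (drop)    */
    /*  4 */ STMT(BPF_LD | BPF_H | BPF_ABS, 20),              /* A = flags + frag offset */
    /*  5 */ JUMP(BPF_JMP | BPF_JSET | BPF_K, 0x1fff, 5, 0),  /* later fragment -> drop  */
    /*  6 */ STMT(BPF_LDX | BPF_B | BPF_MSH, 14),             /* X = IP header length    */
    /*  7 */ STMT(BPF_LD | BPF_H | BPF_IND, 16),              /* A = UDP dst port        */
    /*  8 */ JUMP(BPF_JMP | BPF_JEQ | BPF_K, 67, 1, 0),       /* bootps -> 10 (accept)   */
    /*  9 */ JUMP(BPF_JMP | BPF_JEQ | BPF_K, 68, 0, 1),       /* bootpc -> 10, else 11   */
    /* 10 */ STMT(BPF_RET | BPF_K, 0xffffffff),               /* accept whole packet     */
    /* 11 */ STMT(BPF_RET | BPF_K, 0),                        /* drop                    */
};

/* Minimal interpreter for the opcodes used above. Out-of-bounds loads and
 * unknown opcodes reject the packet, as the kernel implementation does. */
static uint32_t run_filter(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        uint32_t off;
        switch (i->code) {
        case BPF_LD | BPF_H | BPF_ABS:
            if ((size_t)i->k + 2 > len) return 0;
            A = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1]; break;
        case BPF_LD | BPF_B | BPF_ABS:
            if ((size_t)i->k + 1 > len) return 0;
            A = pkt[i->k]; break;
        case BPF_LD | BPF_H | BPF_IND:
            off = X + i->k;
            if ((size_t)off + 2 > len) return 0;
            A = ((uint32_t)pkt[off] << 8) | pkt[off + 1]; break;
        case BPF_LDX | BPF_B | BPF_MSH:
            if ((size_t)i->k + 1 > len) return 0;
            X = (pkt[i->k] & 0x0f) * 4; break;
        case BPF_JMP | BPF_JEQ | BPF_K:  pc += (A == i->k) ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K: pc += (A & i->k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K: return i->k;
        default: return 0;
        }
    }
    return 0;
}

/* 1 if the DHCP read filter would pass this frame to the process, else 0. */
int dhcp_filter_accepts(const uint8_t *pkt, size_t len)
{
    return run_filter(dhcp_filter, sizeof dhcp_filter / sizeof dhcp_filter[0], pkt, len) != 0;
}

/* Constructed Ethernet/IPv4/UDP frame (0.0.0.0 -> 255.255.255.255, src port 68).
 * ihl is the IP header length in 32-bit words; >5 adds zero-filled options. */
size_t build_frame(uint8_t *buf, uint8_t proto, uint8_t ihl, uint16_t frag, uint16_t dport)
{
    size_t iphl = ihl * 4u, udp = 14 + iphl;
    memset(buf, 0, udp + 16);
    memset(buf, 0xff, 6);                               /* dst MAC: broadcast  */
    buf[12] = 0x08; buf[13] = 0x00;                     /* ethertype IPv4      */
    buf[14] = (uint8_t)(0x40 | ihl);                    /* version 4, IHL      */
    buf[17] = (uint8_t)(iphl + 16);                     /* IP total length     */
    buf[20] = frag >> 8; buf[21] = frag & 0xff;         /* flags + frag offset */
    buf[22] = 64; buf[23] = proto;                      /* TTL, protocol       */
    memset(buf + 30, 0xff, 4);                          /* dst 255.255.255.255 */
    buf[udp + 1] = 68;                                  /* src port 68         */
    buf[udp + 2] = dport >> 8; buf[udp + 3] = dport & 0xff;
    buf[udp + 5] = 16;                                  /* UDP length          */
    return udp + 16;
}

/* Build one constructed frame and return the filter verdict for it. */
int check(uint8_t proto, uint8_t ihl, uint16_t frag, uint16_t dport)
{
    uint8_t b[128];
    return dhcp_filter_accepts(b, build_frame(b, proto, ihl, frag, dport));
}

int main(void)
{
    printf("UDP to 67:              %d\n", check(17, 5, 0, 67));
    printf("UDP to 67, IP options:  %d\n", check(17, 6, 0, 67));
    printf("UDP to 53:              %d\n", check(17, 5, 0, 53));
    printf("TCP to 67:              %d\n", check(6, 5, 0, 67));
    printf("UDP to 67, 2nd fragment:%d\n", check(17, 5, 1, 67));
    return 0;
}
```

On OpenBSD this same instruction array, cast to struct bpf_insn and wrapped in a struct bpf_program, is what a daemon hands to ioctl(fd, BIOCSETF, ...) on its bpf descriptor; once BIOCLOCK has been issued the descriptor refuses further filter changes for its lifetime, which is the "lock" the thread describes. The fragment check matters because port numbers live only in the first fragment; a filter that omits it would deliver later fragments of unrelated traffic to the daemon.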