[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: blocking DHCP requests
* Ed White <[email protected]> [2004-10-04 18:32]:
> On Sunday 03 October 2004 01:10, Camiel Dobbelaar wrote:
> > dhcpd (like tcpdump) uses bpf/libpcap, which gets a copy of the network
> > data before pf does. This means you cannot use pf to filter what gets to
> > dhcpd.
> Quoting from here: http://www.onlamp.com/lpt/a/4839
> Federico: If I'm not wrong, tools that use raw access to network data bypass
> PF because the filtering happens after. How can this be solved? Is this a
> behavior you want to change?
> HB: This is not true.
> It is true that bpf is outside pf. This is actually very good for debugging.
> We might add a possibility for bpf-based tools to request to be hooked in
> before pf. It might be useful for the dhcp programs. But then, that is not a
> real-world problem ??? I have privilege revoked dhcpd and dhcrelay so that they
> don't run as root anymore, and [email protected] helped out with bpf write filters (we
> have read filters already) and lock the bpf device so that no changes in
> those filters are possible anymore. Especially for dhcpd that means that one
> very worrysome piece of code is now locked away that nicely that you don't
> have to worry much anymore. And of course besides the privdrop and bpf
> security work, we cleaned that mess up big time...
> The most worrysome of those programs is now dhclient which is scary, huge and
> still runs as root ??? even given we cut about half of its code out already. I
> have it running privilege separated on my machine already...
> RM: I don't see this as a problem, and don't think that this will be changed.
> CEA: This is by design, and I do not want/see this behavior changing. We have
> introduced bpf security extensions to solve this problem on a case-by-case
> basis. We are going through every program in the tree and modify them to use
> the security extensions and drop/separate privileges. At some point we may
> also start looking at critical applications in the ports tree.
> Who's right ?
if you bothered to read what you posted you'd see that all of camiel,
Ryan, Can and me say the same.
Henning Brauer, BS Web Services, http://bsws.de
[email protected] - [email protected]
Unix is very simple, but it takes a genius to understand the simplicity.