From owner-freebsd-net@freebsd.org Mon Oct 14 22:59:42 2019 Return-Path: Delivered-To: freebsd-net@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id B21FA142E5A for ; Mon, 14 Oct 2019 22:59:42 +0000 (UTC) (envelope-from brooks@spindle.one-eyed-alien.net) Received: from spindle.one-eyed-alien.net (spindle.one-eyed-alien.net [199.48.129.229]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 46sYsn1x5fz42XC; Mon, 14 Oct 2019 22:59:41 +0000 (UTC) (envelope-from brooks@spindle.one-eyed-alien.net) Received: by spindle.one-eyed-alien.net (Postfix, from userid 3001) id 3DBAE3C0199; Mon, 14 Oct 2019 22:59:40 +0000 (UTC) Date: Mon, 14 Oct 2019 22:59:40 +0000 From: Brooks Davis To: Ben Woods Cc: Brooks Davis , "roy@marples.name" , Hiroki Sato , driesm.michiels@gmail.com, freebsd-net@freebsd.org Subject: Re: DHCPv6 client in base Message-ID: <20191014225940.GA34287@spindle.one-eyed-alien.net> References: <001e01d50b49$176104d0$46230e70$@gmail.com> <20190516.032012.517661495892269813.hrs@allbsd.org> <20191011174520.GC53377@spindle.one-eyed-alien.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="C7zPtVaVf+AK4Oqc" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) X-Rspamd-Queue-Id: 46sYsn1x5fz42XC X-Spamd-Bar: ------ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of brooks@spindle.one-eyed-alien.net has no SPF policy when checking 199.48.129.229) smtp.mailfrom=brooks@spindle.one-eyed-alien.net X-Spamd-Result: default: False [-6.50 / 15.00]; ARC_NA(0.00)[]; FREEMAIL_TO(0.00)[gmail.com]; TO_DN_EQ_ADDR_SOME(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; TAGGED_RCPT(0.00)[]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; DMARC_NA(0.00)[freebsd.org]; AUTH_NA(1.00)[]; RCPT_COUNT_FIVE(0.00)[6]; TO_MATCH_ENVRCPT_SOME(0.00)[]; R_SPF_NA(0.00)[]; SIGNED_PGP(-2.00)[]; FORGED_SENDER(0.30)[brooks@freebsd.org,brooks@spindle.one-eyed-alien.net]; RCVD_COUNT_ZERO(0.00)[0]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ASN(0.00)[asn:36236, ipnet:199.48.128.0/22, country:US]; FROM_NEQ_ENVFROM(0.00)[brooks@freebsd.org,brooks@spindle.one-eyed-alien.net]; IP_SCORE(-3.60)[ip: (-9.41), ipnet: 199.48.128.0/22(-4.69), asn: 36236(-3.85), country: US(-0.05)] X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 14 Oct 2019 22:59:42 -0000 --C7zPtVaVf+AK4Oqc Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Oct 15, 2019 at 06:41:36AM +0800, Ben Woods wrote: > On Sat, 12 Oct 2019 at 1:45 am, Brooks Davis wrote: >=20 > > DHCP is one of the most exposed attack surfaces in existence. We expect > > it to take input from explicitly untrustworthy networks and perform > > actions as root. It might be OK to import this as a stopgap only > > supporting IPv6, but without capsicum or privilege separation (as noted > > elsewhere in the thread) it seems unlikely to be a good idea enable it > > by default or replace the existing IPv4 dhclient. > > > > -- Brooks > > > Hi Brooks, >=20 > Thanks for the feedback. >=20 > Roy Marples (the main dhcpcd) has already begun working on privilege > separating dhcpcd based on your feedback. >=20 > Have you or Roy got any thoughts on how the privilege separation might be > structured? > - main process > - network listener > - packer interpreter > - hook runner and scripts >=20 > It???s obviously the packet interpreter that is the risky part, but does = not > need privileges. >=20 > FreeBSD has the ???_dhcp??? user which I assume could be used for running= these > low privilege tasks? It's worth taking a look at the separation in the existing dhclient. They have chosen to drop privilege in the main program and have a child which retains privilege for sending packets, tweaking interface MTU, and running the script. > Roy is not intending to work on capsicum support in dhcpcd, but I think > once the privilege separation has been done it will be easier to add that > support. The capsicum support in our client is pretty limited so that sounds like a good approach. -- Brooks --C7zPtVaVf+AK4Oqc Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJdpP3bAAoJEKzQXbSebgfA3FIIAJRkgx40QTvVpSoSK1odhiPz NIPN2op8gtLa7TycQYebn4p14UZ3AiXFt9KNffs1cWvhSq45nboTYZ4pgMLh9e0I 0OCTVPPZy9REENcMGFJ1UD+xSUTqvv8SXm7PURnNG9+WFPG5y75xjhA08dWvx9so MT1zw7zt21+92hXztG271IP0JTY31qftWO0gly4kK1KI4LWVQkgZRXeT/f+ca7W2 iR2m32Uqs4SeNs8zUPoq9eB96qvGkpRRN8bJ9fY1eEmPsNynPuFcw1Ub4ldHomE7 tLDjBFdFi3dwB7Jl+u+g8lDdauwxXXQsag5jW0mDjjbwlVoovLOWNjW1QroVs5Q= =aL3U -----END PGP SIGNATURE----- --C7zPtVaVf+AK4Oqc--