From: "Rob"
Delivered-To: freebsd-questions@freebsd.org
Subject: dhcpd and security
Date: Sat, 25 May 2002 23:27:50 +0930
Message-ID: <005b01c203f4$28e03100$a4b826cb@goo>

Hi,

I'm running a DHCP server on the inside interface of a gateway. Since it's the only service there (besides SSH) I'd like to tie it down as much as possible.

The default behaviour of the isc-dhcp-2 port is to run as root, and AFAIK the isc-dhcp-3 port does the same thing. In this case, I'd like some advice on my options:

* ari edelkind wrote a dhcp-2.0+paranoia.patch which added chroot() and setuid()/gid() to dhcpd v2 - unfortunately
  http://users.phri.nyu.edu/~edelkind/custom/public/patches/dhcp-2.0+paranoia.patch
  and
  http://www.episec.com/people/edelkind/patches/dhcp/dhcp-2.0+paranoia.patch
  are now dead links. Does anyone have a copy of this patch?

* Kurt Seifried wrote an article on DHCP security issues - alas
  http://securityportal.com/closet/closet20001129.html
  is also a dead link. Has anyone seen a mirror of this article?

* ISC-DHCP v3 has lots of new features, but still seems to be missing the option to run as non-root. Since I don't need stuff like Dynamic DNS, is there any reason not to stay with version 2?

Thanks muchly,
Rob.

--
Trust the Computer. The Computer is your friend.
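
Added example, not part of the original message and not the paranoia patch itself: a sketch in C of the chroot() plus setgid()/setuid() sequence the message asks about, showing the order of the calls and the check that root cannot be regained. The function name drop_privileges, the jail path /var/empty and uid/gid 65534 are assumptions chosen for illustration.

```c
/* Added example: chroot + irreversible privilege drop for a daemon
 * that needs root only to bind its socket (e.g. UDP port 67). */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* expose chroot()/setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 only if the process is confined to jail_dir and can no
 * longer regain root; returns -1 on any failure (caller must exit). */
int drop_privileges(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                      /* refuse to "drop" to root */

    /* 1. Enter the jail while still root, then chdir so the working
     *    directory does not point outside the new root. */
    if (chroot(jail_dir) != 0 || chdir("/") != 0)
        return -1;

    /* 2. Reset supplementary groups, then set gid BEFORE uid: once the
     *    uid is gone the process may no longer change its groups. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0)
        return -1;

    /* 3. Called as root, setuid() sets real, effective and saved uid. */
    if (setuid(uid) != 0)
        return -1;

    /* 4. Verify: the ids must match and root must be unreachable. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    return 0;
}

int main(void)
{
    /* Assumed values; a real daemon binds its sockets before this call. */
    if (drop_privileges("/var/empty", 65534, 65534) != 0) {
        fprintf(stderr, "privilege drop failed, exiting\n");
        return 1;
    }
    puts("running chrooted as uid 65534");
    return 0;
}
```

Any file the daemon writes after the call, such as a lease database, has to live inside the jail and be writable by the unprivileged uid.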