Date: Sat, 29 Jan 2005 21:59:04 +1030 (CST)
From: Rob <listone@deathbeforedecaf.net>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/76811: [patch] Updates for net/isc-dhcp3-server running chrooted on 4.x
Message-ID: <200501291129.j0TBT4p1011998@zim.0x7e.net>
Resent-Message-ID: <200501291130.j0TBUHRX048466@freefall.freebsd.org>
>Number: 76811
>Category: ports
>Synopsis: [patch] Updates for net/isc-dhcp3-server running chrooted on 4.x
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sat Jan 29 11:30:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Rob <listone@deathbeforedecaf.net>
>Release: FreeBSD 4.10-RELEASE i386
>Organization:
>Environment:
System: FreeBSD gir.0x7e.net 4.10-RELEASE FreeBSD 4.10-RELEASE #0: Mon Jan 3 03:40:44 CST 2005 rob@goo.0x7e.net:/tmp/GIR i386

Package: isc-dhcp3-server-3.0.1.r14_6
>Description:
The following comments apply to version 1.11 of /usr/local/etc/rc.d/isc-dhcpd.sh:

1. On 4.x, isc-dhcpd.sh always emits the warning

   WARNING: dhcpd_devfs_enable disabled -- not available

   even with dhcpd_devfs_enable=NO. Harmless, but annoying.

2. On 4.x with dhcpd_chroot_enable=YES, the entire /dev directory is copied to ${dhcpd_rootdir}/dev, including mem and kmem. This could be considered a security risk.

3. With dhcpd_chroot_enable=YES, DNS lookups fail due to the absence of hosts and resolv.conf files in ${dhcpd_rootdir}/etc. This causes DHCP requests to timeout if hostnames are used in dhcpd.conf(5). Also, log timestamps are incorrect due to the absence of ${dhcpd_rootdir}/etc/localtime.
>How-To-Repeat:
Build and install net/isc-dhcp3-server with the default configuration.
>Fix:
The 3 separate patches below are meant to clarify which lines belong to which change; however, I have only tested the combined patch:

http://deathbeforedecaf.net/misc/patches/patch-isc-dhcpd.sh (83 lines)

Please use this version for any testing.

1. Only check for mount_devfs(8) if dhcpd_devfs_enable=YES:

--- isc-dhcpd.sh.orig Mon Dec 27 16:10:47 2004 +++ isc-dhcpd.sh Sat Jan 29 19:07:11 2005
@@ -343,7 +343,8 @@ err 1 "dhcpd_rootdir must be set" \ "if dhcpd_chroot_enable is enabled" fi - if ! ( type mount_devfs ) > /dev/null 2>&1; then + if checkyesno dhcpd_devfs_enable && + ! ( type mount_devfs ) > /dev/null 2>&1; then warn "dhcpd_devfs_enable disabled" \ "-- not available" dhcpd_devfs_enable=NO 2. Use 'MAKEDEV jail' to create devices for the chroot environment: --- isc-dhcpd.sh.orig Mon Dec 27 16:10:47 2004 +++ isc-dhcpd.sh Sat Jan 29 19:08:26 2005 @@ -30,6 +30,7 @@ dhcpd_chroot_enable=${dhcpd_chroot_enable:-"NO"} # runs chrooted? dhcpd_devfs_enable=${dhcpd_devfs_enable:-"YES"} # devfs if available? +dhcpd_makedev_enable=${dhcpd_makedev_enable:-"YES"} # use /dev/MAKEDEV? dhcpd_rootdir=${dhcpd_rootdir:-/var/db/${name}} # directory to run in # untested @@ -441,11 +442,18 @@ setup_chroot () { + local _mdev + + _mdev=MAKEDEV + if checkyesno paranoia && checkyesno dhcpd_chroot_enable; then safe_mkdir ${_dhcpd_rootdir} ${_dhcpd_devdir}/_ ${_dhcpd_confdir} # XXX /_ hack! so, .../dev is root owned. if checkyesno dhcpd_devfs_enable; then safe_mount ${_dhcpd_devdir} + elif checkyesno dhcpd_makedev_enable; then + safe_copy ${dhcpd_devdir}/$_mdev ${_dhcpd_devdir}/$_mdev + safe_run 0 sh -c "cd ${_dhcpd_devdir} && ./$_mdev jail bpf4" else safe_copy ${dhcpd_devdir} ${_dhcpd_devdir} fi BUGS: ${dhcpd_rootdir}/dev/MAKEDEV ends up owned by the dhcpd user - potential root exploit! 3. Copy files from /etc to ${dhcpd_rootdir}/etc as needed: --- isc-dhcpd.sh.orig Mon Dec 27 16:10:47 2004 +++ isc-dhcpd.sh Sat Jan 29 19:16:33 2005 @@ -384,6 +384,7 @@ dhcpd_rootdir= elif checkyesno paranoia && checkyesno dhcpd_chroot_enable; then dhcpd_devdir=${__dhcpd_devdir} + dhcpd_etcdir=${__dhcpd_etcdir} fi } 
@@ -403,6 +404,7 @@ { _dhcpd_rootdir=${dhcpd_rootdir} _dhcpd_devdir=${dhcpd_rootdir}${dhcpd_devdir} + _dhcpd_etcdir=${dhcpd_rootdir}${dhcpd_etcdir} _dhcpd_confdir=${dhcpd_rootdir}${dhcpd_confdir} _dhcpd_piddir=${dhcpd_rootdir}${dhcpd_piddir} _dhcpd_leasesdir=${dhcpd_rootdir}${dhcpd_leasesdir} @@ -441,15 +443,24 @@ setup_chroot () { + local _hosts _ltime _rconf + + _hosts=hosts + _ltime=localtime + _rconf=resolv.conf + if checkyesno paranoia && checkyesno dhcpd_chroot_enable; then - safe_mkdir ${_dhcpd_rootdir} ${_dhcpd_devdir}/_ ${_dhcpd_confdir} - # XXX /_ hack! so, .../dev is root owned. + safe_mkdir ${_dhcpd_rootdir} ${_dhcpd_devdir}/_ ${_dhcpd_etcdir}/_ ${_dhcpd_confdir} + # XXX /_ hack! so, .../dev, .../etc is root owned. if checkyesno dhcpd_devfs_enable; then safe_mount ${_dhcpd_devdir} else safe_copy ${dhcpd_devdir} ${_dhcpd_devdir} fi safe_copy ${dhcpd_conffile} ${_dhcpd_conffile} + safe_copy ${dhcpd_etcdir}/$_hosts ${_dhcpd_etcdir}/$_hosts + safe_copy ${dhcpd_etcdir}/$_ltime ${_dhcpd_etcdir}/$_ltime + safe_copy ${dhcpd_etcdir}/$_rconf ${_dhcpd_etcdir}/$_rconf fi } @@ -650,6 +661,7 @@ __dhcpd_uninstall="NO" # internal use only __dhcpd_devdir=/dev # devices directory +__dhcpd_etcdir=/etc # config directory __dhcpd_piddir=/var/run # pid file directory __dhcpd_leasesdir=/var/db # leases file directory #__dhcpd_rootdir=/var/db/${name} # root directory BUGS: ${dhcpd_rootdir}/etc/* end up owned by the dhcpd user - same problem. These patches are in http://deathbeforedecaf.net/misc/patches/ - please remember that only http://deathbeforedecaf.net/misc/patches/patch-isc-dhcpd.sh has been tested. >Release-Note: >Audit-Trail: >Unformatted:
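Review bot: in the @@ -343,7 hunk of patch 1, the new 'checkyesno dhcpd_devfs_enable &&' guard silences the warning only when the administrator has explicitly set dhcpd_devfs_enable=NO. The context line in patch 2 shows the default is "YES", so a stock 4.x install still prints "dhcpd_devfs_enable disabled -- not available" on every start. If that is the intended behaviour, document it in the comment beside the dhcpd_devfs_enable default so 4.x users know which knob to set.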
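Review bot: in the @@ -441,11 hunk of patch 2, the copied MAKEDEV is executed from inside the chroot's dev directory ('./$_mdev jail bpf4') after going through safe_copy, which per the BUGS note leaves it owned by the dhcpd user, and nothing removes it afterwards. Fix the owner and mode of ${_dhcpd_devdir}/$_mdev before the safe_run call, or delete it once the nodes exist, so that a script owned by the daemon's user is not left where the rc script executes it. The trailing 'else safe_copy ${dhcpd_devdir} ${_dhcpd_devdir}' branch still copies all of /dev when dhcpd_makedev_enable=NO, so item 2 of the description stays reachable, and the hard-coded 'bpf4' argument would be easier to tune as a variable next to dhcpd_makedev_enable.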
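Review bot: in the @@ -441,15 hunk of patch 3, the three new safe_copy calls for hosts, localtime and resolv.conf are unconditional, with no check that the source file exists, so a host that lacks one of them depends on whatever safe_copy does with a missing source at every start. Guard each call with a test such as '[ -f ${dhcpd_etcdir}/$_ltime ]'. The BUGS note says the copies end up owned by the dhcpd user, so this hunk should also set ownership after copying; otherwise the hosts and resolv.conf files that the chrooted daemon reads belong to the daemon's own user.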
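A check for the conditions the report lists (mem and kmem present under the chroot's dev, entries under dev and etc owned by someone other than root, an executable such as MAKEDEV left in dev), as an added example that is not part of the original message or the port. The function name audit_chroot and the MEMDEV/OWNER/EXEC labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the PR or the port. audit_chroot and its output
# labels are hypothetical names chosen for this illustration.
#
# usage: audit_chroot ROOTDIR [TRUSTED_UID]   e.g. audit_chroot "$dhcpd_rootdir"
# Prints one finding per line; returns 0 if the tree is clean, 1 otherwise.
audit_chroot() {
    _root=$1
    _uid=${2:-0}    # uid expected to own dev/ and etc/ (root by default)

    _out=$(
        # Item 2 of the report: memory devices copied from the host /dev.
        for _f in mem kmem; do
            if [ -e "$_root/dev/$_f" ]; then
                echo "MEMDEV $_root/dev/$_f"
            fi
        done

        # BUGS notes: entries under dev/ and etc/ owned by another user
        # (the dhcpd user in the report) can be altered by that user.
        for _d in dev etc; do
            if [ -d "$_root/$_d" ]; then
                find "$_root/$_d" ! -user "$_uid" -exec echo OWNER {} \;
            fi
        done

        # An executable regular file left in dev/, such as a copied MAKEDEV.
        if [ -d "$_root/dev" ]; then
            find "$_root/dev" -type f -perm -100 -exec echo EXEC {} \;
        fi
    )

    if [ -n "$_out" ]; then
        printf '%s\n' "$_out"
        return 1
    fi
    return 0
}
```

Run it as root against the directory named by dhcpd_rootdir after the rc script has set up the chroot; any output line is something to fix before the daemon starts.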