Date: Sat, 30 Nov 2019 10:52:05 +0800 From: Ben Woods <woodsb02@gmail.com> To: Roy Marples <roy@marples.name> Cc: Hiroki Sato <hrs@allbsd.org>, Brooks Davis <brooks@freebsd.org>, driesm.michiels@gmail.com, freebsd-net <freebsd-net@freebsd.org>, Hiroki Sato <hrs@freebsd.org>, Julian Elischer <julian@freebsd.org> Subject: Re: DHCPv6 client in base Message-ID: <CAOc73CBSwJYtdVfNObhu=iAwN7NFc_BPXeY8iCf_UMPQtnnJ1w@mail.gmail.com> In-Reply-To: <26ba64b2-7c94-f4cf-980d-bcab8aa83bf7@marples.name> References: <CAOc73CBzvRD0Je5%2BXQJ9_UqTP2_cgJvc7_7JTU0fjKBCVnTt-w@mail.gmail.com> <20191014.043209.919156653743886519.hrs@allbsd.org> <f3c51ba5-ebad-4f2f-2ae5-ab08055f6b6b@marples.name> <20191015.215732.1618848784026596315.hrs@allbsd.org> <CAOc73CAMvh4dcN9c3tGaS2uu6C_OsbaTOT94dcQxgzcA4xp1vQ@mail.gmail.com> <26ba64b2-7c94-f4cf-980d-bcab8aa83bf7@marples.name>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, 29 Nov 2019 at 09:40, Roy Marples <roy@marples.name> wrote: > On 28/11/2019 22:50, Ben Woods wrote: > > It is not yet enabled by default until he gets more feedback from other= s > > that it is working ok. I intend to update the FreeBSD port to enable > > this feature (perhaps with a =E2=80=9C-devel=E2=80=9D port) to allow it= to be tested > > more easily on FreeBSD. > > Please add it as a new port - don't want to affect any current dhcpcd > users with privsep issues. > > I've already fixed a few issues based some initial feedback, but there > is an outstanding issue where dhcpcd will occasionally hang when exiting. > > Roy > Hi Roy, I have just added the new port net/dhcpcd-devel which uses the latest commit (273915d), and enables privilege separation. So far it seems to be working ok for me! Couple of comments / questions: 1. I have setup the low privileged user to be the existing FreeBSD user "_dhcp" [1]. Using a global CFLAG for this seems a bit clunky - it might be nicer if this could either be a configure option or a runtime option. 2. I have configured both /var/db/dhcpcd/ and /var/run/dhcpcd/ to have owner:group as _dhcp:_dhcp (the low privilege processes will have both read and write access to these folders). Is that correct? I note that the commit message referenced below [2] states read access is required to /var/db/dhcpcd/, but the text added to README.md states write access is required. 3. Can you please confirm the output below [3] looks right / matches your privilege separation design? [1] https://svnweb.freebsd.org/ports/head/net/dhcpcd-devel/Makefile?revision=3D= 518697&view=3Dmarkup#l26 [2] https://roy.marples.name/cgit/dhcpcd.git/commit/?id=3D0e5bfa4eb22f7b6412d23= b9548bf157f9fea88c2 [3] privilege separation output: # ps auxwwd | grep dhcpcd _dhcp 7652 0.0 0.0 12232 3012 - S 10:25 0:00.00 |-- dhcpcd: [master] [ip4] [ip6] (dhcpcd) root 7878 0.0 0.0 11724 2852 - S 10:25 0:00.00 | |-- dhcpcd: [privileged actioneer] (dhcpcd) _dhcp 10455 0.0 0.0 11724 2852 - S 10:25 0:00.00 | | `-- dhcpcd: [BPF ARP] wlan0 (dhcpcd) _dhcp 7903 0.0 0.0 11696 2844 - S 10:25 0:00.00 | `-- dhcpcd: [network proxy] (dhcpcd) # ls -lah /var/db/dhcpcd/ drwxr-xr-x 2 _dhcp _dhcp 3B Nov 30 10:28 . drwxr-xr-x 19 root wheel 34B Nov 30 10:28 .. -rw-r--r-- 1 _dhcp _dhcp 300B Nov 30 10:28 wlan0-mySSIDname.lease # ls -lah /var/run/dhcpcd/ drwxr-xr-x 3 _dhcp _dhcp 6B Nov 30 10:28 . drwxr-xr-x 20 root wheel 48B Nov 30 10:28 .. drwxr-xr-x 3 root _dhcp 3B Nov 30 10:28 hook-state -rw-r--r-- 1 _dhcp _dhcp 6B Nov 30 10:28 pid srw-rw---- 1 _dhcp _dhcp 0B Nov 30 10:28 sock srw-rw-rw- 1 _dhcp _dhcp 0B Nov 30 10:28 unpriv.sock # ls -lah /var/run/dhcpcd/hook-state/ drwxr-xr-x 3 root _dhcp 3B Nov 30 10:28 . drwxr-xr-x 3 _dhcp _dhcp 6B Nov 30 10:28 .. drwxr-xr-x 2 root _dhcp 2B Nov 30 10:28 ntp.conf # ls -lah /var/run/dhcpcd/hook-state/ntp.conf/ drwxr-xr-x 2 root _dhcp 2B Nov 30 10:28 . drwxr-xr-x 3 root _dhcp 3B Nov 30 10:28 .. Regards, Ben
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOc73CBSwJYtdVfNObhu=iAwN7NFc_BPXeY8iCf_UMPQtnnJ1w>