DHCPv6 client in base

Brooks Davis brooks at freebsd.org
Mon Oct 14 22:59:42 UTC 2019


On Tue, Oct 15, 2019 at 06:41:36AM +0800, Ben Woods wrote:
> On Sat, 12 Oct 2019 at 1:45 am, Brooks Davis <brooks at freebsd.org> wrote:
> 
> > DHCP is one of the most exposed attack surfaces in existence.  We expect
> > it to take input from explicitly untrustworthy networks and perform
> > actions as root.  It might be OK to import this as a stopgap only
> > supporting IPv6, but without capsicum or privilege separation (as noted
> > elsewhere in the thread) it seems unlikely to be a good idea to enable it
> > by default or replace the existing IPv4 dhclient.
> >
> > -- Brooks
> >
> Hi Brooks,
> 
> Thanks for the feedback.
> 
> Roy Marples (the main dhcpcd) has already begun working on privilege
> separating dhcpcd based on your feedback.
> 
> Have you or Roy got any thoughts on how the privilege separation might be
> structured?
> - main process
> - network listener
> - packet interpreter
> - hook runner and scripts
> 
> It's obviously the packet interpreter that is the risky part, but does not
> need privileges.
> 
> FreeBSD has the "_dhcp" user which I assume could be used for running these
> low privilege tasks?

It's worth taking a look at the separation in the existing dhclient.  They
have chosen to drop privilege in the main program and have a child which
retains privilege for sending packets, tweaking interface MTU, and running
the script.

> Roy is not intending to work on capsicum support in dhcpcd, but I think
> once the privilege separation has been done it will be easier to add that
> support.

The capsicum support in our client is pretty limited so that sounds like
a good approach.

-- Brooks
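
The split described above for the existing dhclient, as an added C sketch that is not part of the original message and is not dhclient's or dhcpcd's code: the process that would parse packets gives up root, while a forked child keeps privilege but accepts only a fixed-size request that it validates again. The request format, the MTU bounds and all function names are assumptions.

```c
#include <grp.h>
#include <pwd.h>
#include <stdint.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

struct req { uint32_t op, value; };    /* hypothetical format, not dhclient's */
enum { REQ_SET_MTU = 1 };

/* Privileged helper: refuse unknown ops and MTUs outside assumed bounds. */
static int32_t helper_check(const struct req *r)
{
    return (r->op == REQ_SET_MTU && r->value >= 68 && r->value <= 65535) ? 0 : -1;
}

/* Parser side: give up root for good (e.g. user "_dhcp" on FreeBSD). */
static int drop_privs(const char *user)
{
    struct passwd *pw = getpwnam(user);
    return (pw == NULL || setgroups(1, &pw->pw_gid) != 0 ||
        setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) ? -1 : 0;
}

/* Fork the helper, drop privilege unless user is NULL, send one request. */
int privsep_request(const char *user, uint32_t op, uint32_t value)
{
    struct req r = { op, value }, in;
    int32_t status = -1;
    int sv[2];
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if ((pid = fork()) == 0) {      /* child keeps privilege, never sees a packet */
        close(sv[0]);
        if (read(sv[1], &in, sizeof(in)) == (ssize_t)sizeof(in))
            status = helper_check(&in);
        _exit(write(sv[1], &status, sizeof(status)) < 0);
    }
    close(sv[1]);
    if (pid < 0 || (user != NULL && drop_privs(user) != 0) ||
        write(sv[0], &r, sizeof(r)) != (ssize_t)sizeof(r) ||
        read(sv[0], &status, sizeof(status)) != (ssize_t)sizeof(status))
        status = -1;
    close(sv[0]);
    if (pid > 0) waitpid(pid, NULL, 0);
    return status;
}

int main(void) { return privsep_request(NULL, REQ_SET_MTU, 1500) != 0; }
```

Passing a user name instead of NULL makes the parent drop to that account before it sends anything, which only succeeds when the program starts as root.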