Bug 76811 - [patch] Updates for net/isc-dhcp3-server running chrooted on 4.x
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-ports-bugs (Nobody)
Reported: 2005-01-29 11:30 UTC by Rob
Modified: 2005-03-10 13:38 UTC (History)
Description Rob 2005-01-29 11:30:16 UTC
The following comments apply to version 1.11 of
/usr/local/etc/rc.d/isc-dhcpd.sh:

1.  On 4.x, isc-dhcpd.sh always emits the warning

      WARNING: dhcpd_devfs_enable disabled -- not available

    even with dhcpd_devfs_enable=NO. Harmless, but annoying.

2.  On 4.x with dhcpd_chroot_enable=YES, the entire /dev directory is copied to
    ${dhcpd_rootdir}/dev, including mem and kmem. This could be considered a
    security risk.

3.  With dhcpd_chroot_enable=YES, DNS lookups fail due to the absence of hosts
    and resolv.conf files in ${dhcpd_rootdir}/etc. This causes DHCP requests to
    time out if hostnames are used in dhcpd.conf(5).

    Also, log timestamps are incorrect due to the absence of
    ${dhcpd_rootdir}/etc/localtime.

Fix: 

The 3 separate patches below are meant to clarify which lines belong to which
change; however, I have only tested the combined patch:

  http://deathbeforedecaf.net/misc/patches/patch-isc-dhcpd.sh (83 lines)

Please use this version for any testing.

1.  Only check for mount_devfs(8) if dhcpd_devfs_enable=YES:

	--- isc-dhcpd.sh.orig	Mon Dec 27 16:10:47 2004
	+++ isc-dhcpd.sh	Sat Jan 29 19:07:11 2005
	@@ -343,7 +343,8 @@
					err 1 "dhcpd_rootdir must be set" \
					      "if dhcpd_chroot_enable is enabled"
				fi
	-			if ! ( type mount_devfs ) > /dev/null 2>&1; then
	+			if checkyesno dhcpd_devfs_enable &&
	+			    ! ( type mount_devfs ) > /dev/null 2>&1; then
					warn "dhcpd_devfs_enable disabled" \
					     "-- not available"
					dhcpd_devfs_enable=NO
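
Review bot: The added `checkyesno dhcpd_devfs_enable &&` guard silences the warning only when dhcpd_devfs_enable=NO has been set explicitly; the default shown elsewhere in this script is "YES", so a stock 4.x install will still log "dhcpd_devfs_enable disabled -- not available" on every start. If that is the intended behaviour, a one-line comment above the test saying so would save the next reader the question.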

2.  Use 'MAKEDEV jail' to create devices for the chroot environment:

	--- isc-dhcpd.sh.orig	Mon Dec 27 16:10:47 2004
	+++ isc-dhcpd.sh	Sat Jan 29 19:08:26 2005
	@@ -30,6 +30,7 @@
	 
	 dhcpd_chroot_enable=${dhcpd_chroot_enable:-"NO"}	# runs chrooted?
	 dhcpd_devfs_enable=${dhcpd_devfs_enable:-"YES"}		# devfs if available?
	+dhcpd_makedev_enable=${dhcpd_makedev_enable:-"YES"}	# use /dev/MAKEDEV?
	 dhcpd_rootdir=${dhcpd_rootdir:-/var/db/${name}}		# directory to run in
	 
	 # untested
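
Review bot: The comment on the new dhcpd_makedev_enable line should state that the knob is consulted only when dhcpd_devfs_enable is off. Both default to "YES", and the setup_chroot hunk below tests devfs first, so the precedence is not obvious from the defaults block alone. Something like "# use /dev/MAKEDEV if devfs is not used?" would do.
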
	@@ -441,11 +442,18 @@
	 
	 setup_chroot ()
	 {
	+	local _mdev
	+
	+	_mdev=MAKEDEV
	+
		if checkyesno paranoia && checkyesno dhcpd_chroot_enable; then
			safe_mkdir ${_dhcpd_rootdir} ${_dhcpd_devdir}/_ ${_dhcpd_confdir}
			# XXX /_ hack! so, .../dev is root owned.
			if checkyesno dhcpd_devfs_enable; then
				safe_mount ${_dhcpd_devdir}
	+		elif checkyesno dhcpd_makedev_enable; then
	+			safe_copy ${dhcpd_devdir}/$_mdev ${_dhcpd_devdir}/$_mdev
	+			safe_run 0 sh -c "cd ${_dhcpd_devdir} && ./$_mdev jail bpf4"
			else
				safe_copy ${dhcpd_devdir} ${_dhcpd_devdir}
			fi
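
Review bot: The MAKEDEV script copied in the new elif branch stays in ${_dhcpd_devdir} after `./$_mdev jail bpf4` has run; nothing in this hunk removes it or resets its owner, which is the problem the BUGS note below describes. Suggest deleting ${_dhcpd_devdir}/$_mdev once the nodes exist, or forcing it to root ownership with a non-writable mode before it is executed. Two smaller points: the final else still copies all of ${dhcpd_devdir} when dhcpd_makedev_enable=NO, so the mem/kmem exposure remains on that path, and the hard-coded `bpf4` argument would be easier to adjust as a variable next to the other defaults.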

    BUGS: ${dhcpd_rootdir}/dev/MAKEDEV ends up owned by the dhcpd user -
    potential root exploit!

3.  Copy files from /etc to ${dhcpd_rootdir}/etc as needed:

	--- isc-dhcpd.sh.orig	Mon Dec 27 16:10:47 2004
	+++ isc-dhcpd.sh	Sat Jan 29 19:16:33 2005
	@@ -384,6 +384,7 @@
			dhcpd_rootdir=
		elif checkyesno paranoia && checkyesno dhcpd_chroot_enable; then
			dhcpd_devdir=${__dhcpd_devdir}
	+		dhcpd_etcdir=${__dhcpd_etcdir}
		fi
	 }
	 
	@@ -403,6 +404,7 @@
	 {
		_dhcpd_rootdir=${dhcpd_rootdir}
		_dhcpd_devdir=${dhcpd_rootdir}${dhcpd_devdir}
	+	_dhcpd_etcdir=${dhcpd_rootdir}${dhcpd_etcdir}
		_dhcpd_confdir=${dhcpd_rootdir}${dhcpd_confdir}
		_dhcpd_piddir=${dhcpd_rootdir}${dhcpd_piddir}
		_dhcpd_leasesdir=${dhcpd_rootdir}${dhcpd_leasesdir}
	@@ -441,15 +443,24 @@
	 
	 setup_chroot ()
	 {
	+	local _hosts _ltime _rconf
	+
	+	_hosts=hosts
	+	_ltime=localtime
	+	_rconf=resolv.conf
	+
		if checkyesno paranoia && checkyesno dhcpd_chroot_enable; then
	-		safe_mkdir ${_dhcpd_rootdir} ${_dhcpd_devdir}/_ ${_dhcpd_confdir}
	-		# XXX /_ hack! so, .../dev is root owned.
	+		safe_mkdir ${_dhcpd_rootdir} ${_dhcpd_devdir}/_ ${_dhcpd_etcdir}/_ ${_dhcpd_confdir}
	+		# XXX /_ hack! so, .../dev, .../etc is root owned.
			if checkyesno dhcpd_devfs_enable; then
				safe_mount ${_dhcpd_devdir}
			else
				safe_copy ${dhcpd_devdir} ${_dhcpd_devdir}
			fi
			safe_copy ${dhcpd_conffile} ${_dhcpd_conffile}
	+		safe_copy ${dhcpd_etcdir}/$_hosts ${_dhcpd_etcdir}/$_hosts
	+		safe_copy ${dhcpd_etcdir}/$_ltime ${_dhcpd_etcdir}/$_ltime
	+		safe_copy ${dhcpd_etcdir}/$_rconf ${_dhcpd_etcdir}/$_rconf
		fi
	 }
	 
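
Review bot: The three added safe_copy calls for $_hosts, $_ltime and $_rconf run unconditionally, with no test that the source file exists; a host without /etc/localtime or /etc/resolv.conf would hit a copy of a missing file. Unless safe_copy already tolerates a missing source, guard each call with a `[ -f ... ]` test on the source path. Note also that this hunk rewrites the same setup_chroot lines as the hunk in patch 2, so the two separate patches cannot be applied one after the other; that is worth stating next to the patches, not only in the introduction.
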
	@@ -650,6 +661,7 @@
	 
	 __dhcpd_uninstall="NO"			# internal use only
	 __dhcpd_devdir=/dev			# devices directory
	+__dhcpd_etcdir=/etc			# config directory
	 __dhcpd_piddir=/var/run			# pid file directory
	 __dhcpd_leasesdir=/var/db		# leases file directory
	 #__dhcpd_rootdir=/var/db/${name}	# root directory
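
Review bot: The comment "# config directory" on the new __dhcpd_etcdir line is easy to confuse with the existing dhcpd_confdir used in the earlier hunk. A comment that names what is taken from it, for example "# system /etc (hosts, resolv.conf, localtime)", would keep the two apart.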

    BUGS: ${dhcpd_rootdir}/etc/* end up owned by the dhcpd user - same problem.

These patches are in http://deathbeforedecaf.net/misc/patches/ - please remember
that only http://deathbeforedecaf.net/misc/patches/patch-isc-dhcpd.sh has been
tested.
How-To-Repeat: Build and install net/isc-dhcp3-server with the default configuration.
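
The following check is an added example, not part of the original report or of the port: it audits an existing chroot tree for the two concerns raised above (mem/kmem present under dev, and files under dev or etc owned by an account other than the expected one). The function name `audit_chroot` and its arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the port): audit a dhcpd chroot for the issues
# raised in this report.  Usage: audit_chroot ROOT [OWNER]
# OWNER is the account that should own everything under dev/ and etc/
# (default: root).  Prints one finding per line; prints nothing if clean.

audit_chroot() {
    root=$1
    owner=${2:-root}

    # Item 2 of the report: kernel memory devices copied into the chroot.
    # The name test matches whatever sits at dev/mem or dev/kmem.
    for node in mem kmem; do
        if [ -e "$root/dev/$node" ]; then
            echo "memory-device: $root/dev/$node"
        fi
    done

    # BUGS notes of patches 2 and 3: MAKEDEV and the copied etc files end
    # up owned by the dhcpd user.  Flag regular files and directories that
    # are not owned by OWNER or are world-writable.  Device nodes are left
    # out of this test because nodes such as null are world-writable by design.
    for dir in "$root/dev" "$root/etc"; do
        [ -d "$dir" ] || continue
        find "$dir" \( -type f -o -type d \) \
            \( ! -user "$owner" -o -perm -0002 \) -print |
            sed 's/^/owner-or-mode: /'
    done
}

# Run directly as: sh audit.sh ROOT [OWNER]
if [ "$#" -gt 0 ]; then
    audit_chroot "$@"
fi
```

Run it against the value of dhcpd_rootdir after the rc script has set up the chroot; an empty result means neither condition was found.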
Comment 1 Sergey Matveychuk freebsd_committer freebsd_triage 2005-03-10 13:37:29 UTC
State Changed
From-To: open->closed

Included in maintainer's ports/78613, thanks!