From owner-securedistros@nl.linux.org Wed Apr 26 07:46:34 2000
Received: by humbolt.nl.linux.org id <S92201AbQDZFpH>;
	Wed, 26 Apr 2000 07:45:07 +0200
Received: from ip-251.companions.de ([195.244.121.251]:33029 "HELO
        mail.lemuria.org") by humbolt.nl.linux.org with SMTP
	id <S92171AbQDZFoo>; Wed, 26 Apr 2000 07:44:44 +0200
Received: from lemuria.org by mail.lemuria.org
	via rsmtp with bsmtp
	id <m12kKSm-0015vnC@mail.lemuria.org>
	for <securedistros@nl.linux.org>; Wed, 26 Apr 2000 07:34:16 +0200 (MEST)
	(Smail-3.2 1996-Jul-4 #1 built 1999-Nov-8)
Received: by lemuria.org
	via sendmail with stdio
	id <m12kJnz-000HdwC@lemuria.org>
	for securedistros@nl.linux.org; Wed, 26 Apr 2000 06:52:07 +0200 (MEST)
	(Smail-3.2 1996-Jul-4 #1 built 1999-Nov-8)
Date:   Wed, 26 Apr 2000 06:52:07 +0200
From:   Tom Vogt <tom@lemuria.org>
To:     securedistros@nl.linux.org
Subject: hi
Message-ID: <20000426065207.A26154@lemuria.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre3i
X-Privacy: If you can, please encrypt your mails - finger for key
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

I just subscribed and wanted to say hi, asking who's here and what the
recent topics have been, are there any archives, FAQ, etc...


about me:

I'm currently behind the Nexus project, a split-off from kha0s after scott
decided to restart from scratch and several of us didn't want to throw
everything away, but continue with what we have. the project webpage is at
http://www.lemuria.org/Nexus


-- 
Welcome to the Information Superspyway
-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/

From owner-securedistros@nl.linux.org Wed Apr 26 15:33:58 2000
Received: by humbolt.nl.linux.org id <S92211AbQDZNcW>;
	Wed, 26 Apr 2000 15:32:22 +0200
Received: from mcs01-ext.med.nyu.edu ([128.122.2.2]:38257 "HELO
        apollo.phri.nyu.edu") by humbolt.nl.linux.org with SMTP
	id <S92197AbQDZNcB>; Wed, 26 Apr 2000 15:32:01 +0200
Received: (qmail 12199 invoked by uid 728); 26 Apr 2000 09:27:04 -0400
Date:   Wed, 26 Apr 2000 09:27:04 -0400
From:   ari <edelkind@phri.nyu.edu>
To:     securedistros@nl.linux.org
Subject: paranoia patch for ISC dhcp 2.0
Message-ID: <20000426092704.A9659@phri.nyu.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
Sender: owner-securedistros@nl.linux.org
Precedence: bulk
Reply-To: securedistros@nl.linux.org
Return-Path: <owner-securedistros@nl.linux.org>
X-Orcpt: rfc822;securedistros-list

I sent this to the openbsd ports list a little while ago... but it may be
appreciated here as well, especially by those who wish to distribute dhcp
with their linux distributions.

------

Though this isn't specifically a port, i assume most openbsd users would be
interested in a patch of this nature (as the ISC developers do not seem to
care).

This patch allows one to run dhcpd as a non-root user and in a chroot()ed
environment.  

My post to the dhcp-server mailing list (with more information) is located
at http://www.isc.org/ml-archives/dhcp-server/2000/04/msg00098.html .

I have also placed the patch at the following URL:
http://users.phri.nyu.edu/~edelkind/custom/public/patches/dhcp-2.0+paranoia.patch

ari

### cut here ###


paranoia (non-root/chroot) patch for ISC dhcp 2.0
file to patch: dhcp-2.0/server/dhcpd.c

Adds 3 options:

	-user <user>
	-group <group> 
	-chroot <chroot_dir>

Notes:
	-DPARANOIA must be added to the COPTS variable in server/Makefile
	after configuration.  Otherwise, the paranoia code will not be
	compiled in.

	You may need to change the ownership of the lease directory to the
	user you tell dhcpd to run as.  Otherwise, you may have problems
	rewriting the lease file.


ari edelkind (04/06/2000)


*** dhcp-2.0/server/dhcpd.c	Tue Jun 22 09:43:18 1999
--- dhcp-2.0+paranoia/server/dhcpd.c	Thu Apr  6 18:29:47 2000
***************
*** 55,60 ****
--- 55,68 ----
  #include "dhcpd.h"
  #include "version.h"
  
+ #ifdef PARANOIA
+ #	include <pwd.h>
+ /* get around the ISC's declaration of group */
+ #define group  real_group
+ #	include <grp.h>
+ #undef group
+ #endif
+ 
  static void usage PROTO ((char *));
  
  TIME cur_time;
***************
*** 92,98 ****
--- 100,114 ----
  	int daemon = 1;
  #endif
  	int quiet = 0;
+ #ifdef PARANOIA
+ 	char *set_user   = NULL;
+ 	char *set_group  = NULL;
+ 	char *set_chroot = NULL;
  
+ 	uid_t set_uid = 0;
+ 	gid_t set_gid = 0;
+ #endif
+ 
  	appname = strrchr (argv [0], '/');
  	if (!appname)
  		appname = argv [0];
***************
*** 139,144 ****
--- 155,174 ----
  			daemon = 0;
  #endif
  			log_perror = -1;
+ #ifdef PARANOIA
+ 		} else if (!strcmp (argv [i], "-user")) {
+ 			if (++i == argc)
+ 				usage (appname);
+ 			set_user = argv [i];
+ 		} else if (!strcmp (argv [i], "-group")) {
+ 			if (++i == argc)
+ 				usage (appname);
+ 			set_group = argv [i];
+ 		} else if (!strcmp (argv [i], "-chroot")) {
+ 			if (++i == argc)
+ 				usage (appname);
+ 			set_chroot = argv [i];
+ #endif
  		} else if (!strcmp (argv [i], "-cf")) {
  			if (++i == argc)
  				usage (appname);
***************
*** 201,206 ****
--- 231,280 ----
  #endif
  	}
    
+ #ifdef PARANOIA
+ 	/* get user and group info if those options were given */
+ 	if (set_user) {
+ 		struct passwd *tmp_pwd;
+ 
+ 		if (geteuid())
+ 			error ("you must be root to set user");
+ 
+ 		if (!(tmp_pwd = getpwnam(set_user)))
+ 			error ("no such user: %s", set_user);
+ 
+ 		set_uid = tmp_pwd->pw_uid;
+ 
+ 		/* use the user's group as the default gid */
+ 		if (!set_group)
+ 			set_gid = tmp_pwd->pw_gid;
+ 		
+ 	}
+ 
+ 	if (set_group) {
+ /* get around the ISC's declaration of group */
+ #define group real_group
+ 		struct group *tmp_grp;
+ 
+ 		if (geteuid())
+ 			error ("you must be root to set group");
+ 
+ 		if (!(tmp_grp = getgrnam(set_group)))
+ 			error ("no such group: %s", set_group);
+ 
+ 		set_gid = tmp_grp->gr_gid;
+ #undef group
+ 	}
+ 
+ 	if (set_chroot) {
+ 		if (geteuid())
+ 			error ("you must be root to use chroot");
+ 
+ 		if (chroot(set_chroot) != 0) {
+ 			error ("no such directory: %s", set_chroot);
+ 		}
+ 	}
+ #endif /* PARANOIA */
+ 
  	remote_port = htons (ntohs (local_port) + 1);
  
  	/* Get the current time... */
***************
*** 285,290 ****
--- 359,378 ----
  	}
  #endif /* !DEBUG */
  
+ #ifdef PARANOIA
+ 	/* change uid to the specified one */
+ 
+ 	if (set_gid) {
+ 		if (setgid (set_gid) != 0)
+ 			error ("couldn't set gid to %d", set_gid);
+ 	}	
+ 
+ 	if (set_uid) {
+ 		if (setuid (set_uid) != 0)
+ 			error ("couldn't set uid to %d", set_uid);
+ 	}
+ #endif
+ 
  	/* Set up the bootp packet handler... */
  	bootp_packet_handler = do_packet;
  
***************
*** 308,315 ****
--- 396,408 ----
  	note (url);
  	note ("");
  
+ #ifdef PARANOIA
+ 	warn ("Usage: %s [-p <UDP port #>] [-d] [-f] [-user <user>]", appname);
+ 	warn ("            [-group <group>] [-chroot <dir>] [-cf config-file]");
+ #else
  	warn ("Usage: %s [-p <UDP port #>] [-d] [-f] [-cf config-file]",
  	      appname);
+ #endif
  	error("            [-lf lease-file] [-pf pidfile] [if0 [...ifN]]");
  }
  
-
Securedistros: A common list for all secured Linux distributions
Archive:       http://humbolt.nl.linux.org/lists/