[Bug 810946] Re: dhclient should drop capabilities
Marc Deslauriers marc.deslauriers at canonical.com
Tue Jun 26 18:49:33 UTC 2012

Our AppArmor profile for dhclient is a lot better than doing this:
+               capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+                               CAP_DAC_OVERRIDE); // Drop this someday
+               capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED,
+                               CAP_NET_ADMIN, CAP_NET_RAW,
+                               CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN, -1);
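Review bot: the capability set kept in these lines still includes CAP_SYS_ADMIN and CAP_DAC_OVERRIDE, so the process gives up little. CAP_DAC_OVERRIDE bypasses file permission checks and CAP_SYS_ADMIN gates a very wide range of privileged operations. The "// Drop this someday" comment on CAP_DAC_OVERRIDE should name the file access that needs it and the condition under which it can be removed, and the CAP_SYS_ADMIN entry in the capng_updatev() list needs the same justification or should be dropped. The return values of capng_update() and capng_updatev() are also ignored here; check them and treat a failure as fatal so the process never continues with a capability set other than the intended one.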
That's not dropping much, IMHO...
https://bugs.launchpad.net/bugs/810946
Title:
  dhclient should drop capabilities
Status in “isc-dhcp” package in Ubuntu:
  Confirmed
Bug description:
  Disclaimer: This is not a real bug report.  It is more a wish for a
  future version.
  The dhclient is running as root and thus needs special protection
  (OpenBSD implemented privilege separation, but unfortunately there is
  no patch for Linux available).
  Fedora added a patch to drop the capabilities of the process right
  after start:
  http://pkgs.fedoraproject.org/gitweb/?p=dhcp.git;a=blob;f=dhcp-4.2.2-capability.patch;h=1f31e1776d94cb8721b66e338999c8664f4fc74a;hb=HEAD
  This patch should be added to the dhclient in Ubuntu.