Date: Mon, 18 Apr 2011 08:32:25 +0300
From: Nikola Nikov <nikolanikov@...connect.bg>
To: owl-dev@...ts.openwall.com
Subject: Re: DHCP client

I found this one: https://redmine.user.in-berlin.de/projects/dhclient-openbsd
A port of OpenBSD's dhclient to Linux, one with privilege sep.

I'm going to test it and write you the results.

Also I found http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0997
And I'm going to test whether it is vulnerable, because I don't see any
hostname updates in the current dhclient-script (but we may make some
changes).


I compiled it successfully, but it needs libbsd.


On 4/17/2011 6:57 AM, Solar Designer wrote:
> On Sun, Apr 17, 2011 at 07:47:01AM +0400, Solar Designer wrote:
>> We need a DHCP client with privilege separation.  Juan on our team did
>> some work on this several years ago, but he never completed it and he is
>> not going to.  Meanwhile, OpenBSD implemented privsep in their fork of
>> ISC's dhclient, and this code got into FreeBSD and DragonFly BSD, but it
>> has not yet been ported to Linux (as far as I'm aware).
> Here's their code:
>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sbin/dhclient/
>
> At least dhclient-script will need changes for Linux.  Maybe we should
> base it on ISC's original rather than on the revision in OpenBSD.
>
>> I think that we should either port OpenBSD's dhclient to Linux ...
> If that's what we do, we could either include patches against OpenBSD's
> code like we do for mailx, mtree, telnet:
>
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/mailx/
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/mtree/
> http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/telnet/
>
> (yes, this stuff hasn't been updated for a long time...), or we could
> keep the entire thing in our native tree.  I think the latter will work
> better if we're to release this Linux port separately from Owl, which I
> think would be a good thing to do.  Similarly, I think it makes sense
> for us to get at least mtree fully into our tree and release it (mtree
> for Linux or portable mtree) separately from Owl (in addition to
> continuing to develop and use it as part of Owl, indeed).
>
> Alexander
>
