[pkg-dhcp-devel] Running the DHCP server as non-root

Matt Zimmerman mdz at debian.org
Thu Jun 2 10:37:05 UTC 2011


On Mon, May 16, 2011 at 07:05:48AM +1000, Andrew Pollock wrote:
> On Sun, May 15, 2011 at 01:15:33PM +0200, Matt Zimmerman wrote:
> > I'm sure there are cases (like a build failure) where it wouldn't make
> > sense to wait because of the severity of the problem in Debian.  This
> > patch is obviously a different situation, but (in my opinion of course)
> > offers good long-term benefits to Debian users.
> 
> Yeah, fixing a build failure tends not to introduce new functionality, so
> that is a different ball of wax. I'm particularly loath to introduce
> distro-specific functionality, where upstream may introduce something
> similar but sufficiently different in the future, that it makes switching to
> the "proper" implementation more troublesome than just waiting for it to
> come in the first place. 
> 
> That isn't the case for the particular patch we're talking about here, but
> is the case for the patch Ubuntu applied to the client to allow it to send
> its hostname without hard-coding it. That functionality has finally landed
> in 4.2, and is implemented in a completely different manner to how the
> Ubuntu patch does it.

That is an unfortunate outcome, and I would be interested to explore how it
happened so that we can do better in the future.  Why was the Ubuntu
implementation considered unsuitable for upstream?  Could we have made the
upstream design or early implementation available to Ubuntu sooner?

> > It's been a couple of weeks, and I'm curious if you've got feedback from
> > upstream.  Would it help if I contacted them directly on behalf of Debian
> > and CCed you?
> 
> I had lunch with them on Thursday and went over a number of bugs and patches
> that I've escalated to them over the years, but are still unaddressed. The
> de-rooting patch was one I covered in particular, given the ongoing interest
> in it.

Thanks for bringing more visibility to this patch.  We would really like to
see Debian, Ubuntu and upstream all in sync with respect to this
functionality.

> In following up, they told me about the --enable-paranoia and
> --enable-early-chroot configure flags, which are apparently completely
> undocumented. I need to investigate these further and see how much they
> overlap with the existing de-rooting patch, if at all.

PARANOIA (something of a misnomer if you ask me) implements three options,
-user, -group and -chroot, which do what you would expect (setuid(),
setgroups() + setgid(), and chroot() at a certain point in execution).

EARLY_CHROOT simply causes the chroot() to happen at an earlier point in the
code.

The Ubuntu patch adds a drop_privileges() function, and two calls to it.
The first one drops all privileges except the needed capabilities, very
early on (first call in main()).  The second one (last thing before
dispatch()) drops those remaining capabilities leaving it completely
unprivileged.

The approach taken in Ubuntu provides stronger protection, but is
Linux-specific.

> They're talking about a 4.3 release coming out in the fall I think they
> said, so I'm hopeful now that I've repositioned the de-rooting patch on
> their radar, that they'll consider it for inclusion in that feature release.

Any update?

-- 
 - mdz
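The two-stage drop described above (setgroups()/setgid()/setuid() plus an optional chroot(), first keeping a small capability set, then clearing everything before the dispatch loop), written out as an added example. This is not dhcpd's code and not the Ubuntu patch; the function name drop_privileges() is borrowed from the description, the body is mine, and the choice of CAP_NET_BIND_SERVICE and CAP_NET_RAW as the capabilities a DHCP server would keep between the two calls is an assumption. It uses the raw capset()/capget() syscalls rather than libcap so it builds without extra libraries, and it is Linux-only for the same reason the Ubuntu approach is.

```c
/* Two-stage privilege drop for a daemon (added example, not dhcpd's code). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

#define CAP_BIT(c) (1ULL << (c))

/* Raw v3 capset/capget: avoids a libcap dependency. Two u32 words per set. */
static int raw_capget(struct __user_cap_header_struct *h, struct __user_cap_data_struct *d) {
    return (int)syscall(SYS_capget, h, d);
}
static int raw_capset(struct __user_cap_header_struct *h, struct __user_cap_data_struct *d) {
    return (int)syscall(SYS_capset, h, d);
}

/* Set permitted == effective == keep and clear the inheritable set. */
static int set_caps(unsigned long long keep) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].effective = data[0].permitted = (unsigned)(keep & 0xffffffffULL);
    data[1].effective = data[1].permitted = (unsigned)(keep >> 32);
    return raw_capset(&hdr, data);
}

/* Mask of capabilities currently in the permitted set (~0 on error). */
unsigned long long permitted_caps(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (raw_capget(&hdr, data) != 0) return ~0ULL;
    return ((unsigned long long)data[1].permitted << 32) | data[0].permitted;
}

/* First call: keep != 0, chroot (if requested), switch ids, keep only `keep`.
 * Second call: keep == 0, drop every remaining capability.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(const char *chroot_dir, uid_t uid, gid_t gid, unsigned long long keep) {
    if (chroot_dir != NULL) {
        /* chdir("/") after chroot(): otherwise the cwd still points outside the jail. */
        if (chroot(chroot_dir) != 0 || chdir("/") != 0) return -1;
    }
    if (geteuid() == 0) {
        /* KEEPCAPS preserves the permitted set across setuid(); effective is still cleared. */
        if (keep != 0 && prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
        /* Order matters: setgroups()/setgid() need CAP_SETGID, which a non-root setuid() removes. */
        if (setgroups(0, NULL) != 0) return -1;
        if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
        if (keep != 0 && prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) != 0) return -1;
    }
    /* Re-raise only the kept capabilities (or none) into the effective set. */
    if (set_caps(keep) != 0) return -1;
    /* Also forbid regaining privilege through setuid/file-capability binaries. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return 0;
}

int main(int argc, char **argv) {
    /* Assumed target ids (65534 is "nobody"/"nogroup" on many systems). */
    uid_t uid = argc > 1 ? (uid_t)atoi(argv[1]) : 65534;
    gid_t gid = argc > 2 ? (gid_t)atoi(argv[2]) : 65534;
    /* Stage 1, early in main(): keep what a DHCP server needs to bind port 67 and use raw sockets. */
    if (drop_privileges(NULL, uid, gid, CAP_BIT(CAP_NET_BIND_SERVICE) | CAP_BIT(CAP_NET_RAW)) != 0) {
        perror("stage 1"); return 1;
    }
    printf("after stage 1: uid=%u permitted=%#llx\n", (unsigned)getuid(), permitted_caps());
    /* ... open sockets here ... */
    /* Stage 2, last thing before the dispatch loop: nothing left. */
    if (drop_privileges(NULL, uid, gid, 0) != 0) { perror("stage 2"); return 1; }
    printf("after stage 2: permitted=%#llx\n", permitted_caps());
    return 0;
}
```

Run as root to see the full transition; run as a normal user, the id switch is skipped (there is nothing to drop) but the capability clearing and no_new_privs still apply. Note that the first stage is what makes the approach Linux-specific: there is no portable way to keep a subset of root's power after setuid(), which is why the PARANOIA flags stop at setuid()/setgid()/chroot().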
