nixos/dhcpcd: harden and run as unprivileged user #336988
nixos/dhcpcd: harden and run as unprivileged user #336988rnhmjoj merged 7 commits intoNixOS:stagingfrom
Conversation
d4e2357 to
c346c93
Compare
|
I did some more extensive testing and fixed a couple of mistakes.
|
c346c93 to
7f28314
Compare
|
Why is the move from /var/db to /var/lib done? |
I initially intended to use Anyway, I guess it still makes sense to use /var/lib as it's the path used by the vast majority of services in NixOS. |
I run |
044eab9 to
fe0f134
Compare
|
Fixed merge conflicts. |
fe0f134 to
1a62b54
Compare
|
Fixed more merge conflicts. |
|
I'm reasonably confident with my testing. If no one has any objections I'm going to merge it this weekend. |
This group is useful to allow specific users to run resolvconf and (and this modify /etc/resolv.conf) without root privileges.
The priviledge separation mode has several downsides:
- it's incompatible with alternative memory allocators, including
graphene-hardened;
- it needs an unreleased patch to fix a crash;
- it results in none less than 6 subprocesses running at any time,
increasing the memory usage;
- the privileged process (albeit not doing any networking related
tasks) is still running as root, so it has complete access to the
system.
Let's disable this by default and instead run dhcpcd as an unpriviledge
user with only the necessary capabilities.
This workaround for NTP daemons has been there for 12 years and is most likely not needed anymore.
1a62b54 to
67700c5
Compare
|
i don't think there's much harm in setting CapabilityBoundingSet, but if you trust that the capability system behaves as described, there's no need. see: |
|
There are errors in the logs of the dhcpcd service: and |
|
I can reproduce it with |
|
Yes, that test is blocking the |
|
Can we revert and revisit later now that a blocking test case has been identified and no clear path forward has been presented? |
|
I have a fix for the race condition, #348305. The second error does not seem critical. |
|
I'm using dhcpcd with dnsmasq and getting: This one is actually breaking because it can't write the dnsmasq config. I'll try to get it working by porting what it does for resolv.conf to these files. |
|
Something like this maybe? |
Can you share your config so I can test this setup? |
I think |
Looks good: I would just name the option
|
|
@rnhmjoj sounds good. Would you like me to make a PR? |
|
Yes, please. |
|
@rnhmjoj seems like it also needs Also, even with that added: It appears the metrics sub-directory doesn't have the group and permissions needed to enable this: |
I haven't seen this one before, strange. It looks correct: it appers to be writing to
This one is puzzling, because it's resolvconf itself that is creating the file (if you look at line 945) and the directory is writable. I still haven't figured out whats going on exactly. Anyway, if you have a single interface metrics don't matter. EDIT: just for my curiosity, does you DHCP server provide more than one IP address? |
The But yes, the metrics issue isn't problematic for my use-cases currently, which is good for me. |
The source of the incorrect permissions was the network-setup script invoking |
|
Hello, I don't really understand the reason for this change but this breaks dynamic hostname fetching with DHCP. |
|
If you can describe me a bit your setup and how it fails with hardening, I can try to help. Anyway, the reason for this change is that dhcpcd is a demon with root privileges, network access, written in a memory unsafe language, which is quite a combination. It has a built-in security mechanism to mitigate this, but it caused some issues, so it's better to use systemd to isolate it. By default the daemon has limited permissions, which is fine for a majority of users. |
|
I understand but this was utterly frustrating to stumble across because I don't believe my use-case is rare at all (cloud VMs or anything that uses network boot) and I would have had expected more thorough testing of the basic features of a DHCP client after such a breaking change. Anyway, I managed to fix this with the following: Let me know if this makes sense to you and I can make a PR. This took even more time to debug because yet another breaking change happened in #359571 which has a side effect of changing the default hostname from |
|
Sorry, but the basic features are configuring addresses, routes and nameservers, which is what is been tested in NixOS. Your use case may not be rare, but I personally never used it, nor anyone else that maintains NixOS networking tests... I don't think CAP_SYS_ADMIN is acceptable, at least not by default: it's so overloaded that's basically running as root again. |
|
The host name is being set from a shell hook, so it should be easy to fix both issues:
|
|
I'm not sure it's that easy. I'm not very familiar with polkit but from what I understand I don't think we can use it here because NixOS doesn't use systemd-hostnamed. I'm guessing sudo is one way to go but that means we have to patch the hook or wrap hostname. |
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: |
Description of changes
These changes replace the dhcpcd privsep mode with a combination of POSIX capabilities and systemd security features that allow to fully run dhcpcd as an unprivileged user. See the commit messages for why I think this is an improvement.
There are a couple of backward incompatibilities, but most users shouldn't notice any difference.
Things done
dhcpcd.testsI re-created the PR because I messed up the staging rebase, as usual.