From 3863afcdfc5996f25741a41272c1a3bea0476692 Mon Sep 17 00:00:00 2001 From: Pavel Zhukov Date: Thu, 21 Feb 2019 10:30:28 +0100 Subject: [PATCH] Drop unnecessary capabilities dhclient (#517649, #546765), dhcpd/dhcrelay (#699713) --- client/Makefile.am | 3 ++- client/dhclient-script.8 | 10 ++++++++++ client/dhclient.8 | 29 +++++++++++++++++++++++++++++ client/dhclient.c | 24 ++++++++++++++++++++++++ configure.ac | 35 +++++++++++++++++++++++++++++++++++ relay/Makefile.am | 3 ++- relay/dhcrelay.c | 29 +++++++++++++++++++++++++++++ 7 files changed, 131 insertions(+), 2 deletions(-) diff --git a/client/Makefile.am b/client/Makefile.am index d177159..0689185 100644 --- a/client/Makefile.am +++ b/client/Makefile.am @@ -17,6 +17,7 @@ dhclient_LDADD = ../common/libdhcp.@A@ ../omapip/libomapi.@A@ \ @BINDLIBIRSDIR@/libirs.@A@ \ @BINDLIBDNSDIR@/libdns.@A@ \ @BINDLIBISCCFGDIR@/libisccfg.@A@ \ - @BINDLIBISCDIR@/libisc.@A@ + @BINDLIBISCDIR@/libisc.@A@ \ + $(CAPNG_LDADD) man_MANS = dhclient.8 dhclient-script.8 dhclient.conf.5 dhclient.leases.5 EXTRA_DIST = $(man_MANS) diff --git a/client/dhclient-script.8 b/client/dhclient-script.8 index 0db5516..2eddb8f 100644 --- a/client/dhclient-script.8 +++ b/client/dhclient-script.8 @@ -243,6 +243,16 @@ repeatedly initialized to the values provided by one server, and then the other. Assuming the information provided by both servers is valid, this shouldn't cause any real problems, but it could be confusing. +.PP +Normally, if dhclient was compiled with libcap-ng support, +dhclient drops most capabilities immediately upon startup. +While more secure, this greatly restricts the additional actions that +hooks in dhclient-script can take. For example, any daemons that +dhclient-script starts or restarts will inherit the restricted +capabilities as well, which may interfere with their correct operation. +Thus, the +.BI \-nc +option can be used to prevent dhclient from dropping capabilities. .SH SEE ALSO dhclient(8), dhcpd(8), dhcrelay(8), dhclient.conf(5) and dhclient.leases(5). diff --git a/client/dhclient.8 b/client/dhclient.8 index 7155cc5..9f1e435 100644 --- a/client/dhclient.8 +++ b/client/dhclient.8 @@ -135,6 +135,9 @@ dhclient - Dynamic Host Configuration Protocol Client .B -w ] [ +.B -nc +] +[ .B -B ] [ @@ -329,6 +332,32 @@ not to exit when it doesn't find any such interfaces. The program can then be used to notify the client when a network interface has been added or removed, so that the client can attempt to configure an IP address on that interface. +.TP +.BI \-nc +Do not drop capabilities. + +Normally, if +.B dhclient +was compiled with libcap-ng support, +.B dhclient +drops most capabilities immediately upon startup. While more secure, +this greatly restricts the additional actions that hooks in +.B dhclient-script (8) +can take. (For example, any daemons that +.B dhclient-script (8) +starts or restarts will inherit the restricted capabilities as well, +which may interfere with their correct operation.) Thus, the +.BI \-nc +option can be used to prevent +.B dhclient +from dropping capabilities. + +The +.BI \-nc +option is ignored if +.B dhclient +was not compiled with libcap-ng support. + .TP .BI \-n Do not configure any interfaces. This is most likely to be useful in diff --git a/client/dhclient.c b/client/dhclient.c index adcce50..7f202f9 100644 --- a/client/dhclient.c +++ b/client/dhclient.c @@ -41,6 +41,10 @@ #include #include +#ifdef HAVE_LIBCAP_NG +#include +#endif + /* * Defined in stdio.h when _GNU_SOURCE is set, but we don't want to define * that when building ISC code. @@ -271,6 +275,9 @@ main(int argc, char **argv) { int timeout_arg = 0; char *arg_conf = NULL; int arg_conf_len = 0; +#ifdef HAVE_LIBCAP_NG + int keep_capabilities = 0; +#endif /* Initialize client globals. */ memset(&default_duid, 0, sizeof(default_duid)); @@ -670,6 +677,10 @@ main(int argc, char **argv) { dhclient_request_options = argv[i]; + } else if (!strcmp(argv[i], "-nc")) { +#ifdef HAVE_LIBCAP_NG + keep_capabilities = 1; +#endif } else if (argv[i][0] == '-') { usage("Unknown command: %s", argv[i]); } else if (interfaces_requested < 0) { @@ -730,6 +741,19 @@ main(int argc, char **argv) { path_dhclient_script = s; } +#ifdef HAVE_LIBCAP_NG + /* Drop capabilities */ + if (!keep_capabilities) { + capng_clear(CAPNG_SELECT_CAPS); + capng_update(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_DAC_OVERRIDE); // Drop this someday + capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_NET_ADMIN, CAP_NET_RAW, + CAP_NET_BIND_SERVICE, CAP_SYS_ADMIN, -1); + capng_apply(CAPNG_SELECT_CAPS); + } +#endif + /* Set up the initial dhcp option universe. */ initialize_common_option_spaces(); diff --git a/configure.ac b/configure.ac index 2ca53ff..3276888 100644 --- a/configure.ac +++ b/configure.ac @@ -603,6 +603,41 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[void foo() __attribute__((noreturn)); # Look for optional headers. AC_CHECK_HEADERS(sys/socket.h net/if_dl.h net/if6.h regex.h) +# look for capabilities library +AC_ARG_WITH(libcap-ng, + [ --with-libcap-ng=[auto/yes/no] Add Libcap-ng support [default=auto]],, + with_libcap_ng=auto) + +# Check for Libcap-ng API +# +# libcap-ng detection +if test x$with_libcap_ng = xno ; then + have_libcap_ng=no; +else + # Start by checking for header file + AC_CHECK_HEADER(cap-ng.h, capng_headers=yes, capng_headers=no) + + # See if we have libcap-ng library + AC_CHECK_LIB(cap-ng, capng_clear, + CAPNG_LDADD=-lcap-ng,) + + # Check results are usable + if test x$with_libcap_ng = xyes -a x$CAPNG_LDADD = x ; then + AC_MSG_ERROR(libcap-ng support was requested and the library was not found) + fi + if test x$CAPNG_LDADD != x -a $capng_headers = no ; then + AC_MSG_ERROR(libcap-ng libraries found but headers are missing) + fi +fi +AC_SUBST(CAPNG_LDADD) +AC_MSG_CHECKING(whether to use libcap-ng) +if test x$CAPNG_LDADD != x ; then + AC_DEFINE(HAVE_LIBCAP_NG,1,[libcap-ng support]) + AC_MSG_RESULT(yes) +else + AC_MSG_RESULT(no) +fi + # Solaris needs some libraries for functions AC_SEARCH_LIBS(socket, [socket]) AC_SEARCH_LIBS(inet_ntoa, [nsl]) diff --git a/relay/Makefile.am b/relay/Makefile.am index 5562b69..4c5cfa6 100644 --- a/relay/Makefile.am +++ b/relay/Makefile.am @@ -8,6 +8,7 @@ dhcrelay_LDADD = ../common/libdhcp.@A@ ../omapip/libomapi.@A@ \ @BINDLIBIRSDIR@/libirs.@A@ \ @BINDLIBDNSDIR@/libdns.@A@ \ @BINDLIBISCCFGDIR@/libisccfg.@A@ \ - @BINDLIBISCDIR@/libisc.@A@ + @BINDLIBISCDIR@/libisc.@A@ \ + $(CAPNG_LDADD) man_MANS = dhcrelay.8 EXTRA_DIST = $(man_MANS) diff --git a/relay/dhcrelay.c b/relay/dhcrelay.c index 5e4a6a9..4c472a9 100644 --- a/relay/dhcrelay.c +++ b/relay/dhcrelay.c @@ -32,6 +32,11 @@ #include #include +#ifdef HAVE_LIBCAP_NG +# include + int keep_capabilities = 0; +#endif + TIME default_lease_time = 43200; /* 12 hours... */ TIME max_lease_time = 86400; /* 24 hours... */ struct tree_cache *global_options[256]; @@ -597,6 +602,10 @@ main(int argc, char **argv) { if (++i == argc) usage(use_noarg, argv[i-1]); dhcrelay_sub_id = argv[i]; +#endif + } else if (!strcmp(argv[i], "-nc")) { +#ifdef HAVE_LIBCAP_NG + keep_capabilities = 1; #endif } else if (!strcmp(argv[i], "-pf")) { if (++i == argc) @@ -667,6 +676,17 @@ main(int argc, char **argv) { #endif } +#ifdef HAVE_LIBCAP_NG + /* Drop capabilities */ + if (!keep_capabilities) { + capng_clear(CAPNG_SELECT_BOTH); + capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, + CAP_NET_RAW, CAP_NET_BIND_SERVICE, -1); + capng_apply(CAPNG_SELECT_BOTH); + log_info ("Dropped all unnecessary capabilities."); + } +#endif + if (!quiet) { log_info("%s %s", message, PACKAGE_VERSION); log_info(copyright); @@ -823,6 +843,15 @@ main(int argc, char **argv) { signal(SIGTERM, dhcp_signal_handler); /* kill */ #endif +#ifdef HAVE_LIBCAP_NG + /* Drop all capabilities */ + if (!keep_capabilities) { + capng_clear(CAPNG_SELECT_BOTH); + capng_apply(CAPNG_SELECT_BOTH); + log_info ("Dropped all capabilities."); + } +#endif + /* Start dispatching packets and timeouts... */ dispatch(); -- 2.31.1