
Security: Running dhcpcd as non root ? #87

Open
ebanDev opened this issue Feb 10, 2022 · 7 comments

Comments

@ebanDev

ebanDev commented Feb 10, 2022

Hello,
I was wondering, is it possible to run dhcpcd as a non-root user by setting the right caps? This could be interesting from a security perspective... Thanks :)

@rsmarples
Member

dhcpcd-9 already supports sandbox techniques for FreeBSD (capsicum), OpenBSD (pledge) and Linux (seccomp).

This means that the root-owned process doesn't directly handle any input from anything other than non-root-owned dhcpcd processes. It also does the bare minimum, i.e. it just carries out a pre-defined action from one of the non-root processes.

You're welcome to try and patch the root process not to run as root though if you can set the right caps for it :)

https://github.com/NetworkConfiguration/dhcpcd/blob/master/src/privsep-root.c
https://github.com/NetworkConfiguration/dhcpcd/blob/master/src/privsep-linux.c

@ebanDev
Author

ebanDev commented Feb 10, 2022

Thanks for your answer :D I don't code in C, so I'll not be able to patch anything unfortunately 😅

@dkwo

dkwo commented Dec 6, 2024

I had a similar thought here #417 using setpriv.
The capabilities net_admin and net_raw seem to be enough for wpa_supplicant.
What about the dhcpcd? Are the required capabilities documented anywhere?
I can of course try and experiment, but I could use some guidance.

@dkwo

dkwo commented Dec 6, 2024

As a raw, first experiment, I tried to run the dhcpcd daemon with a runit service that looks like

```sh
#!/bin/sh
# runit run script: create the runtime directory owned by the service user if missing
! [ -d /run/dhcpcd ] && install -m 700 -g _dhcpcd -o _dhcpcd -d /run/dhcpcd
# Drop to _dhcpcd and keep only net_admin and net_raw in every capability set
exec setpriv --reuid _dhcpcd --regid _dhcpcd --clear-groups \
  --ambient-caps -all,+net_admin,+net_raw \
  --inh-caps -all,+net_admin,+net_raw \
  --bounding-set -all,+net_admin,+net_raw \
  --no-new-privs -- dhcpcd -B ${OPTS:=-M}
```

and it works, although it complains about a bunch of things in the logs:

dhcp6_openudp: Permission denied
ps_inet_startcb: dhcp6_open: Permission denied
ps_dropprivs: chroot: /var/db/dhcpcd: Operation not permitted
failed to drop privileges: Operation not permitted

@rsmarples
Member

> What about the dhcpcd? Are the required capabilities documented anywhere? I can of course try and experiment, but I could use some guidance.

No they are not documented anywhere. Once you have reduced the warnings emitted to zero for all IPv4 and IPv6 operations then I guess everything is covered :)

A quick look through a man page suggests these caps: CAP_BPF, CAP_LEASE (for the pidfile), CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST, CAP_NET_RAW (might not be needed in dhcpcd-11), CAP_SETGID, CAP_SETUID, CAP_SYS_CHROOT.

It will likely need CAP_SYS_ADMIN, CAP_SYS_RAWIO and CAP_SYS_RESOURCE as well, but that will require some testing.

Good luck!

@dkwo

dkwo commented Dec 7, 2024

Thanks for pointing out the list.
If I don't use privsep, then in my tests +net_admin,+net_raw,+net_bind_service are enough to reduce warnings to zero.
Other more complex setups may require +cap_bpf as well.
Are you sure about CAP_NET_BROADCAST? Its man page says "(Unused)".
Most of the rest of those capabilities are probably only needed for privsep to function (e.g. it chroots...).

@dkwo

dkwo commented Dec 8, 2024

We should be careful with CAP_SETGID, CAP_SETUID, CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_SYS_RAWIO as they're considered root-equivalent. While CAP_BPF, CAP_LEASE, CAP_SYS_RESOURCE seem fine, I did not need to include them to reach zero warnings.
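One way to verify that a dhcpcd started through setpriv really ended up with only the intended capabilities, as an added example (not code from the dhcpcd project or from anyone in this thread): it reads the Cap* lines of /proc/<pid>/status, decodes them against the kernel's capability bit numbers, and reports anything outside the net_admin/net_raw/net_bind_service set found sufficient above, highlighting the ones the last comment calls root-equivalent. The allow-list and root-equivalent set come from the comments above; the script name is assumed.

```python
# Added example, not dhcpcd project code: decode the Cap* bitmasks from a
# /proc/<pid>/status dump and flag anything beyond the allow-list the
# thread found sufficient without privsep (net_admin, net_raw,
# net_bind_service). Bit numbers follow <linux/capability.h>.
import sys

# Capability names indexed by kernel bit number (CAP_CHOWN is bit 0).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin "
    "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
    "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
    "sys_tty_config mknod lease audit_write audit_control setfcap "
    "mac_override mac_admin syslog wake_alarm block_suspend audit_read "
    "perfmon bpf checkpoint_restore"
).split()

ALLOWED = {"net_admin", "net_raw", "net_bind_service"}
# Capabilities the thread calls root-equivalent.
ROOT_EQUIVALENT = {"setgid", "setuid", "sys_chroot", "sys_admin", "sys_rawio"}


def decode_mask(mask):
    """Turn a capability bitmask into the set of capability names."""
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def parse_status(text):
    """Return {'CapEff': {...}, 'CapBnd': {...}, ...} from a status dump."""
    caps = {}
    for line in text.splitlines():
        if line.startswith("Cap"):
            key, value = line.split(":", 1)
            caps[key.strip()] = decode_mask(int(value.strip(), 16))
    return caps


def audit(text, allowed=ALLOWED):
    """Return (excess, dangerous): capabilities held in any Cap* set beyond
    the allow-list, and the root-equivalent subset of those."""
    held = set().union(*parse_status(text).values())
    excess = held - allowed
    return excess, excess & ROOT_EQUIVALENT


if __name__ == "__main__":
    # Usage: python3 capaudit.py <pid>   (defaults to the current process)
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    with open(f"/proc/{pid}/status") as f:
        excess, dangerous = audit(f.read())
    print("excess:", sorted(excess), "root-equivalent:", sorted(dangerous))
```

Run it against the pid of the daemon after the service has started; an empty excess set means every Cap* set is within the allow-list.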
