Bug 508247

Summary: /etc/dhcp/dhcpd.conf is world-readable
Product: [Fedora] Fedora Reporter: Vincent Danen <vdanen>
Component: dhcpAssignee: David Cantrell <dcantrell>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: rawhideCC: dcantrell, wwoods
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-06-30 07:46:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vincent Danen 2009-06-26 10:38:33 UTC 
According to a Gentoo bug report [1], the dhcpd.conf configuration file is world-readable.  I took a look at Fedora and RHEL5 and the same issue exists.  This isn't a major issue I don't think, but by default it could and should probably be mode 0600 as dhcpd is run fully as root and really only root needs access to this file.

[1] http://bugs.gentoo.org/show_bug.cgi?id=271309
Comment 1 David Cantrell 2009-06-26 20:43:22 UTC 
The Gentoo bug mentions changing the ownership and permissions of the /etc/dhcp subdirectory, not just the dhcpd.conf file.  Would that not be a better approach?
Comment 2 Vincent Danen 2009-06-27 05:45:25 UTC 
I think either way works.  I'm not sure what else, if anything, is being put in that directory, but making dhcpd.conf mode 0600 and the directory mode 0750 or 0700 would be fine.  You'd have to make there are no regressions with the directory mode change (again, as I'm unsure whether anything else would use it... I have my doubts since on RHEL5 we use /etc/dhcpd.conf so I suspect this directory should be exclusively used for that file).
Comment 3 David Cantrell 2009-06-27 10:01:53 UTC 
I'll make the permission changes in the next rawhide build.

For F-11, I changed the dhcp package to have all configuration files stored in /etc/dhcp because the number of possible files was cluttering up /etc.  In /etc/dhcp, you can have:

dhcpd.conf
dhclient.conf
dhclient-DEVICE.conf
dhclient-DEVICE-up-hooks
dhclient-DEVICE-down-hooks

Additionally, I created the /etc/dhcp/dhclient.d directory and expanded dhclient-script to support executing scripts from that subdirectory.  The idea is that other packages can provide handlers for specific DHCP options.  As of now, there is ntp.sh and nis.sh provided by ntp and ypbind, respectively.

These changes will show up in RHEL 6.0.
Comment 4 Vincent Danen 2009-06-28 05:45:09 UTC 
Ok, great.  In light of the above, changing the permissions on the directory sounds like the best way forward.  Thanks for the explanation and the fix.
Comment 5 David Cantrell 2009-06-30 07:46:44 UTC 
Will be fixed in dhcp-4.1.0-22.fc12.