Red Hat Bugzilla – Full Text Bug Listing
|Summary:||/etc/dhcp/dhcpd.conf is world-readable|
|Product:||[Fedora] Fedora||Reporter:||Vincent Danen <vdanen>|
|Component:||dhcp||Assignee:||David Cantrell <dcantrell>|
|Status:||CLOSED RAWHIDE||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Doc Type:||Bug Fix||Last Closed:||2009-06-30 03:46:44 EDT|
Description Vincent Danen 2009-06-26 06:38:33 EDT
According to a Gentoo bug report, the dhcpd.conf configuration file is world-readable. I took a look at Fedora and RHEL5 and the same issue exists. This isn't a major issue I don't think, but by default it could and should probably be mode 0600 as dhcpd is run fully as root and really only root needs access to this file.
http://bugs.gentoo.org/show_bug.cgi?id=271309
Comment 1 David Cantrell 2009-06-26 16:43:22 EDT
The Gentoo bug mentions changing the ownership and permissions of the /etc/dhcp subdirectory, not just the dhcpd.conf file. Would that not be a better approach?
Comment 2 Vincent Danen 2009-06-27 01:45:25 EDT
I think either way works. I'm not sure what else, if anything, is being put in that directory, but making dhcpd.conf mode 0600 and the directory mode 0750 or 0700 would be fine. You'd have to make sure there are no regressions with the directory mode change (again, as I'm unsure whether anything else would use it... I have my doubts since on RHEL5 we use /etc/dhcpd.conf so I suspect this directory should be exclusively used for that file).
Comment 3 David Cantrell 2009-06-27 06:01:53 EDT
I'll make the permission changes in the next rawhide build. For F-11, I changed the dhcp package to have all configuration files stored in /etc/dhcp because the number of possible files was cluttering up /etc. In /etc/dhcp, you can have:
    dhcpd.conf
    dhclient.conf
    dhclient-DEVICE.conf
    dhclient-DEVICE-up-hooks
    dhclient-DEVICE-down-hooks
Additionally, I created the /etc/dhcp/dhclient.d directory and expanded dhclient-script to support executing scripts from that subdirectory. The idea is that other packages can provide handlers for specific DHCP options. As of now, there is ntp.sh and nis.sh provided by ntp and ypbind, respectively. These changes will show up in RHEL 6.0.
Comment 4 Vincent Danen 2009-06-28 01:45:09 EDT
Ok, great. In light of the above, changing the permissions on the directory sounds like the best way forward. Thanks for the explanation and the fix.
Comment 5 David Cantrell 2009-06-30 03:46:44 EDT
Will be fixed in dhcp-4.1.0-22.fc12.
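A permission audit for the layout discussed in this bug, as an added shell example that is not part of the original report or of the dhcp package: it lists entries that grant any access to other users, and applies mode 0600 to dhcpd.conf and 0750 to the directory. The function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and tighten a DHCP configuration directory.
# Modes follow the bug discussion: dhcpd.conf 0600, directory 0750.

# Print every entry under $1 (the directory itself included) whose mode
# grants read, write or execute to "other". Symlinks are skipped because
# their own mode bits are not meaningful. Prints nothing for a clean tree.
audit_other_access() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Apply the modes proposed in the thread. Only the directory and
# dhcpd.conf are changed; dhclient files and dhclient.d are left alone
# so that handler scripts from other packages keep working.
harden_dhcp_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chmod 0750 "$dir" || return 1
    if [ -f "$dir/dhcpd.conf" ]; then
        chmod 0600 "$dir/dhcpd.conf" || return 1
    fi
}

# Build a constructed sample tree with the file names listed in Comment 3
# and the world-readable modes the bug describes. Prints the tree's path.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/dhclient.d"
    : > "$t/dhcpd.conf"
    : > "$t/dhclient.conf"
    : > "$t/dhclient.d/ntp.sh"
    chmod 0755 "$t" "$t/dhclient.d" "$t/dhclient.d/ntp.sh"
    chmod 0644 "$t/dhcpd.conf" "$t/dhclient.conf"
    echo "$t"
}

# Stand-alone use: sh audit.sh /etc/dhcp   (reports only, changes nothing)
[ "$#" -eq 0 ] || audit_other_access "$1"
```

Entries that are still reported inside a 0750 directory cannot be reached by other users while that directory mode holds, but they become readable again if the directory is later loosened.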