Bug 508247 - /etc/dhcp/dhcpd.conf is world-readable
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: dhcp
Version: rawhide
Hardware: All Linux
Priority: low
Severity: low
Assigned To: David Cantrell
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-06-26 06:38 EDT by Vincent Danen
Modified: 2009-06-30 03:46 EDT
Doc Type: Bug Fix
Last Closed: 2009-06-30 03:46:44 EDT
Description Vincent Danen 2009-06-26 06:38:33 EDT
According to a Gentoo bug report [1], the dhcpd.conf configuration file is world-readable.  I took a look at Fedora and RHEL5 and the same issue exists.  This isn't a major issue I don't think, but by default it could and should probably be mode 0600 as dhcpd is run fully as root and really only root needs access to this file.

[1] http://bugs.gentoo.org/show_bug.cgi?id=271309
Comment 1 David Cantrell 2009-06-26 16:43:22 EDT
The Gentoo bug mentions changing the ownership and permissions of the /etc/dhcp subdirectory, not just the dhcpd.conf file.  Would that not be a better approach?
Comment 2 Vincent Danen 2009-06-27 01:45:25 EDT
I think either way works.  I'm not sure what else, if anything, is being put in that directory, but making dhcpd.conf mode 0600 and the directory mode 0750 or 0700 would be fine.  You'd have to make sure there are no regressions with the directory mode change (again, as I'm unsure whether anything else would use it... I have my doubts since on RHEL5 we use /etc/dhcpd.conf so I suspect this directory should be exclusively used for that file).
Comment 3 David Cantrell 2009-06-27 06:01:53 EDT
I'll make the permission changes in the next rawhide build.

For F-11, I changed the dhcp package to have all configuration files stored in /etc/dhcp because the number of possible files was cluttering up /etc.  In /etc/dhcp, you can have:

dhcpd.conf
dhclient.conf
dhclient-DEVICE.conf
dhclient-DEVICE-up-hooks
dhclient-DEVICE-down-hooks

Additionally, I created the /etc/dhcp/dhclient.d directory and expanded dhclient-script to support executing scripts from that subdirectory.  The idea is that other packages can provide handlers for specific DHCP options.  As of now, there is ntp.sh and nis.sh provided by ntp and ypbind, respectively.

These changes will show up in RHEL 6.0.
Comment 4 Vincent Danen 2009-06-28 01:45:09 EDT
Ok, great.  In light of the above, changing the permissions on the directory sounds like the best way forward.  Thanks for the explanation and the fix.
Comment 5 David Cantrell 2009-06-30 03:46:44 EDT
Will be fixed in dhcp-4.1.0-22.fc12.
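
The two remediations weighed in comments 1 and 2 (dhcpd.conf at mode 0600, or the /etc/dhcp directory at 0750 or 0700) can be verified with the audit script below. It is an added example, not part of the bug report or the dhcp package. The function names and the optional stop-directory argument are assumptions for illustration, and only classic mode bits are checked (no ACLs or SELinux).

```shell
#!/bin/sh
# Added example: list files under a DHCP config directory that a user in the
# "other" class could actually read, taking parent directory modes into account.

# Succeeds if path $1 has every permission bit in $2 set (e.g. -004 for o+r).
has_perm() {
    [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# Succeeds if "other" can read file $1: the file needs o+r and every
# directory from the file's parent up to $2 (default /) needs o+x.
others_can_read() {
    file=$1
    stop=${2:-/}
    has_perm "$file" -004 || return 1
    dir=$(dirname "$file")
    while :; do
        has_perm "$dir" -001 || return 1      # traversal blocked at this level
        [ "$dir" = "$stop" ] && return 0
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Print each regular file under $1 (default /etc/dhcp) readable by "other".
# $2 is the highest directory to check; it exists so the audit can be run
# against a copy of the tree outside /etc.
audit_dhcp_dir() {
    root=${1:-/etc/dhcp}
    top=${2:-/}
    find "$root" -type f 2>/dev/null | while IFS= read -r f; do
        if others_can_read "$f" "$top"; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage:
#   audit_dhcp_dir                 # audits /etc/dhcp, walking parents up to /
#   audit_dhcp_dir /srv/copy/dhcp /srv/copy/dhcp
```

An empty result means no file in the tree is reachable by unprivileged users; with only dhcpd.conf tightened to 0600, other files in the directory such as the dhclient.d scripts are still listed.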
