The dhcp-4.1.0p1-capability.patch causes dhclient to remove all unnecessary capabilities, unconditionally in main() after startup:

    #ifdef HAVE_LIBCAP_NG
    /* Drop capabilities */
    capng_clear(CAPNG_SELECT_BOTH);
    capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED|CAPNG_BOUNDING_SET,
                  CAP_NET_ADMIN, CAP_KILL, CAP_NET_RAW, CAP_NET_BIND_SERVICE, -1);
    capng_apply(CAPNG_SELECT_BOTH);
    #endif

Unfortunately, this patch severely breaks the ability of the scripts in /etc/dhcp/dhclient.d/* to perform necessary functions, such as restarting daemons. Even when daemons can be successfully restarted, they are often crippled, because they do not have capabilities they need. A good example is ntpd, when it is running and restarted by /etc/dhcp/dhclient.d/ntp.sh:

    2009-12-11T15:01:13.513244-05:00 farslayer ntpd[21534]: Cannot initgroups() to user `ntp': Operation not permitted

Other daemons cannot be restarted at all. For example, I created a /etc/dhcp/dhclient.d/dnsmasq.sh, but it cannot send signals to the running dnsmasq process:

    7512 kill(7329, SIGTERM) = -1 EPERM (Operation not permitted)

The goal of ratcheting down the capabilities of dhclient is a good one, but dhclient *MUST* pass on full capabilities to /sbin/dhclient-script when it execve()'s it. I haven't mucked around with capabilities for a while, but I think in essence you need to replace CAPNG_PERMITTED with CAPNG_INHERITABLE in the code above, and then call capng_fill(CAPNG_SELECT_CAPS) and capng_apply(CAPNG_SELECT_CAPS) just before calling execve() on /sbin/dhclient-script.
Actually, my suggestion is wrong; you can't monkey with the bounding set, as that will prevent capng_fill from restoring all capabilities to the inheritable set. And you can't use capng_clear() at all, because there's no way to tell it not to clear the inheritable set. I think something like this:

    #ifdef HAVE_LIBCAP_NG
    /* Drop capabilities */
    capng_updatev(CAPNG_DROP, CAPNG_EFFECTIVE|CAPNG_INHERITABLE,
                  list_all_caps_but_the_ones_we_want_to_retain, -1);
    capng_apply(CAPNG_SELECT_CAPS);
    #endif

Then later, in script_go():

    #ifdef HAVE_LIBCAP_NG
    capng_fill(CAPNG_SELECT_CAPS);
    capng_apply(CAPNG_SELECT_CAPS);
    #endif
    execve (scriptName, argv, envp);

...will do the right thing, but I haven't tested it.
Doh. That should have been: "And you can't use capng_clear() at all, because there's no way to tell it not to clear the PERMITTED set."
I've found that if I back off the patch related to bug #517649 in the dhcp.spec file, it allows the /etc/dhcp/dhclient-exit-hooks script to be used as it was in the past. Here is my crude workaround to the problem:

Downloaded and installed the source RPM:

    yumdownloader --source dhclient
    rpm -ivh dhcp*

Tweak the spec file by bumping the release number and commenting out %patch23 -p1 in the dhclient section of the dhcp.spec file:

    # Drop unnecessary capabilities in dhclient (#517649)
    # %patch23 -p1

Built and installed the new dhclient RPM. After installing the new build of the dhclient, you should be able to use commands like the following in your /etc/dhcp/dhclient-exit-hooks script once again:

    #!/bin/bash
    [ "${new_domain_name}" != "" ] && domainname "${new_domain_name}";
Removing the patch that drops capabilities will fix the problem, obviously. But dropping unnecessary capabilities is a good thing. dhclient just needs to do it in such a way that it can execve() the dhclient-script with full capabilities.
Steve, Adding you to the CC list for this bug because you provided the capabilities for dhclient back in August. Looks like it's causing some issues for people now.
I'm looking at this. Maybe we need a config option to disable dropping capabilities. When file based capabilities are enabled in the kernel it's either an all or none proposition. If you want tight confinement, you have to clear the bounding set so that child processes are crippled. Otherwise an attacker just execs a child and they regain full capabilities which is no confinement.
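To make the trade-off discussed in the first comment and in the bounding-set remark above concrete, here is an added illustration (not code from this thread, from dhclient or from libcap-ng). It models the capability transformation the kernel applies at execve(), per capabilities(7), for a uid-0 process running a file that carries no file capabilities, which is the case for /sbin/dhclient-script. The capability bit numbers are those of <linux/capability.h>; CAP_LAST_CAP = 40 is an assumption about current kernels and only fixes the width of the "all" mask, and ambient capabilities (Linux 4.3 and later, after this thread) are left out. The first scenario is the state dhclient is in after the capng_clear()/capng_updatev() sequence from the patch; the second keeps the same four capabilities but leaves the bounding set full, which is the situation the comment above warns about.

```c
#include <stdint.h>
#include <stdio.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_KILL              5
#define CAP_SETGID            6
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_ADMIN        12
#define CAP_NET_RAW          13
#define CAP_SYS_ADMIN        21
#define CAP_LAST_CAP         40   /* assumption: highest capability number in current kernels */

#define CAP_BIT(c) ((uint64_t)1 << (c))
#define ALL_CAPS   (CAP_BIT(CAP_LAST_CAP + 1) - 1)

/* The four capabilities the dhcp-4.1.0p1-capability.patch retains. */
#define PATCH_CAPS (CAP_BIT(CAP_NET_ADMIN) | CAP_BIT(CAP_KILL) | \
                    CAP_BIT(CAP_NET_RAW) | CAP_BIT(CAP_NET_BIND_SERVICE))

struct caps {
    uint64_t effective, permitted, inheritable, bounding;
};

/*
 * Capability transformation at execve(), per capabilities(7), for a uid-0
 * process executing a file with no file capabilities.  For such a file the
 * kernel treats the file's inheritable and permitted sets as "all" and the
 * file's effective bit as set, so:
 *   P'(permitted)   = (P(inheritable) & F(inheritable)) | (F(permitted) & P(bounding))
 *   P'(effective)   = F(effective) ? P'(permitted) : 0
 *   P'(inheritable) = P(inheritable)
 *   P'(bounding)    = P(bounding)
 * Ambient capabilities are not modelled.
 */
struct caps exec_root_no_filecaps(struct caps parent)
{
    struct caps child;
    child.permitted   = (parent.inheritable & ALL_CAPS) | (ALL_CAPS & parent.bounding);
    child.effective   = child.permitted;
    child.inheritable = parent.inheritable;
    child.bounding    = parent.bounding;
    return child;
}

/* dhclient after the patch's capng_clear()/capng_updatev()/capng_apply():
 * effective, permitted and bounding set reduced to four capabilities,
 * inheritable set cleared. */
struct caps dhclient_after_patch(void)
{
    struct caps c = { PATCH_CAPS, PATCH_CAPS, 0, PATCH_CAPS };
    return c;
}

/* Same four capabilities, but with the bounding set left full. */
struct caps dhclient_bounding_kept(void)
{
    struct caps c = { PATCH_CAPS, PATCH_CAPS, 0, ALL_CAPS };
    return c;
}

/* 1 if the capability is in the effective set, else 0. */
int has_cap(struct caps c, int cap)
{
    return (c.effective & CAP_BIT(cap)) != 0;
}

int main(void)
{
    struct caps patched = exec_root_no_filecaps(dhclient_after_patch());
    struct caps kept    = exec_root_no_filecaps(dhclient_bounding_kept());

    /* With the bounding set trimmed, the script inherits only the four
     * retained capabilities: sethostname(2) (CAP_SYS_ADMIN) and
     * initgroups(3) (CAP_SETGID) fail with EPERM. */
    printf("patch as shipped: script has CAP_SYS_ADMIN=%d CAP_SETGID=%d CAP_KILL=%d\n",
           has_cap(patched, CAP_SYS_ADMIN), has_cap(patched, CAP_SETGID),
           has_cap(patched, CAP_KILL));

    /* With the bounding set left full, a uid-0 child regains everything,
     * so dropping capabilities in dhclient confines nothing that execs. */
    printf("bounding set kept: script effective mask %#llx, all caps %#llx\n",
           (unsigned long long)kept.effective, (unsigned long long)ALL_CAPS);
    return 0;
}
```

The model shows why the two goals in this bug conflict: the same bounding-set trim that makes the hooks lose CAP_SYS_ADMIN and CAP_SETGID is the only thing that stops any child of dhclient from getting a full capability set back at execve().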
Using the configuration option, would it work in the following manner?

- dhclient binary restricts capabilities initially
- If /sbin/dhclient-script is present and dhclient is configured to run /sbin/dhclient-script with full capabilities, then:
  - Temporarily lift the capabilities restriction (is that possible?)
  - Invoke /sbin/dhclient-script
  - Restrict capabilities again after invoking the script
- Otherwise
  - Invoke /sbin/dhclient-script (if present) with restricted capabilities

The above would definitely work in our situation. We could configure dhclient to invoke /sbin/dhclient-script without the capabilities restriction in effect. This would allow us to do things like set the domainname to match the value returned by the DHCP server. Whether or not you choose the default configuration to be to enable or disable these capabilities might be another matter. I'm not sure how many other users are impacted by running /sbin/dhclient-script with reduced capabilities. I'm guessing that most users impacted by the reduced capabilities will grumble about configuring the new option - but I'm sure they'll be able to figure it out.
There is no way to temporarily lift capabilities. If there were, then all an attacker has to do is add that to their exploit. Can these scripts get run at any point while a machine is up, or are they all run near the point in time when the daemon starts? If so, I could move the dropping of capabilities. If they get run at any point when the machine is up, would a command line option that could be put in /etc/sysconfig/dhclient be preferable over adding something to the config file? If the command line option is best, any suggestions/preferences for the name? --no-caps?
These scripts are run any time dhclient changes state. REBIND, RENEW, and so on of the DHCP protocol states. I think a command line option to dhclient is fine. Given that dhclient uses short options only, I would like to see one that fits that naming style rather than adding --no-caps. Well, I guess it's sort of short options. It has things like -cf, for instance. Maybe "-nc".
This capabilities patch also breaks setting the hostname via DHCP - which is part of the standard /sbin/dhclient-script. sethostname(2) wants CAP_SYS_ADMIN or it fails. The error during boot/ifup is "hostname: you must be root to change the host name" - hopefully that helps other people find this bug (it took us a good few hours to get to the bottom of it) For the moment we have just reverted this patch locally to get a working dhclient... it would be nice to get a proper fix for this.
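The quickest way to tell whether a hook is running with the trimmed capability set, rather than guessing from messages like "you must be root to change the host name", is to read the Cap* lines of /proc/<pid>/status from inside the script. The following is an added example (not code from this thread or from dhclient) that parses such a status text and reports which of the capabilities the operations in this bug depend on are absent from the effective set. The status text is constructed to match a hook spawned by a dhclient that kept only CAP_NET_ADMIN, CAP_KILL, CAP_NET_RAW and CAP_NET_BIND_SERVICE (bits 12, 5, 13 and 10, mask 0x3420); it was not captured from a real system. The table of needed capabilities is partial and covers only the operations named in this bug.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_KILL              5
#define CAP_SETGID            6
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_ADMIN        12
#define CAP_NET_RAW          13
#define CAP_SYS_ADMIN        21
#define CAP_BIT(c) ((uint64_t)1 << (c))

/* Constructed sample of /proc/<pid>/status for a hook run from a dhclient
 * that retained only bits 5, 10, 12 and 13 (0x3420).  Not a real capture. */
static const char sample_status[] =
    "Name:\tdhclient-script\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000003420\n"
    "CapEff:\t0000000000003420\n"
    "CapBnd:\t0000000000003420\n";

/* Find the line "<field>:<tab><hex>" in a status text and return its mask.
 * *found is set to 1 if the field was present, 0 otherwise (mask then 0). */
uint64_t status_cap_mask(const char *status, const char *field, int *found)
{
    size_t flen = strlen(field);
    const char *p = status;
    *found = 0;
    while (p && *p) {
        if (strncmp(p, field, flen) == 0 && p[flen] == ':') {
            *found = 1;
            return strtoull(p + flen + 1, NULL, 16);  /* strtoull skips the tab */
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return 0;
}

/* Operations seen failing in this bug and the capability each needs. */
struct need { const char *action; int cap; const char *name; };
static const struct need needs[] = {
    { "sethostname(2) / hostname",                      CAP_SYS_ADMIN, "CAP_SYS_ADMIN" },
    { "initgroups(3) when a restarted daemon drops privileges", CAP_SETGID, "CAP_SETGID" },
    { "kill(2) of a process running under another uid",  CAP_KILL,      "CAP_KILL" },
};

/* Return a mask of the needed capabilities missing from eff, reporting each. */
uint64_t report_missing(uint64_t eff)
{
    uint64_t missing = 0;
    for (size_t i = 0; i < sizeof needs / sizeof needs[0]; i++) {
        if (!(eff & CAP_BIT(needs[i].cap))) {
            missing |= CAP_BIT(needs[i].cap);
            fprintf(stderr, "missing %s: %s will fail with EPERM\n",
                    needs[i].name, needs[i].action);
        }
    }
    return missing;
}

/* Convenience wrappers over the constructed sample. */
uint64_t sample_mask(const char *field)
{
    int found;
    return status_cap_mask(sample_status, field, &found);
}

int sample_has_field(const char *field)
{
    int found;
    status_cap_mask(sample_status, field, &found);
    return found;
}

int main(void)
{
    int found;
    uint64_t eff = status_cap_mask(sample_status, "CapEff", &found);
    if (!found) {
        fputs("no CapEff line in status text\n", stderr);
        return 1;
    }
    printf("CapEff = %#llx\n", (unsigned long long)eff);
    return report_missing(eff) ? 2 : 0;
}
```

On a live system the same parser can be pointed at the text of /proc/self/status from within dhclient-script; the constructed sample reproduces the pattern reported here, where CAP_KILL is present but CAP_SYS_ADMIN and CAP_SETGID are not.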
I tried to attach a patch, but the gvfs stat bug locks up firefox every time. I emailed an updated patch to the package maintainer that adds CAP_SYS_ADMIN. Thanks for the bug report.
Created attachment 388279: Patch from Steve Grubb
Created attachment 388567: updated capabilities patch for dhclient

This is an improvement over the patch in comment 12. Specifically:

- the dhclient(8) man page now documents the -nc option
- if dhclient wasn't compiled with libcap-ng support, instead of treating the -nc option as an invalid option, silently ignore it.
Thanks James. Will be in dhcp-4.1.1-3.fc12
No problem, Jiri. You might want to ask the initscripts folks if they have a "blessed" way of passing the "-nc" argument to dhclient. Based on my read of the /etc/sysconfig/network-scripts/* files, simply putting this line in (e.g.) /etc/sysconfig/network-scripts/ifcfg-eth0 should do it:

    DHCLIENTARGS=-nc

This should work, because /etc/sysconfig/network-scripts/ifup-eth only ever appends to $DHCLIENTARGS, like this:

    DHCLIENTARGS="${DHCLIENTARGS} ${ONESHOT} -q ${DHCLIENTCONF}"

That is, ifup-eth0 never sets DHCLIENTARGS absolutely. But /usr/share/doc/initscripts-9.02.1/sysconfig.txt doesn't document DHCLIENTARGS as a supported option, which means they might break it sometime in the future... At any rate, I'll test this myself when dhcp-4.1.1-3.fc12 hits updates-testing.
dhcp-4.1.1-3.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update dhcp'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0928
dhcp-4.1.1-5.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update dhcp'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2010-0928
dhcp-4.1.1-5.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Does this means that dhclient *out of the box* now breaks existing features unless the user adds more flags? That's incredibly broken, if so.
Confirmed, reopening. The ypbind script, at least, is broken.
I'd like to add a(nother) user's perspective. I upgraded (fresh install) from FC10 to FC13 in July. I turned off Network Manager. My FC10 firewall script was /etc/dhclient-exit-hooks. I copied the script over to FC13. Imagine my surprise when I turned on the network and found myself without a firewall. Imagine my surprise when I realized that even with my script in /etc/dhcp I didn't have a firewall. I haven't spent a *lot* of time browsing Fedora docs, but some ... and I found this bug report.
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This message is a notice that Fedora 14 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 14. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '14' have been closed as WONTFIX. (Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.) Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version. Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 14 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
This message is a notice that Fedora 19 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 19. It is Fedora's policy to close all bug reports from releases that are no longer maintained. Approximately 4 (four) weeks from now this bug will be closed as EOL if it remains open with a Fedora 'version' of '19'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 19 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 19 changed to end-of-life (EOL) status on 2015-01-06. Fedora 19 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.